CDR outsourcing arrangements: Privacy obligations for principals

23 December 2021

In the CDR system, an accredited person may engage an outsourced service provider (OSP) to do one or both of the following:

  • collect CDR data on their behalf
  • provide goods or services to the accredited person using CDR data that the OSP collected on the accredited person’s behalf or that was disclosed to them by the accredited person.

To use an OSP, an accredited person must have a written contract in place with the OSP which meets the requirements set out in the CDR Rules (being the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2021). The accredited person is known as the ‘principal’ under this contract.

This page outlines the key privacy obligations for accredited persons that engage OSPs, which fall under the following topics:

  • Written contract
  • Liability
  • Consent
  • Disclosure
  • CDR policy
  • Restrictions for affiliates and CDR representatives

Many of these obligations have been in place since June 2020. This page outlines those obligations, as well as provisions introduced by Version 3 of the CDR Rules. The Version 3 CDR Rules removed the requirement for an OSP to be accredited in order to collect CDR data on behalf of a principal. This means that, since 19 October 2021, there is no requirement for an OSP to be accredited, regardless of what service they are providing.

The CDR Privacy Safeguard Guidelines will be updated to reflect the changes introduced by the Version 3 CDR Rules.

These obligations apply in addition to a principal’s privacy obligations as an accredited person and accredited data recipient (for example, to comply with the privacy safeguards).

For information on the privacy obligations for OSPs, see CDR outsourcing arrangements: Privacy obligations for outsourced service providers.

Key Points

  • An outsourced service provider (OSP) is a person who does one or both of the following:
    • collects CDR data from a CDR participant on behalf of an accredited person in accordance with the CDR Rules
    • provides goods or services to the accredited person using CDR data that it collected on behalf of the accredited person or that has been disclosed to them by the accredited person.
  • An accredited person who engages an OSP must have a written contract in place with the OSP (known as a ‘CDR outsourcing arrangement’) that meets the requirements set out in CDR Rule 1.10(2).
  • An accredited person who engages an OSP under a CDR outsourcing arrangement is known as the ‘principal’.
  • The level to which an entity is accredited affects the purpose for which they can engage an OSP: entities accredited to the sponsored level (known as ‘affiliates’) cannot engage an OSP to collect CDR data on their behalf.
  • A principal is liable for the collection, use and disclosure of CDR data by their OSP, regardless of whether that collection, use or disclosure is in accordance with the CDR outsourcing arrangement.
  • An OSP is not required to be accredited.

Written contract

A principal must have a ‘CDR outsourcing arrangement’ with their OSP that meets the requirements set out in CDR Rule 1.10(2).

A CDR outsourcing arrangement is a written contract between the principal and the OSP under which the OSP will do one or both of the following:

  • collect CDR data from a CDR participant on behalf of the principal in accordance with the CDR Rules
  • provide goods or services to the principal using CDR data that it has collected on behalf of the principal or that has been disclosed to it by the principal.

The purpose of the CDR outsourcing arrangement is to govern the OSP’s handling of ‘service data’, being CDR data that is:

  • collected by the OSP under the arrangement; or
  • disclosed from the principal to the OSP for the purposes of the arrangement; or
  • directly or indirectly derived from the above.

The minimum terms that must be contained in the CDR outsourcing arrangement are listed in CDR Rule 1.10(2) and include a requirement for the OSP to comply with the minimum information security controls in Schedule 2 to the CDR Rules. For more information on the minimum terms, see CDR outsourcing arrangements: Privacy obligations for outsourced service providers.

Privacy Tip: In limited circumstances, providing CDR data to a third party (such as a cloud service provider) for limited purposes may be a use of data, rather than a disclosure. This distinction has implications for whether an accredited person would be required to have a CDR outsourcing arrangement in place. It will constitute a ‘use’ (rather than a ‘disclosure’) of CDR data only if the data remains encrypted at all times, and the third party does not hold or have access to the decryption keys.

This distinction between use and disclosure needs to be carefully considered on a case-by-case basis and depends on the specific technical arrangements in place with the third party. For further information, see Chapter B (Key concepts) (‘Use’).


Privacy tip: A principal is liable for their OSP’s collection of CDR data. As such, where an accredited person intends to engage an OSP to collect CDR data on their behalf, the accredited person should include an additional term in the CDR outsourcing arrangement to require the OSP to comply with the same restrictions and requirements that apply to an accredited person’s collection of CDR data. This would include requiring an OSP to comply with the requirements of Privacy Safeguard 3, the CDR Rules and the relevant data standards.

The written contract must require the OSP to only use or disclose the service data in accordance with the contract. The written contract should tightly prescribe how an OSP can use and disclose CDR data, and these permitted uses and disclosures must align with what the principal would be permitted to do given that use or disclosure by the provider is taken to have been by the principal.

This will help to reduce the risk that an OSP collects, uses or discloses CDR data in breach of the regulatory framework (a breach that the principal would be liable for).

Ensuring compliance

The principal must ensure the OSP complies with the requirements under the CDR outsourcing arrangement (CDR Rule 1.16).

Privacy tip: A principal is required by CDR Rule 1.16 to ensure that their OSP complies with the requirements of the CDR outsourcing arrangement. As part of discharging this obligation, the principal could consider:

  • undertaking review and assurance activities at least annually
  • requiring the OSP to provide regular reports against its compliance with the CDR outsourcing arrangement, and/or
  • providing the OSP with any appropriate assistance or training in technical and compliance matters.

Prior to entering the CDR outsourcing arrangement, the principal could undertake due diligence on the proposed OSP, with a focus on their personal information handling capabilities, procedures and practices.

Taking these steps may assist the principal in avoiding a breach of CDR Rule 1.16, and in doing so, may also assist the principal in avoiding a breach of other privacy-related CDR Rules (given the principal is liable for the actions of the OSP).

Liability

Any collection, use or disclosure of service data by an OSP under a CDR outsourcing arrangement is taken to have been by the principal under the arrangement. This means that a principal is liable for any collection, use or disclosure of service data by their OSP, including by their OSP’s subcontractors. The principal is liable regardless of whether the collection, use or disclosure is in accordance with the CDR outsourcing arrangement (CDR Rule 7.6).

For example, when an OSP collects CDR data on a principal’s behalf, the principal must notify the consumer of the collection of their CDR data under Privacy Safeguard 5, and must only use or disclose the CDR data in accordance with Privacy Safeguards 6, 7, 8 and 9.

CDR policy

A principal must include certain information about OSPs in their CDR policy. This includes a list of their OSPs, the nature of the services each OSP provides, and the data that may be disclosed to or collected by each OSP. See CDR Rule 7.2(4) and the Guide to developing a CDR policy.

Consent

Where a principal uses an OSP to collect CDR data, or may disclose the consumer’s CDR data to an OSP, the principal must provide certain additional information to the consumer when seeking their consent. This includes notifying the consumer of this fact, providing a link to the accredited person’s CDR policy, and a statement that the consumer can obtain further information about such disclosures from the policy if desired. See CDR Rule 4.11(3)(f) and Chapter C (Consent).

Disclosure

A principal may disclose CDR data to an OSP in prescribed situations as set out in CDR Rules 7.5(1)(d) and 7.5(3)(c). This includes disclosing for the purpose of the OSP using CDR data to provide goods or services requested by the consumer in compliance with the data minimisation principle, and disclosing for the purpose of the OSP undertaking specified direct marketing activities in accordance with a direct marketing consent.

For further information, please see existing guidance in Chapter 6 (Privacy Safeguard 6) and Chapter 7 (Privacy Safeguard 7).

Restrictions for affiliates and CDR representatives

The level to which an entity is accredited affects the purpose for which they can engage an OSP:

  • Entities accredited to the unrestricted level may disclose data to OSPs and engage OSPs to collect data under a CDR outsourcing arrangement.
  • Entities accredited to the sponsored level (known as affiliates) must not engage an OSP to collect CDR data on their behalf (CDR Rule 5.1B(4)). However, they may disclose data to OSPs under a CDR outsourcing arrangement.

As an unaccredited person, a CDR representative must not engage an outsourced service provider (CDR Rule 1.10AA(2)(c)). For further information on the obligations of CDR representatives, see CDR representative model: Privacy obligations of CDR representatives.

For further information regarding levels of accreditation please see the ACCC Accreditation Guidelines.