CDR outsourcing arrangements – Privacy obligations for principals
23 December 2021
In the CDR system, an accredited person may engage an outsourced service provider (OSP) to do one or both of the following:
- collect CDR data on their behalf
- provide goods or services to the accredited person using CDR data that the OSP collected on the accredited person’s behalf or that was disclosed to them by the accredited person.
To use an OSP, an accredited person must have a written contract in place with the OSP which meets the requirements set out in the CDR Rules (being the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2021). The accredited person is known as the ‘principal’ under this contract.
This page outlines the key privacy obligations for accredited persons that engage OSPs, which fall under the following topics:
- Written contract
- CDR policy
- Restrictions for affiliates and CDR representatives
Many of these obligations have been in place since June 2020. This page outlines those obligations, as well as provisions introduced by Version 3 of the CDR Rules. The Version 3 CDR Rules removed the requirement for an OSP to be accredited in order to collect CDR data on behalf of a principal. This means that, since 19 October 2021, there is no requirement for an OSP to be accredited, regardless of what service they are providing.
These obligations apply in addition to a principal’s privacy obligations as an accredited person and accredited data recipient (for example, to comply with the privacy safeguards).
For information on the privacy obligations for OSPs, see CDR outsourcing arrangements: Privacy obligations for outsourced service providers.
- An outsourced service provider (OSP) is a person who does one or both of the following:
  - collects CDR data from a CDR participant on behalf of an accredited person in accordance with the CDR Rules
  - provides goods or services to the accredited person using CDR data that it collected on behalf of the accredited person or that has been disclosed to them by the accredited person.
- An accredited person who engages an OSP must have a written contract in place with the OSP (known as a ‘CDR outsourcing arrangement’) that meets the requirements set out in CDR Rule 1.10(2).
- An accredited person who engages an OSP under a CDR outsourcing arrangement is known as the ‘principal’.
- The level to which an entity is accredited affects the purpose for which they can engage an OSP: entities accredited to the sponsored level (known as ‘affiliates’) cannot engage an OSP to collect CDR data on their behalf.
- A principal is liable for the collection, use and disclosure of CDR data by their OSP, regardless of whether that collection, use or disclosure is in accordance with the CDR outsourcing arrangement.
- An OSP is not required to be accredited.
Written contract
A principal must have a ‘CDR outsourcing arrangement’ with their OSP that meets the requirements set out in CDR Rule 1.10(2).
A CDR outsourcing arrangement is a written contract between the principal and the OSP under which the OSP will do one or both of the following:
- collect CDR data from a CDR participant on behalf of the principal in accordance with the CDR Rules
- provide goods or services to the principal using CDR data that it has collected on behalf of the principal or that has been disclosed to it by the principal.
The purpose of the CDR outsourcing arrangement is to govern the OSP’s handling of ‘service data’, being CDR data that is:
- collected by the OSP under the arrangement; or
- disclosed by the principal to the OSP for the purposes of the arrangement; or
- directly or indirectly derived from the above.
The minimum terms that must be contained in the CDR outsourcing arrangement are listed in CDR Rule 1.10(2) and include a requirement for the OSP to comply with the minimum information security controls in Schedule 2 to the CDR Rules. For more information on the minimum terms, see CDR outsourcing arrangements: Privacy obligations for outsourced service providers.
The principal must ensure the OSP complies with the requirements under the CDR outsourcing arrangement (CDR Rule 1.16).
Any collection, use or disclosure of service data by an OSP under a CDR outsourcing arrangement is taken to have been done by the principal under the arrangement. This means that a principal is liable for any collection, use or disclosure of service data by their OSP, including by their OSP’s subcontractors. The principal is liable regardless of whether the collection, use or disclosure is in accordance with the CDR outsourcing arrangement (CDR Rule 7.6).
For example, when an OSP collects CDR data on a principal’s behalf, the principal must notify the consumer of the collection of their CDR data under Privacy Safeguard 5, and must only use or disclose the CDR data in accordance with Privacy Safeguards 6, 7, 8 and 9.
CDR policy
A principal must include certain information about OSPs in their CDR policy. This includes a list of their OSPs, the nature of the services each OSP provides, and the data that may be disclosed to or collected by each OSP. See CDR Rule 7.2(4) and the Guide to developing a CDR policy.
Where a principal uses an OSP to collect CDR data, or may disclose the consumer’s CDR data to an OSP, the principal must provide certain additional information to the consumer when seeking their consent. This includes notifying the consumer of this fact, providing a link to the accredited person’s CDR policy, and a statement that the consumer can obtain further information about such disclosures from the policy if desired. See CDR Rule 4.11(3)(f) and Chapter C (Consent).
A principal may disclose CDR data to an OSP in prescribed situations as set out in CDR Rules 7.5(1)(d) and 7.5(3)(c). This includes disclosing for the purpose of the OSP using CDR data to provide goods or services requested by the consumer in compliance with the data minimisation principle, and disclosing for the purpose of the OSP undertaking specified direct marketing activities in accordance with a direct marketing consent.
Restrictions for affiliates and CDR representatives
The level to which an entity is accredited affects the purposes for which it can engage an OSP:
- Entities accredited to the unrestricted level may disclose data to OSPs and engage OSPs to collect data under a CDR outsourcing arrangement.
- Entities accredited to the sponsored level (known as affiliates) must not engage an OSP to collect CDR data on their behalf (CDR Rule 5.1B(4)). However, they may disclose data to OSPs under a CDR outsourcing arrangement.
As an unaccredited person, a CDR representative must not engage an outsourced service provider (CDR Rule 1.10AA(2)(c)). For further information on the obligations of CDR representatives, see CDR representative model: Privacy obligations of CDR representatives.
For further information regarding levels of accreditation please see the ACCC Accreditation Guidelines.