CDR representative model – Privacy obligations of CDR representatives

23 December 2021

The CDR representative model is intended to facilitate the participation of a broader array of business models in the CDR system.

It allows an unaccredited person (known as a ‘CDR representative’) to provide CDR goods or services directly to a consumer, where they have a written contract in place with an unrestricted accredited person (known as a ‘CDR principal’). These written contracts must meet the requirements in the CDR Rules.

A CDR representative receives CDR data from their CDR principal, and uses that CDR data to provide goods or services directly to the consumer.

Under this arrangement, the CDR principal is liable for the actions of the CDR representative.

The purpose of this page is to outline the privacy obligations for CDR representatives.

The main privacy obligation for a CDR representative is to comply with the terms of the written contract with the CDR principal. This page explains what the written contract is, and outlines its key terms, which fall under the following topics:

  • Requirements of the written contract
  • Consent
  • Use and disclosure
  • Privacy safeguards
  • CDR policy
  • Deletion
  • Outsourced service providers

The Rules relating to the CDR representative model have been introduced by Version 3 of the CDR Rules (being the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2021) and have been binding since 19 October 2021. The CDR Privacy Safeguard Guidelines will be updated to reflect this content.

These obligations apply in addition to other privacy obligations a CDR representative may have under other legislation (for example, the Privacy Act 1988 where the CDR representative is an APP entity).

For information on the key privacy obligations for CDR principals, see CDR representative model – Privacy obligations of CDR principals.

Key points

  • A CDR representative is an unaccredited person who has been engaged by a CDR principal under a written contract that meets the requirements in the CDR Rules. The CDR principal must be accredited at the unrestricted level.
  • A CDR representative collects CDR data from their CDR principal and uses that CDR data to provide goods or services directly to the consumer.
  • A CDR representative may collect CDR data only from their CDR principal. They are not permitted under the CDR Rules to collect CDR data from data holders or accredited data recipients (other than their CDR principal).
  • The main privacy obligation for a CDR representative is to comply with the terms of the written contract with the CDR principal. The CDR principal is liable for the actions of the CDR representative when handling service data.
  • A CDR representative must not seek consent, collect, use, disclose or otherwise handle CDR data unless they have a written contract in place with their CDR principal, and their details have been entered onto the Register of Accredited Persons.
  • A CDR representative may have one CDR principal only.
  • For examples of situations in which this type of CDR representative arrangement could be used, see page 17 of the explanatory statement to the amending instrument for the Version 3 CDR Rules.

Requirements of the written contract

A CDR representative must not seek consent, or collect, use, disclose or otherwise handle CDR data unless they have a ‘CDR representative arrangement’ in place with their CDR principal, and their details have been entered onto the Register of Accredited Persons.

A CDR representative arrangement is a written contract between the CDR representative and their CDR principal that meets the minimum requirements listed in CDR Rule 1.10AA(2).

The purpose of the arrangement is to regulate the CDR representative’s handling of ‘service data’, being:

  • CDR data that was collected by the CDR principal on the CDR representative’s behalf (and subsequently disclosed by the CDR principal to the CDR representative), and
  • any information derived from the above CDR data (whether directly or indirectly derived).

A CDR representative may only have one arrangement in place at any time (i.e. they must not enter into an arrangement with another CDR principal).

The CDR representative’s obligations under the arrangement are outlined in the following sections.

Privacy tip: The written contract between a CDR representative and their CDR principal must meet the minimum requirements listed in CDR Rule 1.10AA(2). However, a CDR representative may wish to include additional terms in their written contract to assist them to comply with that contract.

For example, a CDR representative might not be aware that a consumer has withdrawn a consent. This could occur where the CDR principal provides the consumer with a dashboard and the consumer withdraws a consent via that dashboard.

To minimise the risk of a CDR representative continuing to use or disclose CDR data without a consumer’s consent (in breach of the written contract), a CDR representative should ensure the written contract contains a term requiring the CDR principal to notify the CDR representative as soon as practicable upon becoming aware that a consumer has withdrawn a use/disclosure consent or that a use/disclosure consent has otherwise expired.

Consent

A CDR representative is responsible for seeking consents from the consumer, including a consent for their CDR principal to collect the consumer’s CDR data. Once the CDR representative has obtained these consents, the CDR principal collects the CDR data on their behalf, and discloses that data to the CDR representative so that the CDR representative may provide goods or services to consumers using that data.

The following sections outline which consents a CDR representative must seek, and the requirements for doing so.

Collection, use and disclosure consents

A CDR representative may seek certain consents from the consumer as follows (see CDR Rule 4.3A(2)):

  • a collection consent for the CDR principal to collect CDR data from a CDR participant (i.e. a data holder or accredited data recipient of that consumer’s CDR data), and
  • a use consent
    • for the CDR principal to disclose that data (once collected) to the CDR representative, and
    • for the CDR representative to provide the requested goods or services to the consumer.

A CDR representative may also ask the consumer to provide a disclosure consent (CDR Rules 1.10A(c) and 4.3A(3)).

Requirements when seeking consent

Like accredited persons, the CDR representative must ask for the above consents in accordance with Division 4.3 of the CDR Rules (as modified by CDR Rule 4.3C(1)).

Division 4.3 provides that the following processes and requirements must be met when seeking consent:

  • Processes for asking for consent (CDR Rule 4.10): to ensure that the consent is as easy to understand as practicable, including by having regard to the Consumer Experience Guidelines.
  • Requirements when asking for consent (CDR Rules 4.11, 4.16 and 4.17): including to allow the consumer to actively select the types and uses of data to which they provide consent, inform the consumer that the person is a CDR representative and the data will be collected by their CDR principal, and provide express consent for the CDR principal to collect and the CDR representative to use the selected data for those specified purposes. Additional requirements apply where the CDR representative is seeking consent to de-identify CDR data (CDR Rule 4.15).
  • Restrictions on seeking consent (CDR Rule 4.12): including that a CDR representative cannot seek consent to collect, use or disclose CDR data for a period exceeding 12 months.
  • Obligations about managing the withdrawal of consent (CDR Rule 4.13): including that a consumer may withdraw their consents at any time.
  • Time of expiry of consent (CDR Rule 4.14): a consent generally expires upon its withdrawal or at the end of the specified period in which the consumer gave the consent (which cannot be longer than 12 months).

As set out in CDR Rule 4.9, the object of Division 4.3 is to ensure that consent is voluntary, express, informed, specific as to purpose, time limited, and easily withdrawn.

Use and disclosure

A CDR representative must not use or disclose service data other than in accordance with the contract with their CDR principal (CDR Rule 1.10AA(2)(d)(iii)).

Privacy safeguards

A CDR representative must comply with the following privacy safeguards in relation to service data as if they were the CDR principal:

Privacy tip: A useful tool that can help a CDR representative to plan and document the steps they need to take to comply with each of the above privacy safeguards (and the other terms of the written contract) is a CDR data management plan.

A CDR data management plan is a document that identifies specific, measurable goals and targets, and sets out how an entity will meet their obligations under their written contract with the CDR principal. As part of this, the CDR data management plan could set out the tasks an entity will undertake to establish practices, procedures and systems that ensure compliance with their written contract, including the above privacy safeguards.

The CDR data management plan should also set out the processes that will be used to measure and document the entity’s performance against their CDR data management plan.

This will help ensure privacy is automatically considered when handling CDR data, resulting in better overall privacy management, practice and compliance through a ‘privacy-by-design’ approach.

CDR policy

A CDR representative must adopt and comply with the CDR principal’s CDR policy in relation to the service data (CDR Rule 1.10AA(2)(e)).

Deletion

A CDR representative must delete service data when directed to by the CDR principal and provide records of the deletion. This must be done in accordance with the CDR data deletion process under Privacy Safeguard 12.

Outsourced service providers

A CDR representative must not engage an outsourced service provider (CDR Rule 1.10AA(2)(c)). For further information on the obligations of outsourced service providers, see: CDR outsourcing arrangements: Privacy obligations for outsourced service providers.