Guide to privacy for data holders

16 July 2020
Tags: data holders

Version 2.0, July 2020


Version history

Version 1.0
  Currency dates: 12 June 2020 to 15 July 2020

Version 2.0
  Currency dates: 16 July 2020 to …
  Changes and other comments:
  • Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2020, including changes to:
    • when a data holder may refuse to seek an authorisation or disclose CDR data, and
    • how a data holder must allow a consumer to withdraw authorisation.
  • Minor redrafting of text to aid with readability.

Introduction

  • This Guide outlines key privacy obligations for data holders in the Consumer Data Right (CDR) system, and should be read in conjunction with the CDR Privacy Safeguard Guidelines.[1]

  • In addition to several obligations under the privacy safeguards, data holders must also comply with some key privacy obligations in the CDR Rules.

  • Data holders should read this Guide together with the full text of Division 5 of Part IVD of the Competition and Consumer Act 2010 (Competition and Consumer Act) and the CDR Rules.

  • Chapter B (Key concepts) of the CDR Privacy Safeguard Guidelines contains guidance on general matters, including an explanation of key concepts that are used throughout this Guide.

  • This Guide is not legally binding and does not constitute legal advice about how an entity should comply with the CDR Rules and/or the privacy safeguards. Entities may wish to seek independent legal advice where appropriate.

Key points

  • In the CDR system, a data holder must comply with privacy obligations relating to:
    • the privacy safeguards
    • consumer data request services
    • disclosure of CDR data
    • authorisation
    • consumer dashboards, and
    • the provision of access to certain records.
  • A data holder discloses CDR data to an accredited person where required or authorised to do so in response to a consumer data request.
  • A data holder must ask a consumer to authorise the disclosure of their CDR data to an accredited person (unless an exception applies).
  • For a data holder that is also subject to the Privacy Act 1988 (Privacy Act), the Australian Privacy Principles (APPs) will apply to CDR data that is also personal information, with some exceptions.[2]
  • In the banking sector, an example of a data holder is an authorised deposit-taking institution (such as a bank).

Who is a data holder?

  • In the banking sector, an example of a data holder is an authorised deposit-taking institution (such as a bank).[3]
  • In the CDR system, a data holder discloses CDR data to an accredited person or the consumer themselves, where required or authorised to do so in response to a consumer data request.[4]
  • A person is a ‘data holder’ of CDR data if:
    • the person holds the CDR data,
    • the person is not a designated gateway for the data,
    • the person began to hold the data after the earliest holding day,[5] and
    • any of the following three cases applies:[6]
      • The entity is specified as a data holder in the Designation Instrument — If the person belongs to a class of persons specified in a designation instrument, and the CDR data was not disclosed to the person under the CDR Rules
      • Reciprocity — If the CDR data was not disclosed to the person under the CDR Rules, but the person is an accredited data recipient of other CDR data, or
      • As enabled by the CDR Rules — If the CDR data was disclosed to the person under the CDR Rules, and the person is an accredited person who meets conditions set out in the CDR Rules.[7]
  • For further information on when a person will be a ‘data holder’ of CDR data, see Chapter B (Key concepts) of the CDR Privacy Safeguard Guidelines.

What privacy obligations in the CDR system apply to data holders?

  • In the CDR system, a data holder must comply with privacy obligations relating to:
    • Privacy Safeguards 1 (open and transparent management of CDR data), 10 (notifying of the disclosure of CDR data), 11 (quality of CDR data) and 13 (correction of CDR data)
    • providing consumer data request services
    • disclosing CDR data in response to consumer data requests
    • seeking authorisation from consumers
    • managing authorisations, including by providing consumer dashboards, and
    • providing access to copies of records where requested by consumers.
  • These privacy obligations are discussed in this Guide.
  • A data holder should be aware that they have other, non-privacy-related obligations under the CDR Rules, for example the requirements relating to product data requests.[8] These are not covered in this Guide.

Does the Privacy Act apply to data holders?

  • Where a data holder is an APP entity,[9] they must continue to comply with the Privacy Act.
  • The APPs will apply to CDR data held by data holders (where it is also personal information), with the exception of APP 10 (quality of personal information) and APP 13 (correction of personal information).
  • These APPs are replaced by Privacy Safeguard 11 (quality of CDR data) and Privacy Safeguard 13 (correction of CDR data), once the data holder is required or authorised to disclose the CDR data under the CDR Rules.[10]

Privacy Safeguards

  • A data holder must comply with the following privacy safeguards:
    • Privacy Safeguard 1 (open and transparent management of CDR data)
    • Privacy Safeguard 10 (notifying of the disclosure of CDR data)
    • Privacy Safeguard 11 (quality of CDR data), and
    • Privacy Safeguard 13 (correction of CDR data).
  • Information about how to comply with these privacy safeguards is available in Chapters 1, 10, 11 and 13 of the CDR Privacy Safeguard Guidelines.

Consumer data request services

  • A data holder may be required to disclose CDR data at the request of a consumer. The request is known as a ‘consumer data request’ and can be made to the data holder by:
    • an accredited person, on the consumer’s behalf, or
    • the consumer themselves.[11]
  • A data holder must provide an ‘accredited person request service’ to allow accredited persons to make consumer data requests, on behalf of consumers, to the data holder.
  • This service must comply with the requirements in CDR Rule 1.13(1)(b).

Consumer data request services in the banking sector — Joint accounts

For the banking sector, a data holder that could be required to disclose CDR data relating to a joint account must provide a joint account management service (JAMS) to the joint account holders.[12]

The JAMS allows these account holders to provide instructions on a range of matters. Specifically, an account holder can elect whether they authorise the other account holder to request and approve certain actions on their behalf, or (where offered by the data holder) whether they want to request and approve these actions individually. These actions include the following:

  • the ability to authorise the disclosure of CDR data to an accredited person, and/or
  • the ability to revoke such authorisations (whether given by themselves or the other joint account holder).[13]

Disclosing CDR data

  • The following sections outline when a data holder is required or authorised to disclose CDR data to an accredited person under the CDR Rules, and how that data must be disclosed.[14]

Disclosing CDR data in the banking sector

For the banking sector, different ‘categories’ of data holders are required to share certain types of CDR data at different stages.[15]

Consumer data requests made by accredited persons

  • An accredited person who has received a valid request from a consumer may request that a data holder disclose that consumer’s CDR data. This is a ‘consumer data request’ by an accredited person on behalf of a consumer.[16]
  • The request must be made using the data holder’s accredited person request service, in accordance with the data standards.[17]
  • Before a data holder can disclose CDR data to an accredited person, the consumer must first authorise the data holder to disclose the particular data to that accredited person.[18]
  • A data holder is required to disclose CDR data in response to a consumer data request from an accredited person where:
    • the consumer has authorised the disclosure of some or all of the required consumer data,[19] and
    • the request relates to ‘required’ consumer data.[20]
  • The following sections of this Guide outline:
    • when a data holder must seek authorisation
    • how that authorisation must be sought
    • circumstances where a data holder may refuse to disclose required consumer data, and
    • how authorisations must be managed.

Authorisation

When to seek authorisation

  • A data holder must seek a consumer’s authorisation for the disclosure of CDR data where the data holder:
    • receives a consumer data request from an accredited person (on behalf of an eligible CDR consumer),[21] and
    • does not already have a current authorisation to disclose the CDR data.
  • The data holder must seek authorisation in accordance with Division 4.4 of the CDR Rules and the applicable data standards.[22] The authorisation requirements in Division 4.4 are outlined in the following sections of this Guide.

Authorisation in the banking sector — Joint accounts

For the banking sector, where a data holder receives a consumer data request relating to a joint account, the data holder:

  • must ask the relevant consumer to authorise the disclosure of CDR data,[23] and
  • may also need to ask the other joint account holder to authorise the disclosure of CDR data.[24]

Whether the data holder must seek authorisation from the other joint account holder depends on whether:

  • the joint account holders have made any relevant elections via the JAMS,[25] or
  • any exceptions apply.[26]

  • A data holder may refuse to seek an authorisation in the following circumstances outlined in CDR Rule 4.7:
    • where the data holder considers this to be necessary to prevent physical or financial harm or abuse[27]
    • where the data holder has reasonable grounds to believe that disclosing some or all of the CDR data would adversely impact the security, integrity or stability of the Register of Accredited Persons or the data holder’s ICT systems[28]
    • where the CDR data relates to an account that is blocked or suspended, or
    • where provided for in the data standards.
  • Where the data holder refuses to seek an authorisation, they must inform the accredited person of the refusal in accordance with the data standards.[29]

Exception to obligation to seek authorisation in the banking sector — Joint accounts

For the banking sector, where a consumer data request relates to a joint account, a data holder must not seek any authorisations to disclose data relating to the joint account unless:

  • there is a current election under the JAMS,[30] and
  • the consumer data request accords with that election.[31]

  • The following flow chart demonstrates the role of authorisation in the key information flow between a consumer, data holder and accredited person.

Figure: Overview of the key information flow in the CDR regime (consumer, data holder and accredited person).

Requirements for seeking authorisation

General processes

  • A data holder’s processes for seeking authorisation must:
    • accord with the data standards, and
    • be as easy to understand as practicable, including by using concise language and, where appropriate, visual aids.[32]
  • In ensuring processes are easy to understand, a data holder must also have regard to the Consumer Experience Guidelines.[33]

Information to be provided

  • When seeking an authorisation, a data holder must give the following information to the consumer:
    • the name of the accredited person that made the consumer data request
    • the period of time to which the CDR data relates (this may include historical data, for example CDR data dating back to 1 January 2017)[34]
    • the types of CDR data the data holder is seeking authorisation to disclose (the data holder must use the Data Language Standards to describe the CDR data)[35]
    • whether the authorisation relates to a ‘one-off’ disclosure, or an ongoing disclosure over a period of time (no more than 12 months)[36]
    • if authorisation is being sought for an ongoing disclosure — what the time period is (no more than 12 months)[37]
    • a statement that the authorisation can be withdrawn at any time, and
    • instructions for how the authorisation can be withdrawn.[38]

Restrictions on seeking authorisation

  • CDR Rule 4.24 provides that when asking a consumer to authorise the disclosure of CDR data, the data holder must not:
    • add any requirements to the authorisation process aside from those set out in the data standards and the CDR Rules
    • provide or request additional information beyond those specified in the data standards and the CDR Rules
    • offer additional or alternative services, or
    • include or refer to other documents.
  • The above practices are not permitted, because they may make authorisation harder for consumers to understand and have the potential to undermine the voluntary nature of the authorisation.

Obligations upon receiving authorisation

  • Once a data holder has sought and received authorisation from the relevant consumer/s,[39] the data holder:
    • must disclose the required consumer data,[40] and
    • may disclose the relevant voluntary consumer data.[41]
  • The data holder must disclose the data via its accredited person request service, and in accordance with the data standards.[42]
  • A data holder must not charge a fee for the disclosure of required consumer data.[43]

When a data holder may refuse to disclose CDR data

  • Despite having received an authorisation, a data holder may refuse to disclose required consumer data in the following circumstances outlined in CDR Rule 4.7:
    • where the data holder considers this to be necessary to prevent physical or financial harm or abuse[44]
    • where the data holder has reasonable grounds to believe that disclosing some or all of the CDR data would adversely impact the security, integrity or stability of the Register of Accredited Persons or the data holder’s ICT systems[45]
    • where the CDR data relates to an account that is blocked or suspended, or
    • where provided for in the data standards.
  • Where the data holder refuses to disclose CDR data, they must inform the accredited person of the refusal in accordance with the data standards.[46]

Exception to obligation to disclose in the banking sector — Joint accounts

For the banking sector, where a consumer data request relates to a joint account, a data holder must not disclose CDR data relating to the joint account unless:

  • there is a current election under the JAMS,[47] and
  • the consumer data request accords with that election.[48]

How authorisations must be managed

Consumer dashboards

  • A consumer dashboard is an online service which must be provided to a consumer when the data holder receives a consumer data request from an accredited person (on behalf of the consumer).[49]
  • The purpose of the consumer dashboard is to help the consumer to manage and view the authorisations they have given to disclose their CDR data.
  • The consumer dashboard should be provided to the consumer as soon as practicable after the data holder receives the relevant consumer data request.[50]

Consumer dashboards in the banking sector — Joint accounts

For the banking sector, where a consumer data request from an accredited person relates to a joint account, the data holder must provide a dashboard to both:

  • the consumer on whose behalf the accredited person is making the consumer data request, and
  • the other joint account holder.[51]

  • The consumer dashboard must contain the following details for each authorisation:[52]
    • the CDR data to which the authorisation relates
    • the date on which the consumer gave authorisation
    • the period for which the consumer gave authorisation
    • if the authorisation is current — when it will expire
    • if the authorisation is not current — when it expired
    • the information required to notify the consumer of the disclosure of their CDR data, being:
      • what CDR data was disclosed
      • when the CDR data was disclosed, and
      • the accredited data recipient for the CDR data.[53]
    • if the CDR data was disclosed in response to a request under Privacy Safeguard 11 for the data holder to disclose corrected CDR data – a statement of this fact.[54]
  • The consumer dashboard must have a functionality that allows the consumer to withdraw authorisation at any time. This functionality must be simple and straightforward to use, and prominently displayed.[55]

Tip: For examples of how to present this information on the consumer dashboard, and other best practice recommendations relating to the consumer dashboard, see the Consumer Experience Guidelines.

Consumers may withdraw authorisation

  • A consumer who has given authorisation for a data holder to disclose their CDR data may withdraw the authorisation at any time.[56]
  • Where a consumer withdraws authorisation, the data holder must notify the accredited person of the withdrawal in accordance with the data standards.[57]
  • A data holder must allow a consumer to withdraw authorisation by:
    • using the data holder’s consumer dashboard, or
    • using a simple alternative method of communication made available by the data holder.[58]

Tip: For examples of how to implement the withdrawal functionality on the consumer dashboard, and best practice recommendations for how to do this, see the Consumer Experience Guidelines.

  • The functionality to withdraw authorisation on the consumer dashboard must:
    • be simple and straightforward to use
    • be prominently displayed
    • be as easy to use as the process for giving an authorisation, and
    • display a message outlining the consequences of withdrawing authorisation. This message must accord with the data standards.[59]
  • The alternative method of communicating the withdrawal of authorisation must be simple.[60] In addition, it:
    • should be accessible and straightforward for a consumer to understand and use, and
    • may be written or verbal. Where it is written, the communication may be sent by electronic means (such as email) or non-electronic means (such as by post).
  • A data holder may wish to ensure their alternative method of communication is consistent with existing channels already made available to its customers,[61] for example through their telephone helpline.

Effect of withdrawing authorisation

  • The main consequence of withdrawing an authorisation is that the authorisation expires, and CDR data can no longer be shared with the relevant accredited person. Information about when authorisation expires is contained in the following section of this Guide.
  • If a consumer withdraws authorisation using the data holder’s consumer dashboard, the withdrawal is immediately effective.[62]
  • If a withdrawal is not communicated over the consumer dashboard, the data holder must ‘give effect’ to the withdrawal as soon as practicable, but not more than two business days after receiving the communication.[63]
  • The test of practicability is an objective test. In adopting a timetable that is ‘practicable’, a data holder can take technical and resource considerations into account. However, the data holder must be able to justify any delay in giving effect to the consumer’s communication of withdrawal.
  • ‘Giving effect’ to the withdrawal includes updating the consumer dashboard to reflect that the authorisation has expired,[64] as required by CDR Rule 4.27.[65]

When an authorisation expires

  • CDR Rule 4.26 provides that authorisation expires in the following circumstances:
    • If the authorisation is withdrawn
      • If a withdrawal notice is given via the consumer dashboard, the authorisation expires immediately. Where withdrawal is not given through the consumer dashboard, the authorisation expires when the data holder gives effect to the withdrawal, or two business days after receiving the communication, whichever is sooner.
    • Upon the consumer ceasing to be ‘eligible’[66]
      • For example, in the banking sector, the consumer will cease to be ‘eligible’ upon closing the bank account/s that the authorisation relates to.[67]
    • When the data holder is notified by the accredited person of the withdrawal of consent
      • Upon notification from the accredited person that the consumer has withdrawn consent, the authorisation expires immediately.
    • For ongoing disclosure, at the end of the period of authorisation (no longer than 12 months after authorisation was given)
      • Authorisation expires at the end of the specified period for which the consumer gave authorisation for the data holder to disclose the CDR data. This specified period cannot be longer than 12 months.
    • For disclosure on a single occasion, after the CDR data has been disclosed
    • If another CDR Rule provides that authorisation expires
      • For example: an authorisation to disclose CDR data expires once the accredited person becomes a data holder rather than an accredited data recipient for the CDR data.[68]
    • If the accredited person’s accreditation is revoked or surrendered
      • Authorisation for a data holder to disclose CDR data to that accredited person expires when the data holder is notified of the revocation or surrender.

Notification requirements

  • A data holder must also comply with the following notification requirements under the CDR Rules:
    • Notification of disclosure
      • There is a requirement to notify the consumer of the disclosure of their CDR data as soon as practicable after the disclosure occurs.[69]
    • Update consumer dashboard
      • There is a general obligation to update a consumer’s dashboard as soon as practicable, after the information required to be contained on the consumer dashboard changes.[70]

Providing access to copies of records

  • A consumer may request access to copies of the following data holder records:
    • authorisations given by the consumer to disclose CDR data
    • disclosures of CDR data made by the data holder in response to consumer data requests made by or on behalf of the consumer, and
    • CDR complaint data relating to the consumer.[71]
  • Data holders are required to keep and maintain these records under the Rules.[72]
  • Where requested by a consumer, a data holder must provide the relevant copies of records as soon as practicable, but no later than 10 business days after receiving the request.[73]
  • In adopting a timetable that is ‘as soon as practicable’, a data holder can take technical and resource considerations into account.
  • A data holder is not excused from providing access to copies of records in a prompt manner by reason only that it would be inconvenient, time consuming or costly to do so.
  • A data holder must provide the requested copies in the form (if any) approved by the Australian Competition and Consumer Commission.

Footnotes

[1] The CDR Privacy Safeguard Guidelines provide guidance on the privacy safeguards and related CDR Rules. They focus primarily on the privacy obligations of accredited persons and accredited data recipients.

[2] Data holders are likely to be bound by the Privacy Act, which applies to most organisations that have an annual turnover of over $3 million. See e.g. sections 6C, 13 and 15 of the Privacy Act for more information.

[3] Authorised deposit-taking institutions are specified as a relevant class of persons who hold CDR data in the designation instrument for the banking sector: see ss 56AJ(1) and 56AJ(2) of the Competition and Consumer Act; s 5(2) of the designation instrument.

[4] Further information is available under the section Consumer data requests made by accredited persons.

[5] 1 January 2017 is the ‘earliest holding day’ specified in the designation instrument for the banking sector: s 5(3) of the designation instrument.

[6] Being one of the conditions set out in ss 56AJ(2) to 56AJ(4) of the Competition and Consumer Act.

[7] The conditions for the banking sector are contained in clause 7.2 of Schedule 3 to the CDR Rules.

[8] See, eg, CDR Rule 1.12 and Part 2 of the CDR Rules.

[9] For information regarding an ‘APP entity’, see Chapter B (Key concepts) of the APP Guidelines.

[10] For further information regarding the interaction between the APPs and the privacy safeguards for data holders, see Chapter A (Introductory matters) of the CDR Privacy Safeguard Guidelines.

[11] For the banking sector, it is not currently possible for a consumer to make a consumer data request directly to a data holder. This is because the ACCC has exempted data holders in the banking sector from complying with the direct to consumer data sharing obligation in Rule 3.4(3) and all related CDR Rules until 1 November 2021. For further information about these exemptions, see the ‘Consumer data right exemptions register’ on the ACCC’s website. This Guide focuses upon consumer data requests made by accredited persons to data holders, on a consumer’s behalf, and the obligations associated with that, rather than the direct to consumer data sharing obligations set out in Rule 3.4(3) and related CDR Rules.

[12] Clause 4.2 of Schedule 3 to the CDR Rules.

[13] Clause 4.2 of Schedule 3 to the CDR Rules.

[14] This Guide focuses upon the disclosure of CDR data from data holders to accredited persons, rather than the disclosure of CDR data from data holders to consumers. This is because the ACCC has exempted data holders in the banking sector from complying with the direct to consumer data sharing obligation in Rule 3.4(3) and all related CDR Rules until 1 November 2021. For further information about these exemptions, see the ‘Consumer data right exemptions register’ on the ACCC’s website.

[15] See Part 6 of Schedule 3 to the CDR Rules, which outlines the staged application of the CDR Rules to the banking sector.

[16] CDR Rule 4.4.

[17] CDR Rule 4.4(3). Information regarding the ‘accredited person request service’ is contained under the section Consumer data request services.

[18] CDR Rule 4.5.

[19] CDR Rules 4.6(1) and 4.6(4).

[20] CDR Rule 4.6(4). Where a consumer data request from an accredited person relates to a consumer’s ‘voluntary’ consumer data:

  • if a data holder is considering disclosing any of the ‘voluntary’ consumer data, the data holder must ask the consumer to authorise disclosure of the requested data before disclosing that data to the accredited person (CDR Rule 4.5(2)), but
  • is not otherwise required to disclose requested ‘voluntary’ consumer data (CDR Rule 4.6(2)).

For information regarding ‘voluntary’ consumer data and ‘required’ consumer data, see CDR Rule 1.7, clause 3.2 of Schedule 3 to the CDR Rules and Chapter B (Key concepts) of the CDR Privacy Safeguard Guidelines.

[21] For the definition of an ‘eligible’ CDR consumer in the banking sector, see clause 2.1 of Schedule 3 to the CDR Rules. See also Chapter B (Key concepts) of the CDR Privacy Safeguard Guidelines. The data holder must reasonably believe that the consumer data request was made by an accredited person on behalf of an ‘eligible’ CDR consumer: CDR Rule 4.5(1)(c).

[22] CDR Rule 4.5.

[23] Unless there is already a current authorisation for the data holder to disclose the requested data to the accredited person: CDR Rule 4.5(1)(b).

[24] Clause 4.5 of Schedule 3 to the CDR Rules.

[25] Clause 4.5 of Schedule 3 to the CDR Rules. The relevant elections are the elections referred to in clause 4.2(2)(b) and clause 4.2(1)(a)(ii) of Schedule 3 to the CDR Rules. Information regarding the ‘joint account management service’ can be found under the section Consumer data request services.

[26] The exception to the requirement to seek authorisation is contained in clause 4.3 of Schedule 3 to the CDR Rules.

[27] For the banking sector, data holders (e.g. banks) may have existing internal frameworks which might assist in identifying these risks and deciding when this exception would apply. If a data holder requires further assistance in determining whether there is a risk of physical or financial harm or abuse, the OAIC recommends the data holder contact relevant advocacy organisations.

[28] The Register of Accredited Persons means the ACCC’s Register of Accredited Persons established under s 56CE(1) of the Competition and Consumer Act.

[29] CDR Rule 4.7.

[30] As described in clause 4.2 of Schedule 3 to the CDR Rules. Information regarding the ‘joint account management service’ can be found under the section Consumer data request services.

[31] Clause 4.3 of Schedule 3 to the CDR Rules.

[32] CDR Rule 4.22.

[33] CDR Rule 4.22. The ‘Consumer Experience Guidelines’ provide best practice interpretations of several CDR Rules relating to authorisation and are discussed in Chapter B (Key concepts) of the CDR Privacy Safeguard Guidelines.

[34] To be a data holder, a person must have begun to hold the CDR data after the ‘earliest holding day’ (s 56AJ(1)(b) of the Competition and Consumer Act). Under the designation instrument for the banking sector, the earliest holding day is 1 January 2017: s 5(3) of the designation instrument. This means that consumer data requests may be made for CDR data dating back to 1 January 2017.

[35] The Data Language Standards are contained within the Consumer Experience Guidelines. They provide descriptions of the types of data to be used by data holders when making and responding to requests. Adherence to the Data Language Standards is mandatory and will help ensure there is a consistent interpretation and description of the consumer data that will be shared in the CDR system. See s 56FA of the Competition and Consumer Act and CDR Rule 8.11.

[36] Authorisations to disclose CDR data expire at the latest 12 months after they are given: CDR Rule 4.26(1)(e).

[37] Authorisations to disclose CDR data expire at the latest 12 months after they are given: CDR Rule 4.26(1)(e).

[38] CDR Rule 4.23.

[39] In the banking sector, a data holder may be required to seek authorisation from more than one consumer where the relevant CDR data relates to a joint account and the joint account holders have elected via the JAMS that they will provide authorisation individually: see clause 4.5 of Schedule 3 to the CDR Rules. Information about the JAMS is available under the section Consumer data request services.

[40] CDR Rule 4.6(4). ‘Required consumer data’ for the banking sector is defined in clause 3.2 of Schedule 3 to the CDR Rules. Clause 3.2(3) of Schedule 3 to the CDR Rules sets out what CDR data will be neither required consumer data nor voluntary consumer data. For further information, see Chapter B (Key concepts) of the CDR Privacy Safeguard Guidelines.

[41] CDR Rule 4.6(2). ‘Voluntary consumer data’ for the banking sector is defined in clause 3.2(2) of Schedule 3 to the CDR Rules. Clause 3.2(3) of Schedule 3 to the CDR Rules sets out what CDR data will be neither required consumer data nor voluntary consumer data. For further information, see Chapter B (Key concepts) of the CDR Privacy Safeguard Guidelines.

[42] CDR Rule 4.6. Information regarding the ‘accredited person request service’ is available under Consumer data request services.

[43] Section 56BU of the Competition and Consumer Act.

[44] For the banking sector, data holders (e.g. banks) may have existing internal frameworks which might assist in identifying these risks and deciding when this exception would apply. If a data holder requires further assistance in determining whether there is a risk of physical or financial harm or abuse, the OAIC recommends the data holder contact relevant advocacy organisations.

[45] The Register of Accredited Persons means the ACCC’s Register of Accredited Persons established under s 56CE(1) of the Competition and Consumer Act.

[46] CDR Rule 4.7.

[47] As described in clause 4.2 of Schedule 3 to the CDR Rules. Information regarding the ‘joint account management service’ can be found under the section Consumer data request services.

[48] Clause 4.3 of Schedule 3 to the CDR Rules.

[49] CDR Rule 1.15.

[50] This is to assist the data holder in complying with its obligation under Privacy Safeguard 10 and Rule 7.9 to update the consumer’s dashboard ‘as soon as practicable’ after the disclosure of CDR data to notify the consumer of certain matters. See Chapter 10 (Privacy Safeguard 10) of the CDR Privacy Safeguard Guidelines for further information.

[51] The data holder must also provide the other joint account holder with a dashboard where both joint account holders have made relevant elections using the JAMS: clause 4.4 of Schedule 3 to the CDR Rules. The relevant elections are the elections referred to in clause 4.2(1)(a) or, if offered by the data holder, clause 4.2(2)(b) of Schedule 3 to the CDR Rules. Information regarding the JAMS or ‘joint account management service’ can be found under the section Consumer data request services.

[52] CDR Rules 1.15(1)(b) and 1.15(3).

[53] Privacy Safeguard 10 requires a data holder to notify consumers of the disclosure of their CDR data by updating the consumers’ dashboard to include certain matters. For further information, see CDR Rule 7.9 and Chapter 10 (Privacy Safeguard 10) of the CDR Privacy Safeguard Guidelines.

[54] Privacy Safeguard 11 requires a data holder to disclose corrected CDR data to the original recipient of the disclosure if the entity has advised the consumer that some or all of the CDR data was incorrect when the entity disclosed it, and the consumer requests the entity to disclose the corrected CDR data. For further information, see s 56EN(4) of the Competition and Consumer Act and Chapter 11 (Privacy Safeguard 11) of the CDR Privacy Safeguard Guidelines.

[55] CDR Rule 1.15(1)(c).

[56] CDR Rule 4.25(1).

[57] CDR Rule 4.25(2).

[58] CDR Rule 4.25(1).

[59] CDR Rule 1.15(1)(c).

[60] CDR Rule 4.25(1).

[61] Explanatory Statement to the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2020.

[62] CDR Rule 4.26(1).

[63] CDR Rule 4.26(1).

[64] See CDR Rule 1.15(3)(e).

[65] CDR Rule 4.27 requires a data holder to update the consumer dashboard as soon as practicable after the information required to be contained on the dashboard changes.

[66] This is because only ‘eligible’ CDR consumers may make consumer data requests under the CDR Rules.

[67] For the definition of an ‘eligible’ CDR consumer in the banking sector, see clause 2.1 of Schedule 3 to the CDR Rules. See also Chapter B (Key concepts) of the CDR Privacy Safeguard Guidelines.

[68] As a result of clause 7.2(3)(b) of Schedule 3 to the CDR Rules and section 56AJ(4) of the Competition and Consumer Act.

[69] Privacy Safeguard 10 requires a data holder to notify consumers of the disclosure of their CDR data by updating the consumers’ dashboard to include certain matters. For further information, see CDR Rule 7.9 and Chapter 10 (Privacy Safeguard 10) of the CDR Privacy Safeguard Guidelines.

[70] CDR Rule 4.27.

[71] CDR complaint data is defined in CDR Rule 1.7.

[72] CDR Rule 9.5(1). A data holder must keep and maintain certain records as outlined in CDR Rule 9.3(1).

[73] CDR Rule 9.5(4).

Long text descriptions

Overview of key information flow in the CDR regime

This chart illustrates the flow of information between data holders, consumers and accredited persons.

There are six steps involved:

  1. The consumer consents to an accredited person obtaining their data in order to provide a requested good or service.

  2. The accredited person contacts the data holder, seeking to access the consumer’s data.

  3. The data holder asks the consumer to authorise the disclosure of their data to the accredited person.

  4. The consumer authorises the disclosure of their data by the data holder.

  5. The data holder shares the consumer’s data with the accredited person. The accredited person becomes an accredited data recipient for the consumer’s CDR data.

  6. The accredited data recipient uses the consumer’s CDR data to provide the requested good or service to the consumer.
