Sponsored accreditation model: Privacy obligations of affiliates

23 December 2021

The sponsored accreditation model allows a person accredited to the ‘sponsored’ level (an ‘affiliate’) to provide goods or services directly to a consumer. To do so, they must have a written contract with an unrestricted accredited person (a ‘sponsor’) who discloses CDR data they hold as an accredited data recipient to the affiliate. The model is intended to provide an alternative to unrestricted accreditation and support a broader array of business arrangements.

Entities can apply for sponsored accreditation from 1 February 2022.

The purpose of this page is to assist an entity to understand the privacy obligations they will have if they decide to become accredited to the sponsored level. The CDR Privacy Safeguard Guidelines will be updated to reflect this content.

This page outlines the key privacy obligations for affiliates, which fall under the following topics:

  • Written contract
  • Requesting a consumer’s CDR data
  • Consent
  • Liability
  • Notification
  • CDR policy
  • Dashboards
  • Third parties

These obligations have been introduced by Version 3 of the CDR Rules (being the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2021) and must be complied with from 1 February 2022.

These obligations apply in addition to an affiliate’s own privacy obligations as an accredited person and accredited data recipient (for example, to comply with the privacy safeguards).

For information regarding an affiliate’s accreditation obligations, see the ACCC’s Accreditation Guidelines.

For information on the privacy obligations for sponsors, see Sponsored accreditation model: Privacy obligations of sponsors.

Key points

  • An affiliate is an entity that has been granted accreditation at the sponsored level and who has a sponsorship arrangement with an unrestricted accredited person (known as the ‘sponsor’). Entities can apply for sponsored accreditation from 1 February 2022.
  • The ‘sponsorship arrangement’ is a written contract between a sponsor and their affiliate which meets the minimum requirements set out in CDR Rule 1.10D.
  • The sponsorship arrangement must provide for the sponsor to disclose CDR data to their affiliate, in response to a consumer data request from the affiliate.
  • An affiliate may collect CDR data from an accredited data recipient or request that their sponsor collect CDR data on their behalf. They cannot collect CDR data from a data holder directly, or engage an outsourced service provider to collect CDR data on their behalf.
  • Where an affiliate requested their sponsor collect a consumer’s CDR data, that data is taken also to have been collected by the affiliate. This ensures that limitations on uses and disclosures apply to affiliates.
  • In general, as an affiliate and their sponsor are both accredited persons, each entity will be liable in their own right for their handling of CDR data.
  • An affiliate may have more than one sponsor at a time.
  • For examples of situations in which a sponsorship arrangement could be used, see pages 8–9 of the explanatory statement to the amending instrument for the Version 3 CDR Rules.
  • For an overview of the key similarities and differences between entities accredited to the unrestricted level and entities accredited to the sponsored level, see page 6 of the explanatory statement to the amending instrument for the Version 3 CDR Rules.

Written contract

An affiliate must have a written contract with their sponsor that meets the minimum requirements in CDR Rule 1.10D(1). This written contract is known as a ‘sponsorship arrangement’.

The sponsorship arrangement must provide for the sponsor to disclose CDR data to their affiliate, in response to a consumer data request from the affiliate.

The arrangement must also require the affiliate to provide the sponsor with appropriate information and access to their operations as needed for the sponsor to fulfil their obligations as a sponsor. The sponsor’s obligations include ensuring the affiliate complies with the minimum information security controls in the CDR Rules.

An affiliate may also include a term in the arrangement for their sponsor to make consumer data requests, or to use or disclose CDR data, at the affiliate’s request.

An affiliate may enter into multiple sponsorship arrangements (i.e. an affiliate can have more than one sponsor).

Requesting a consumer’s CDR data

There are certain restrictions on when and to whom an affiliate may make a consumer data request (CDR Rule 5.1B).

These restrictions apply in addition to the ordinary restrictions for making a consumer data request (notably, the requirement for an accredited person to have a valid request from the consumer).

An affiliate must not make a consumer data request to collect CDR data unless they have a ‘registered sponsor’ (see CDR Rules 5.1B(2) and 5.1B(8)). If an affiliate has a registered sponsor, the affiliate may only make a consumer data request in the following ways:

  • through their registered sponsor (by making a consumer data request to their sponsor to collect CDR data on their behalf), or
  • to an accredited data recipient under CDR Rule 4.7A.

This means that an affiliate may only make a consumer data request to collect CDR data from accredited data recipients (including their registered sponsor). They cannot make a consumer data request to a data holder.

Consent

An affiliate is responsible for seeking consents from the consumer. This is regardless of whether the affiliate intends to collect the CDR data themselves (from an accredited data recipient) or request their sponsor do so on their behalf.

The consents that an affiliate may seek include collection consents, use consents and disclosure consents. Like all accredited persons, an affiliate must only seek to collect CDR data in response to a valid request from a consumer. The obtaining of consents from a consumer is a key component of a valid request.

Requirements when seeking consent

An affiliate must ask for consents in accordance with Division 4.3 of the CDR Rules. This Division seeks to ensure that consent is voluntary, express, informed, specific as to purpose, time limited, and easily withdrawn.

Where an affiliate intends for their sponsor to collect the consumer’s CDR data, it is still the responsibility of the affiliate to seek the collection consent. When seeking the collection consent, the affiliate must provide the consumer with the following information:

  • a statement of the fact that the affiliate’s sponsor will be collecting the consumer’s CDR data
  • the sponsor’s name
  • the sponsor’s accreditation number
  • a link to the sponsor’s CDR policy, and
  • a statement that the consumer can obtain further information about the sponsor’s collection of CDR data (and subsequent disclosure of that data to the affiliate) from the sponsor’s CDR policy.

See CDR Rules 4.3(2B) and 4.11(3). See generally Chapter C (Consent) for further general information.

Expiry of consent

In addition to the expiry situations outlined in CDR Rule 4.14, any collection consents given to an affiliate expire upon the affiliate ceasing to have any registered sponsor. However, any use consents and disclosure consents continue in effect (CDR Rule 5.1B(6)).

This means that if an affiliate ceases to have a registered sponsor, they can no longer rely on previously obtained collection consents, but may continue to use and/or disclose the CDR data in accordance with the relevant consents. The affiliate would be required to notify a consumer of this fact under CDR Rule 4.18A.

Liability

In general, as an affiliate and their sponsor are both accredited persons, each entity will be liable in their own right for their handling of CDR data.

In addition, where a sponsor collects a consumer’s CDR data at the request of their affiliate, that data is taken also to have been collected by the affiliate (CDR Rule 7.6(3)). This ensures that the limitations on permitted uses and disclosures in Subdivision 7.2.3 apply to affiliates when they have used their sponsor to collect data from data holders.

Notification

An affiliate must notify the consumer of certain matters, as listed below.

  • Where a sponsor collects a consumer’s CDR data on behalf of an affiliate, the sponsor and affiliate may decide which of them will be responsible for notifying the consumer of that collection under Privacy Safeguard 5. In addition to the information required by CDR Rule 7.4(1), the relevant party must ensure that the notification also indicates that the CDR data was collected by the sponsor on behalf of the affiliate.
  • An affiliate must also notify the consumer of other matters as set out in Subdivision 4.3.5 of the CDR Rules. See Chapter C (Consent) for further information (‘Notification requirements’). Examples include notification requirements triggered by the receipt of a collection consent, or the amendment/expiry of the collection consent. Because a collection consent given to an affiliate is taken to also have been given to the sponsor, both the affiliate and the sponsor would be required to provide these notifications. However, in such a situation, the CDR Rules provide that the sponsor and affiliate may choose which of them will provide the notification (CDR Rule 4.20A).

Privacy Tip: An affiliate and their sponsor may each be required to notify a consumer of the same matters. Where this occurs, the affiliate may choose for their sponsor to provide the notification only. Where it is the affiliate that has the consumer-facing relationship, or a greater consumer-facing role, it may be preferable for the affiliate, rather than the sponsor, to provide the notification. This will enhance consumer understanding and reduce the risk of confusion.

Where the parties decide that the sponsor will provide the notification(s), the affiliate should consider including an obligation for the sponsor to provide the relevant notification(s) as an additional requirement in the sponsorship arrangement (i.e. the written contract) between the parties. This will help minimise the risk that both parties provide the notification (which can lead to notification fatigue), or that neither party provides the notification (which would constitute a breach of the relevant CDR Rule or privacy safeguard).

See CDR Rules 4.3(2B), 4.20A and 7.4(2).

CDR policy

An affiliate must ensure their CDR policy includes a list of their sponsors, and, for each sponsor, information about the nature of the services provided by the sponsor to the affiliate and vice versa (CDR Rule 7.2(4)).

Dashboards

An affiliate must provide a consumer dashboard for each consumer who has provided a consent to the affiliate in relation to their CDR data. Where the affiliate is intending for their sponsor to collect the consumer’s CDR data, the affiliate must include the sponsor’s name and accreditation number on the consumer’s dashboard (CDR Rule 1.14).

Restrictions on engaging third parties

An affiliate must not engage an outsourced service provider to collect CDR data on their behalf (CDR Rule 5.1B(4)). However, an affiliate may disclose CDR data to an outsourced service provider for the purposes of that provider providing goods or services to the affiliate using that data.

An affiliate must not have a CDR representative (CDR Rule 5.1B(5)).