Sponsored accreditation model – Privacy obligations of sponsors

23 December 2021

The sponsored accreditation model allows a person accredited to the ‘sponsored’ level (an ‘affiliate’) to provide goods or services directly to a consumer. To do so, they must have a written contract with an unrestricted accredited person (a ‘sponsor’) who discloses CDR data they hold as an accredited data recipient to the affiliate. The model is intended to provide an alternative to unrestricted accreditation and support a broader array of business arrangements.

An accredited person can become a sponsor from 1 February 2022.

The purpose of this page is to assist accredited persons to understand the privacy obligations they will have if they decide to become a sponsor. The CDR Privacy Safeguard Guidelines will be updated to reflect this content.

This page outlines the key privacy obligations for sponsors, which fall under the following topics:

  • Written contract
  • Disclosure
  • Notification
  • CDR policy
  • Record keeping and reporting

These obligations have been introduced by Version 3 of the CDR Rules (being the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2021) and must be complied with from 1 February 2022.

These privacy obligations apply in addition to a sponsor’s own privacy obligations as an accredited person and accredited data recipient (for example, to comply with the privacy safeguards).

A sponsor must also comply with specific obligations in Schedule 1, clause 2.2 of the CDR Rules, including in relation to undertaking due diligence, and in relation to their affiliate’s compliance with information security requirements. Further information on these conditions will be available in the ACCC’s Accreditation Guidelines in early 2022.

For information on the privacy obligations for affiliates, see Sponsored Accreditation Model: Privacy Obligations of Affiliates.

Key points

  • A sponsor is a person accredited at the unrestricted level who has entered into a written contract (‘sponsorship arrangement’) with an affiliate that contains the requirements set out in CDR Rule 1.10D.
  • An accredited person can become a sponsor from 1 February 2022.
  • The role of the sponsor is to disclose CDR data to their affiliate so that the affiliate may use that data to provide goods or services directly to a consumer. The sponsor may also collect CDR data on behalf of their affiliate, and use or disclose CDR data at the request of their affiliate.
  • A sponsor must also comply with specific obligations in Schedule 1, clause 2.2 of the CDR Rules, including in relation to undertaking due diligence, and in relation to their affiliate’s compliance with information security requirements.
  • In general, as a sponsor and their affiliate are both accredited persons, each entity will be liable in their own right for their handling of CDR data.
  • For examples of situations in which a sponsor could engage an affiliate, see pages 8–9 of the explanatory statement to the amending instrument for the Version 3 CDR Rules.

Written contract

A sponsor must have a written contract with their affiliate that meets the minimum requirements in CDR Rule 1.10D(1). This written contract is known as a ‘sponsorship arrangement’.

The sponsorship arrangement must provide for the sponsor to disclose CDR data that it holds as an accredited data recipient, to their affiliate, in response to a consumer data request from the affiliate (CDR Rule 1.10D(1)(a)).

The arrangement must also require the affiliate to provide the sponsor with appropriate information and access to their operations as needed for the sponsor to fulfil their obligations (CDR Rule 1.10D(1)(b)). The sponsor’s obligations include ensuring the affiliate complies with the minimum information security controls in the CDR Rules (the steps for Privacy Safeguard 12 set out in Schedule 2 to the CDR Rules).

The arrangement may also provide for the sponsor to make consumer data requests, or to use or disclose CDR data, at their affiliate’s request (CDR Rule 1.10D(2)). Where a sponsor makes a consumer data request, or uses or discloses CDR data at their affiliate’s request, the sponsor remains liable for their own conduct and must ensure they comply with the relevant CDR Rules and privacy safeguards. For example, a sponsor can only use or disclose CDR data at an affiliate’s request where that request is permitted under Privacy Safeguards 6, 7, 8 and 9 and is in accordance with the relevant consumer’s consent.

Privacy tip: Where the parties decide to provide for the sponsor to make consumer data requests at their affiliate’s request, the sponsor should consider an additional term in the written contract that requires the affiliate to provide the sponsor with evidence that the affiliate has obtained the consents required for a ‘valid request’ under CDR Rule 4.3A. This will help ensure that the sponsor does not collect CDR data in breach of Privacy Safeguard 3.

A sponsor may enter into multiple sponsorship arrangements (i.e. can have more than one affiliate).

Disclosure

A sponsor may disclose CDR data to the affiliate only for the following purposes, so that the affiliate can:

  • use CDR data to provide goods or services requested by the consumer in compliance with the data minimisation principle and in accordance with a current use consent from the consumer (other than a direct marketing consent) (CDR Rule 7.5(1)(d), 7.5(1)(a))
  • de-identify CDR data in accordance with the CDR Rules to use for general research and/or for disclosing (including by selling) the de-identified data, in accordance with a current de-identification consent from the consumer (CDR Rule 7.5(1)(d), 7.5(1)(aa))
  • directly or indirectly derive CDR data from the collected CDR data in accordance with the above purposes (CDR Rule 7.5(1)(d), 7.5(1)(b)), or
  • disclose to the consumer any of their CDR data for the purpose of providing the goods or services requested by the consumer (CDR Rule 7.5(1)(d), 7.5(1)(c)).

When disclosing CDR data to their affiliate, the sponsor must disclose CDR data only to the extent reasonably needed for each of these purposes.

A sponsor is not permitted under the CDR Rules to disclose CDR data to their affiliate for any direct marketing purposes.

See Privacy Safeguard 6 and CDR Rule 7.5.

Notification

A sponsor’s notification obligations to the consumer are as follows:

  • Where a sponsor collects a consumer’s CDR data on behalf of an affiliate, the sponsor and affiliate may decide which of them will be responsible for notifying the consumer of that collection under Privacy Safeguard 5. In addition to the information required by CDR Rule 7.4(1), the relevant party must ensure that the notification also indicates that the CDR data was collected by the sponsor on behalf of the affiliate.
  • A sponsor must also notify the consumer of other matters as set out in subdivision 4.3.5 of the CDR Rules. See ‘Notification requirements’ in Chapter C (Consent) for further information. Examples include notification requirements triggered by the receipt of a collection consent, or the amendment or expiry of the collection consent. Because a collection consent given to an affiliate is taken to also have been given to the sponsor, both the affiliate and the sponsor would be required to provide these notifications. However, in such a situation, the CDR Rules provide that the sponsor and affiliate may choose which of them will provide the notification (CDR Rule 4.20A).

Privacy tip: A sponsor and their affiliate may each be required to notify a consumer of the same matters. Where this occurs, the sponsor may choose to have only their affiliate provide the notification. Where it is the affiliate that has the consumer-facing relationship, or a greater consumer-facing role, it may be preferable for the affiliate, rather than the sponsor, to provide the notification. This will enhance consumer understanding and reduce the risk of confusion.

Where this option is chosen, the sponsor should consider including an obligation for the affiliate to provide the relevant notification/s as an additional requirement in the written contract between the parties. This will help minimise the risks that both parties provide the notification (which can lead to notification fatigue), or that neither party provides the notification (which would constitute a breach of the relevant CDR Rule or privacy safeguard).

CDR policy

A sponsor must ensure their CDR policy includes a list of their affiliates, and, for each affiliate, information about the nature of the services provided by the affiliate to the sponsor and vice versa (CDR Rule 7.2(4)).

Record keeping and reporting

A sponsor must keep and maintain records in relation to their sponsorship arrangements. The required records are set out in CDR Rule 9.3(2).

A sponsor must prepare and submit a report twice a year to the Office of the Australian Information Commissioner and the Australian Competition and Consumer Commission that contains the information set out in CDR Rule 9.4(2) in relation to each of their affiliates. See CDR Rule 9.4 for the reporting periods and further information.