Trusted advisers in the Consumer Data Right system

This page outlines the key privacy obligations relating to disclosures to ‘trusted advisers’ under the Consumer Data Right (CDR) system.

The ‘trusted adviser’ provisions allow consumers to use the CDR to share their data with members of specified professions (‘trusted advisers’) to receive advice or a service.

Key points

• Consumers can nominate certain persons as their ‘trusted adviser’ and provide consent for an accredited data recipient or CDR representative to share data with that adviser, so the consumer can receive advice or a service.
• Trusted advisers are persons listed in CDR Rules, subrule 1.10C(2) and include lawyers, accountants, financial advisers, tax agents and mortgage brokers. A business can be a trusted adviser where it falls into one of the classes of professions listed in the rules.
• A person is taken to be a member of a trusted adviser class for the purposes of CDR Rules, rule 1.10C if the accredited data recipient or CDR representative has taken reasonable steps to confirm that the person was, and remains, a member of the class (CDR Rules, subrule 1.10C(3)).
• Reasonable steps will differ in each case but may include checking a public register, such as the tax agents register for the relevant individual, asking them to provide proof of membership or requesting a contractual warranty, attestation or representation.
• An accredited data recipient or CDR representative must have the consumer’s consent before disclosing a consumer’s CDR data to their nominated trusted adviser.
• An accredited data recipient or CDR representative generally must not make a consumer nominate a trusted adviser or particular trusted adviser, or consent to data being disclosed to a trusted adviser, before agreeing to provide them with goods or services.
• Trusted advisers should be aware of their obligations under the Privacy Act 1988 when handling personal information and the professional obligations they have that relate to their handling of a consumer’s data.

Who are trusted advisers?

A consumer can nominate certain persons to be their trusted adviser. With the consumer’s consent, known as a ‘TA disclosure consent’, an accredited data recipient or CDR representative can disclose the consumer’s CDR data to the nominated trusted adviser.

Trusted advisers are not CDR participants and are therefore not subject to the privacy safeguards or other obligations that apply under the CDR system.

Trusted advisers must belong to one of the specified professions listed in CDR Rules, subrule 1.10C(2). These are:

• qualified accountants within the meaning of the Corporations Act 2001
• persons admitted to the legal profession that hold a current practising certificate
• registered tax agents, BAS agents and tax (financial) advisers within the meaning of the Tax Agent Services Act 2009
• financial counselling agencies within the meaning of the ASIC Corporations (Financial Counselling Agencies) Instrument 2017/792
• financial advisers that are relevant providers under the Corporations Act 2001, other than provisional and limited-service time-share advisers
• mortgage brokers within the meaning of the National Consumer Credit Protection Act 2009.

A business can be a trusted adviser if the business falls into one of the specified professions listed in the CDR Rules. For example, the Tax Agent Services Act 2009 allows partnerships and companies to be eligible for registration as a tax agent.

Any person or business that does not fall within one of these specified professions cannot be a consumer’s ‘trusted adviser’ for the purposes of the CDR system. Examples of entities that fall outside the trusted adviser classes include real estate agents and mortgage aggregators.

Reasonable steps to confirm trusted adviser status

An accredited data recipient or CDR representative may, with a consumer’s consent, disclose the consumer’s CDR data to a member of a trusted adviser class. A person is taken to be a member of a class for the purposes of CDR Rules, rule 1.10C if the accredited data recipient or CDR representative has taken reasonable steps to confirm that the person was, and remains, a member of the class (CDR Rules, subrule 1.10C(3)).

Where an accredited data recipient discloses CDR data to a person who does not belong to a trusted adviser class, and did not take reasonable steps to confirm the person belonged to the class, the disclosure would contravene CDR Rules, rule 7.6. Where a CDR representative discloses CDR data to a person who does not belong to a trusted adviser class, and did not take reasonable steps to confirm the person belonged to the class, the disclosure would be a contravention of CDR Rules, rule 7.6 by the CDR representative principal (because any disclosure by a CDR representative is taken to have been by the CDR representative principal - CDR Rules, subrule 7.6(4)).

The ‘reasonable steps’ test is an objective one and an entity must be able to justify that reasonable steps were taken. As noted under ‘Record keeping’ below, the accredited data recipient (or CDR representative principals in relation to each of their CDR representatives) should keep records of any steps it (or its CDR representative) takes to confirm that the trusted adviser is a member of a specified class.

An example of a reasonable step that may be taken to confirm that a trusted adviser is a member of a specified class is to search a public register to confirm the individual is currently included as a member. Examples of such registers include the tax agents register, or the various state-based registers of current practising lawyers.

Other examples that may constitute reasonable steps in the circumstances include asking the nominated individual to provide proof that they are a registered member of the profession, or requesting a contractual warranty, attestation, representation or statutory declaration from the trusted adviser that they belong to the relevant class.

What is reasonable will vary depending on the circumstances. Factors that may be relevant include:

• the nature of the CDR data to be disclosed (with more rigorous steps required as the amount and/or sensitivity of CDR data to be disclosed increases), or
• the nature of the relationship between the consumer and the nominated trusted adviser (for example, whether the trusted adviser is known to the consumer already and the length of their pre-existing relationship)
• the possible adverse consequences for the consumer if the data is disclosed to someone who is not a trusted adviser (and therefore not subject to the professional obligations that apply to trusted adviser classes).

In some circumstances, it may be reasonable for an accredited data recipient or CDR representative to take no steps to confirm a trusted adviser is a member of a particular class. For example, this may be the case where the accredited data recipient or CDR representative has only recently taken reasonable steps to verify the status of that particular trusted adviser.

However, it would be good practice to verify the trusted adviser’s status at regular intervals, for example once every 12 months, in order to ensure they are still a member of the relevant class. Further, if the accredited data recipient or CDR representative becomes aware that the trusted adviser may no longer be a member of a listed class, it would be prudent at that time to take steps to verify their status before any further disclosures of CDR data are made.

Seeking consent to disclose

An accredited data recipient or CDR representative must have the consumer’s consent before disclosing a consumer’s CDR data to their nominated trusted adviser. This is known as ‘TA disclosure consent’ (see CDR Rules, subparagraph 1.10A(1)(c)(iii)).

An accredited data recipient must ask for a TA disclosure consent in accordance with Division 4.3 of the CDR Rules, while a CDR representative must ask for a TA disclosure consent in accordance with Division 4.3A. These Divisions seek to ensure that consent is voluntary, express, informed, specific as to purpose, time limited, and easily withdrawn. As part of this, an accredited data recipient’s and CDR representative’s process for asking a consumer to give or amend a TA disclosure consent must:

• comply with any relevant consumer experience data standards and
• be as easy to understand as practicable, including by use of concise language and, where appropriate, visual aids, having regard to any consumer experience guidelines (see CDR Rules, subparagraphs 4.10(1)(a)(ii) and 4.20D(a)(ii)).

The disclosure of CDR data to trusted advisers must also be consistent with the consumer experience standards for disclosure of CDR data to trusted advisers (see CDR Rules, subparagraph 8.11(1)(c)(iv)).

Unless the CDR data is disclosed to a trusted adviser who is also an accredited person, the CDR data will no longer be subject to the protections and safeguards of the CDR system. An accredited data recipient or CDR representative must explain this to the consumer in accordance with the relevant customer experience data standard (see CDR Rules, subrule 8.11(1B)).

Dashboard

An accredited data recipient must provide a consumer dashboard for each consumer who has provided a consent in relation to their CDR data (see CDR Rules, subrule 1.14(1)). CDR representatives may provide a consumer dashboard where their CDR representative principal arranges for them to do so (see CDR Rules, subrule 1.14(5)).

In accordance with Privacy Safeguard 10 (see Competition and Consumer Act, section 56EM and CDR Rules, rule 7.9), when an accredited data recipient discloses CDR data to a trusted adviser, they must also update each consumer dashboard as soon as practicable to indicate:

• what CDR data was disclosed
• when it was disclosed, and
• who the trusted adviser was (see CDR Rules, subrule 7.9(3)).

Where a CDR representative discloses CDR data to a trusted adviser, this is taken to be a disclosure by their CDR representative principal. This means that, under Privacy Safeguard 10, the CDR representative principal must update the consumer dashboard as soon as practicable to indicate the above details, or otherwise arrange for their CDR representative to do so on its behalf (see CDR Rules, subrule 4.19(2)).

An accredited data recipient (or CDR representative where they provide the dashboard) must also include certain information in the consumer’s dashboard, stating that they can request copies of these records and how to request a copy (see CDR Rules, subrule 1.14(3A)).

No condition on supply of goods or services

Generally, an accredited data recipient or CDR representative must not make the nomination of a trusted adviser, the nomination of a particular person as a trusted adviser, or the giving of consent to disclose data to a trusted adviser, a condition for the supply of the goods or services (see CDR Rules, subrule 1.10C(4)).

This means that the accredited data recipient or CDR representative cannot tell the consumer that they will only provide goods or services if the consumer consents to a trusted adviser receiving their CDR data, or if they nominate a trusted adviser or a particular trusted adviser.

However, where the only service requested is for CDR data to be collected from a data holder and provided to a trusted adviser, only the prohibition on requiring the nomination of a particular person as trusted adviser applies. The remaining two prohibitions (making the nomination of a trusted adviser, or the giving of a consent to disclose data to a trusted adviser, a condition for the supply of goods of services) do not apply (see CDR Rules, subrule 1.10C(5)).

Professional obligations for trusted advisers

Trusted advisers do not have the same regulatory obligations that apply to an accredited data recipient under the CDR system (or the same contractual obligations that apply to CDR representatives).

However, as members of a specified professional class, trusted advisers are subject to existing professional or regulatory oversight. Existing obligations may include the duty to act in the best interests of their client, and consumer law obligations such as the prohibition against unconscionable conduct.

Privacy obligations for trusted advisers

Trusted advisers who are APP entities should be aware of their obligations under the Privacy Act when handling consumer data.

There are 13 Australian Privacy Principles (APPs) in the Privacy Act which set out standards, rights and obligations in relation to a regulated entity’s handling, holding, accessing and correcting of personal information.

Further information about the APPs and who is covered in the Office of the Australian Information Commissioner’s (OAIC’s) Australian Privacy Principles guidelines.

Record keeping and reporting

An accredited data recipient must keep and maintain records when it discloses CDR data to a trusted adviser. This includes records that record and explain:

• disclosures of CDR data to the trusted adviser
• who the trusted adviser is, and
• any steps it took to confirm that the adviser is a member of a class of professions listed as a trusted adviser (i.e. lawyer, accountant) (see CDR Rules, paragraphs 9.3(2)(eb)-(ec)).

A CDR representative principal must keep corresponding records relating to disclosures to trusted advisers by each of their CDR representatives (see CDR Rules, paragraph 9.3(2A)(hb)-(hc). CDR representative principals should consider whether including relevant contractual terms in the CDR representative arrangement would assist them to comply with these record keeping and reporting requirements.

In their regular reports to the Australian Competition and Consumer Commission (ACCC) and the OAIC, the accredited data recipient must include information about:

• the number of consents received from CDR consumers to disclose CDR data to trusted advisers (CDR Rules, subparagraph 9.4(2)(f)(vi))
• the number of trusted advisers in each class to whom they disclosed CDR data (CDR Rules, subparagraph 9.4(2)(f)(vii)).

A CDR representative principal must also include this information in relation to each of its CDR representatives in its regular reports (CDR Rules, subparagraphs 9.4(2A)(vii)-(viii)).