Under the Consumer Data Right (CDR), you can direct that your data is safely and securely shared with an accredited provider of your choice. Providers are also referred to as ‘accredited data recipients’.

You can use your CDR data to investigate, compare and access new services in the banking sector.

For example, you might share your data with a provider that offers a budgeting or savings app.

The CDR system will allow you to access, manage and share your data, by giving you the ability to:

  • Decide which providers can see and use your data
  • Specify what types of data you wish to transfer
  • Specify what you want your data to be used for
  • Stop the transfer of data
  • Ask for your data to be deleted once it is no longer needed.

Your data can only be shared within the CDR system with your consent and can only be transferred to an accredited provider.

How to access your CDR data

The accredited provider of your choice will guide you through the process of accessing your data from the business which holds it.

You will need to give your consent to share your data to both businesses.

This image shows the process for accessing CDR data with the provider of your choice. Link to long text description follows image.

Long text description

Do you have a joint account?

If you want to access or share information relating to a joint account, both you and the other account holder must first agree to allow this. Your service provider will allow you to express your preferences through an online account management service.

Through this service, both you and the other account holder can manage your preferences, including whether you are happy for the other account holder to make requests to share CDR data on your behalf. 

Giving consent to access your data is an important part of protecting your privacy. An accredited provider you have chosen to deal with under the CDR system can only access your CDR data with your consent.

You can specify what data to share, how it will be used and how long you wish to share through the CDR system.

You can stop sharing your data at any time. Your consent to use your CDR data expires after 12 months.

An accredited provider should only ask you for consent to collect data that is reasonably needed to provide the good or service.

Your consent must be voluntary and made as an active choice — that is, your consent must be given specifically for the agreed purpose and not implied or presumed, and it cannot be the result of default settings or pre-selected options. You should be fully informed about how your data will be used before giving consent.

You should not feel pressured into providing your consent to a provider.

You have a right to complain to your provider, and to the OAIC, if you have concerns about how your consent has been sought, or if you think your provider has not handled your data in accordance with your consent.

If you need help to understand whether you should provide consent under the CDR system, or if you are experiencing financial difficulties in relation to a good or service provided under the CDR, organisations such as the Financial Rights Legal Centre may be able to assist you. Consumers can contact the Financial Rights Legal Centre for free legal advice on 02 8204 1313 or via their website.

Understanding and managing how your CDR data will be used

Businesses in the CDR system must have a ‘CDR policy’ available to you. This has detailed information on how your CDR data will be managed. It will also tell you what to do if your data is misused.

Each business must also provide you with an online consumer dashboard that will allow you to manage your data sharing activity. You will receive information through your online dashboard about what you’ve consented to and what the data is used for. The online dashboard will also give you the ability to:

  • withdraw your consent
  • ask for your CDR data to be deleted once it is no longer needed.

Correcting your CDR data

You have the right to make a request to correct your CDR data if it is inaccurate, out of date, incomplete or misleading.

If you think your CDR data is incorrect, you can contact the business to ask them to correct it. The business should consider the reasons they hold your CDR data, and then respond to your request by either:

  • correcting your CDR data, or
  • providing a qualifying statement to ensure that the data won’t be misinterpreted.

If the business does not correct your CDR data, they must tell you why they considered that no correction or statement was required and how you can make a complaint if you aren’t satisfied with their response.

The Consumer Data Right (CDR) system is designed to keep your data secure. Strong privacy protections are built into the system, and a provider can only access your data if they are accredited and you have given your consent.

We enforce the privacy aspects of the CDR system and deal with complaints about how your CDR data is handled. The Australian Competition and Consumer Commission (ACCC) is responsible for accrediting providers and enforcing the CDR Rules.

Long text description

This image shows the process for accessing CDR data with the provider of your choice.

The consumer is positioned in the centre, between the business which has their data and the business they’d like to share their data with. The consumer consents with both parties for the sharing of their data. They can stop sharing data at any time and their consent lasts for 12 months.

The business which has the consumer’s data transfers only the data requested to the business the consumer has chosen to engage with. That business stores the data securely and only uses it in a way that the consumer has specified.

That business will display the CDR accredited logo.

Back to diagram

Was this page helpful?

Thank you.

If you would like to provide more feedback, please email us at websitefeedback@oaic.gov.au