The security and integrity of the Consumer Data Right (CDR) system is upheld by 13 privacy safeguards, contained in the Competition and Consumer Act and supplemented by the CDR Rules.

The privacy safeguards set out the privacy rights and obligations for participants in the CDR system, which cover, but are not limited to:

  • implementing practices, procedures and systems to ensure compliance with the CDR system
  • having a CDR policy that provides information to consumers about how their CDR data is managed, and how they can make an inquiry or complaint
  • obtaining the consumer’s consent before seeking to collect data
  • using data only for the purpose the consumer consented to
  • restrictions on direct marketing and overseas disclosure
  • quality and correction of data
  • information security requirements around minimum system controls, testing, monitoring, evaluation and reporting, and
  • deleting or de-identifying redundant data if it is no longer needed (with a right for the consumer to elect for their data to be deleted).

These privacy safeguard obligations and how to comply are set out in the OAIC’s CDR Privacy Safeguard Guidelines.

In addition to the obligations under the privacy safeguards, data holders must also comply with several privacy obligations in the CDR Rules relating to authorisation, disclosure and management of records. These obligations are set out in the Guide to privacy for data holders.

There is also a Guide to developing a CDR policy to assist accredited data recipients and data holders to prepare and maintain a CDR policy.

Having a CDR data management plan may also help you comply with the obligation to have practices, procedures and systems implemented to ensure compliance with the CDR system, including the privacy safeguards.

A CDR data management plan identifies specific, measurable privacy goals and targets and sets out how a participant will meet its ongoing compliance obligations.

Further information on how to develop a CDR data management plan can be found in Chapter 1 (Privacy Safeguard 1) of the CDR Privacy Safeguard Guidelines.

What happens if there is a data breach?

Accredited data recipients have obligations to respond to information security incidents as soon as practicable under Schedule 2 to the CDR Rules. These include the following obligations:

  • managing all relevant stages of an incident, from detection to post-incident review
  • complying with the Notifiable Data Breaches scheme under the Privacy Act, including obligations to notify consumers and the OAIC about eligible data breaches. An eligible data breach occurs when there is unauthorised access to, or unauthorised disclosure of, CDR data, or a loss of CDR data held by a CDR entity, where this is likely to result in serious harm to any of the consumers to whom the data relates, and
  • notifying the Australian Cyber Security Centre as soon as practicable (and no later than 30 days) after the information security incident occurs.

For further information about obligations in the event of a data breach, see the Notifiable Data Breaches scheme web page and Chapter 12 (Security of CDR data and destruction or de-identification of redundant CDR data) of the Privacy Safeguard Guidelines.
