Protecting your CDR data

Your CDR data contains your personal information and is valuable. A range of measures are in place to ensure the privacy of your CDR data is protected.

How is your privacy protected?

A business can only handle your CDR data if they are accredited by the ACCC and meet strict requirements for:

  • data collection, usage and storage
  • Information security
  • protecting your privacy, and
  • obtaining your consent.

If they don’t meet these requirements, they can have their accreditation suspended or cancelled, or they can be fined or face other regulatory action.

You are the only person who can request a data transfer to an accredited business, and you control what data you share, for what purpose and how long you share it.

Once you give your consent, your CDR data is transferred via a secure online system.

How is your data secured?

Data security requirements are built into the CDR system. Accredited providers must follow strict information security requirements around governance, minimum system controls, testing, monitoring, evaluation and reporting. Generally, they are required to destroy or de-identify your data if it is no longer needed. 

Providers must also comply with the Notifiable Data Breaches scheme, including by telling you and the OAIC about any serious data breach. 

While strong safeguards are in place, you should always protect yourself online. An accredited provider will never ask for your personal password to share CDR data.

How is your data deleted or de-identified, and what does this mean for you?

If your data is no longer needed, the provider is generally required to delete or de-identify it. You can refer to your provider’s CDR policy to understand how they delete or de-identify data. 

If your data is not needed, you can ask your provider to delete it, via your online dashboard. Alternatively, you can notify your provider in writing that you want them to delete your data.

If your data is de-identified, it means that providers have followed a stringent de-identification process to ensure that the data cannot be traced back to you. Once your data has been de-identified, the provider can use it for other purposes, including selling it to a third party (i.e. a market research organisation).

If the provider wants to de-identify some of your data while it is still being used to provide you with a good or service, they will need to seek your consent first. For example, a provider may ask for your consent to sell de-identified data to a third party, to provide you with a service free of charge.