Consultation on draft updates to the CDR Privacy Safeguard Guidelines

1 September 2022

The Office of the Australian Information Commissioner (OAIC) is seeking your views on draft updates to the Consumer Data Right (CDR) Privacy Safeguard Guidelines. These draft updates reflect changes made to the CDR system by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2021 (Version 3 Rules), Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2021 (Version 4 Rules) and Competition and Consumer Amendment (Consumer Data Right) Regulations 2021 (amending regulations).

Background

In August 2019, the Australian Parliament passed the Treasury Laws Amendment (Consumer Data Right) Act 2019 to insert a new Part IVD into the Competition and Consumer Act 2010 (Competition and Consumer Act) to enact the Consumer Data Right (CDR).

The CDR aims to provide greater choice and control for Australians over how their data is used and disclosed. It will allow consumers to access particular data in a usable form and to direct a business to securely transfer that data to an accredited data recipient.

The security and integrity of the CDR regime is maintained by 13 privacy safeguards, contained in the Competition and Consumer Act and supplemented by the Consumer Data Rules. These privacy safeguards set out the privacy rights and obligations for users of the scheme, including the requirement for informed consent to collect, disclose, hold or use CDR data.

The Version 3 Rules were made in September 2021 and introduced:

  • the CDR representative model of participation
  • the sponsorship model of participation
  • disclosures to trusted advisers
  • disclosures of CDR insights
  • changes to the rules applying to CDR outsourcing arrangements
  • changes to authorisation in relation to joint accounts.

The Version 4 Rules and amending regulations were made in November 2021. The Version 4 Rules implement CDR in the energy sector by establishing a new data access model for certain CDR data (‘shared responsibility data’) and making energy sector specific CDR rules. The amending regulations also facilitate implementation of the CDR in the energy sector.

Under s 56EQ(1)(a) of the Competition and Consumer Act, the Australian Information Commissioner (Information Commissioner) has the power to make ‘guidelines for the avoidance of acts or practices that may breach the privacy safeguards’.

The CDR Privacy Safeguard Guidelines were first made by the Information Commissioner in February 2020. They outline how the Information Commissioner will interpret and apply the privacy safeguards when exercising functions and powers relating to the privacy safeguards. The Privacy Safeguard Guidelines are updated from time to time, including to take account of changes in the Competition and Consumer Act, Competition and Consumer (Consumer Data Right) Rules 2020 or other legislation, and relevant regulatory decisions. The Privacy Safeguard Guidelines were updated in July 2020 and again in June 2021. You can find out more about version changes to Privacy Safeguard Guidelines here.

Purpose of consultation

The purpose of this consultation is to seek your views on draft updates to the Privacy Safeguard Guidelines to reflect the Version 3 Rules, Version 4 Rules and amending regulations. In this consultation, we are also consulting on some minor miscellaneous draft changes that we propose making for clarity and completeness.

The draft changes that are the subject of this consultation are marked in each chapter of the Privacy Safeguard Guidelines consultation version, which is available here.

These draft updates to the Guidelines set out the OAIC’s current understanding and interpretation of the privacy safeguards and the relevant Consumer Data Rules and Regulations.

Although the guidelines are primarily aimed at data holders and accredited persons in the CDR system, the OAIC welcomes comments by other interested stakeholders and members of the community.

How to make comments

Submissions can be made by:

Email

consultation@oaic.gov.au

Post

GPO Box 5218 Sydney NSW 2001

The closing date for comments is Friday 7 October.

We intend to make all submissions publicly available. Please indicate when making your submission if it contains confidential information you don’t want made public and why it should not be published. Requests for access to confidential comments will be determined in accordance with the Freedom of Information Act 1982 (FOI Act).

Although you may lodge submissions electronically or by post, electronic lodgement is preferred. To help us meet our accessibility obligations, we would appreciate you providing your submission in a web accessible format or, alternatively, in a format that will allow us to easily convert it to HTML code — for example Rich Text Format (.rtf) or Microsoft Word (.doc or .docx) format.

Consultation questions

To assist you in preparing comments for this consultation, the OAIC has prepared the questions below which are intended to stimulate comments and reflections on the draft updates to the Guidelines.

They are not intended to limit the issues that may be raised. You may wish to respond to some or all questions, or to raise other issues within the scope of the consultation.

  • Are the marked updates to the Privacy Safeguard Guidelines clear, relevant and practical?
  • Do the marked updates meet the needs of entities in understanding their obligations introduced by the Version 3 Rules, Version 4 Rules and amending regulations?
  • Are there any topics that are raised by the Version 3 Rules, Version 4 Rules or amending regulations that you believe the draft guidelines should cover that have not been covered, or should be covered in greater detail?
  • Are there any practical examples in relation to CDR in the energy sector that you could share to help illustrate parts of the guide?

Privacy Collection statement

The OAIC will use the personal information it collects in the course of this consultation for the purpose of finalising the updates to the guidelines and our ongoing engagement with you.