26 September 2019

Our reference: D2019/010634

Structural Reform Division
The Treasury
Langton Crescent
Parkes ACT 2600

By email: data@treasury.gov.au

Consumer Data Right – Priority Energy Datasets Consultation

The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to comment on the Consumer Data Right (CDR) - Priority Energy Datasets consultation paper.

The OAIC is Australia’s independent regulator for privacy and freedom of information. The OAIC regulates and advises on the privacy aspects of the CDR scheme in conjunction with the Australian Competition and Consumer Commission (ACCC), the agency regulating the broader scheme. Our goal in regulating the privacy aspects of the CDR scheme is to enable the consumer and economic benefits to flow from the data sharing by ensuring the system has a robust data protection and privacy framework and effective oversight.

The CDR will facilitate data being shared, used and built upon in new ways, and this is reflected in the policy intention behind the CDR scheme. However, the protection of personal information needs to be a central consideration in order to maximise the potential of the digital economy. The OAIC supports an ongoing focus on ensuring that privacy protection is central to the expansion of the CDR to the energy sector. We are pleased to see this reflected in the stated goal for the ACCC’s energy rules ‘to ensure that the privacy of consumers’ data is protected and that CDR participants are held accountable’.[1]

The data flows within the energy sector are complex. We also note that there is potential for energy-related datasets to be combined to give a rich view of an individual’s personal information, especially when considering the potential for cross-sector transfers between the energy and banking sectors. These two factors create increased risks to personal information, which require sophisticated and robust privacy mitigation strategies and management practices.

Given these factors, the OAIC recommends that Treasury undertake a Privacy Impact Assessment (PIA) before designating the particular datasets for the energy sector. A PIA is a systematic assessment of a project to identify the impact it might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact.

An important part of the designation process is ensuring the benefits of using CDR energy data are balanced with privacy considerations. Undertaking a PIA process early will allow the findings to influence the development of the designation instrument and the rules relevant to the energy sector.

The OAIC recommends that the PIA focus on both the privacy risks associated with each potential dataset and the additional privacy impacts associated with combining datasets. This will be particularly important where privacy risks are not immediately obvious, and supports the approach of undertaking a PIA early on in the process.

Further, the OAIC considers that undertaking a PIA process will assist in ensuring that only necessary data sets are included in the energy designation instrument. This approach is in line with the CDR’s data minimisation principle and is privacy enhancing.

To discuss these comments further, please contact Zoe Fitzell, Director, Regulation & Strategy, on [contact details removed].

Yours sincerely,

Angelene Falk

Australian Information Commissioner
Australian Privacy Commissioner

26 September 2019


[1] Priority Energy Datasets consultation paper, p4.