OAIC submission to the CDR Rules Expansion Amendments consultation

Threshold for recommending the good or service of another ADR

The paper outlines on page 25 that transfer of CDR data may occur in two ways: either through the recommendation of the good or service by ADR1 or based on a request from the consumer directly. Further, ADR 1 may only   recommend the good or service of ADR2 if a direct marketing consent is in place and ADR1 reasonably believes that the CDR consumer may benefit from the good or service (Rule 7.5(3)(a)(iv)).

Consultation question 15a seeks views on whether the threshold for recommending a good or service in draft Rule 7.5(3)(a)(iv) is appropriate. In response, the OAIC notes that the threshold provided is a broad one. There are likely to be many goods or services that an ADR ‘reasonably believes’ a CDR consumer may benefit from, notwithstanding that these goods or services may have no or a limited connection to the good or service currently being supplied by the ADR to the consumer. This raises the risk that a consumer may be ‘spammed’ with unwanted recommendations. Further, in the banking context, there is a risk that products could be recommended for a consumer that are inappropriate for their financial situation. Both of these practices could undermine consumer control and therefore trust in the CDR system. We also note that this represents a shift from the more cautious approach taken in the system to direct marketing to date.

In light of these factors, the OAIC recommends the ACCC amend draft Rule 7.5(3)(a)(iv) to include additional consumer protections, for example:

• requiring that promoted goods or services have a nexus with the existing good or service being provided or requested, and
• a prohibition on promoting or recommending goods or services, if the ADR considers they are likely to be inappropriate for the consumer.[37]

We note that other direct marketing protections would continue to apply, for example the consumer’s ability to withdraw their direct marketing consents. [38]

Transparency of commercial arrangements

Section 4.2 of the paper provides that the transfer of CDR data between ADRs is likely to be facilitated through commercial arrangements. Consultation question 15b asks for views on whether these commercial arrangements between ADRs should be made more transparent. In response, the OAIC would recommend that information about commercial arrangements, and how CDR data is transferred, be described in the entity’s CDR policy as a requirement under Rule 7.2. This enhances transparency for consumers – for example, by making them aware that ADR1 will receive payments if a consumer accepts their recommendation to access a good or service provided by ADR2.

Disclosures to non-accredited third parties

Disclosure to trusted advisors

The draft Rules allow the disclosure of CDR data by an ADR to a ‘trusted advisor’ with the consumer’s consent. This will allow consumers to share their CDR data with their professional advisor so they can receive professional services. The OAIC is broadly supportive of the draft Rules in relation to disclosures to non-accredited third party ‘trusted advisors’. In particular, we welcome the proposal to narrowly prescribe the types of trusted advisors in the draft Rules, as well as the underlying principles that trusted advisors will only be prescribed where the service they offer will provide a direct benefit to the relevant consumer, and where they are subject to existing professional or regulatory oversight.

While the OAIC generally supports these arrangements, we consider that CDR data provided to trusted advisors outside the CDR system should still be subject to a baseline level of protection, being the protections in the Privacy Act. This would ensure that consumers who wish to provide their CDR data to a trusted advisor would still have their data protected, in particular under the data breach notification scheme, and have access to redress mechanisms, monitoring and oversight by the OAIC.

One way to achieve this would be for the draft Rules to prohibit an ADR from disclosing CDR data to trusted advisors that are not subject to the Privacy Act. Where a trusted advisor wishes to be able to receive CDR data, but is not otherwise covered by the Privacy Act, they may consider ‘opting in’ to the Privacy Act.[39] Alternatively, a regulation could be made to apply the Privacy Act to trusted advisors that are small business operators, in relation to the handling of CDR data disclosed to them in their trusted advisor capacity.[40]

Further, as the privacy framework that would apply to such disclosures would differ to the CDR framework, consumers should be clearly notified that the CDR privacy protections will not apply at the time of consent. Consideration should be given to how the Rules may provide for further specificity about how this information could be presented to the consumer, so that they are clearly informed of the potential consequences of a disclosure outside the system.

In relation to the draft rule which authorises the ACCC to approve further classes of trusted advisors,[41] the OAIC considers it would be appropriate for this Rule to set out the relevant factors that must be taken into consideration when prescribing additional types of trusted advisors in the future. This could cover the policy factors outlined in the paper (i.e. evidence of consumer benefit, whether the advisor is subject to professional obligations, etc).

In terms of the format and method for disclosure of CDR data to a trusted advisor, it appears that the proposed rules do not intend to limit how the CDR data can be transferred (for example, through a standard). While OAIC appreciates that it may not be practical to limit the format and method, we consider it is important that CDR data be transferred to trusted advisors via an appropriately secure method. The OAIC recommends that the ACCC consider whether the Rules should provide guidance about secure options, for example minimum security requirements, for transfer of CDR data to trusted advisors.

Disclosure of CDR insights

The proposed Rules introduce the concept of a CDR insight,[42] and would permit ADRs to disclose an ‘insight’ derived from CDR data to any person outside the CDR system, provided they have the consumer’s consent. An ‘insight’ is information derived from a consumer’s CDR data. The insight would be provided together with an identifier for the relevant consumer, making it consumer data (however, in the absence of this identifier, this data would otherwise be considered de-identified data).[43]

The proposal aims to facilitate the provision of a broader range of services by an ADR to consumers and third parties, such as assisting entities to undertake inquiries and verification steps (including income and expense verification, verification of payments, or outcomes of responsible lending assessments).[44] It is also intended to make it easier for consumers to provide their CDR information to third parties of their choice.

Interaction with the credit reporting provisions in Part IIIA of the Privacy Act

We note that the CDR insight rule amendments have a similar policy objective and regulate the same (or similar) types of information as the credit reporting provisions under Part IIIA of the Privacy Act. Both these schemes aim to provide entities with sufficient information to assist them to verify banking-related information and assess risk about an individual, in relation to the provision of credit and/or access to goods or services.

Part IIIA seeks to achieve a balance between access to information for entities (that have a legitimate need to verify a consumer’s financial position) and ensuring that appropriate consumer protections are in place in relation to the handling of credit information, recognising the significant impact that decisions relating to an individual’s creditworthiness can have on their lives.[45] It does this by:

• prescribing the types of information that can flow between credit providers and credit reporting bodies for use in assessing an individual’s creditworthiness (and compiling their credit reports)[46]
• limiting the types of bodies which can access this information,[47] and
• limiting which types of credit information certain credit providers (and others) can access. For example, real estate agents and landlords are currently prohibited from accessing an individual’s credit report,[48] and telecommunications and utility providers are prohibited from accessing repayment history information under Part IIIA.[49]

The interaction between the CDR and Part IIIA is addressed in section 56EC(3) of the Competition and Consumer Act 2010 (Competition and Consumer Act), which states that ‘[s]ubject to the regulations, this Division does not limit Part IIIA (about credit reporting) of the Privacy Act 1988’.[50] This means that the Rules cannot permit credit providers and credit reporting bodies to collect, use or disclose CDR data for credit reporting purposes (except in ways where they are already permitted to use that same information under Part IIIA).

While s 56EC(3) makes clear that the operation of Part IIIA is not to be directly affected by the CDR, the proposed model for permitting disclosures of CDR insights appears to be inconsistent with the policy objectives of Part IIIA, by creating avenues to share similar types of information beyond what is currently prescribed and limited under that framework. For example, the draft Rules would allow entities prohibited from obtaining credit information or an individual’s credit report (such as landlords and real estate agents), to obtain access to a CDR insight (derived from the same types of information used to compile credit reports) for their own commercial, non-credit related purposes. More broadly, it would allow insights from more granular information that cannot be collected, shared or used under Part IIIA (such as insights derived from transaction information)[51] to be shared outside the Part IIIA framework.

On a related note, the proposed rule may also create uncertainty and confusion for entities about the interaction between Part IIIA and the CDR scheme. For example, an ADR deriving insights from CDR data (which may relate to an individual’s creditworthiness), may inadvertently breach the credit reporting laws by disclosing this information if they fall into the definition of credit reporting body under Part IIIA (and are unaware of this fact, believing they are operating under the CDR system).

If the ACCC determines that it is appropriate to make these proposed rules, in our view the interaction with Part IIIA should be more fully considered. However, given the matters outlined above, and further given the significant impacts this proposal could have on an individual’s right to privacy (see comments on that issue below), it may be more appropriate for this policy change to be considered by Parliament.

Appropriate limitations to protect vulnerable consumers

As recognised in the PIA on the draft Rules, the types of CDR insights discussed the paper,[52] such as the ability to afford essential goods and services (like rental accommodation, or the ability to repay credit), are likely to be more privacy invasive than the sharing of raw CDR data alone. Sharing a CDR insight would also likely provide similar (or more invasive) insights when compared with an individual’s credit report. The concept of a CDR insight is similar to a credit report, as both use personal and financial information to generate a ‘score’ (or insight) that comments on the level of risk posed by a consumer to a provider.

In the absence of more specific limitations, we would be concerned that entities could require consumers to provide access to CDR insights generated about them as a pre-condition to being offered a product or service. While consumers would need to consent to this, we would be concerned about an individual’s capacity to provide free and fully informed consent for such a disclosure, particularly where the good or service is essential.

The OAIC would therefore recommend:

• amending the Rules to prohibit the disclosure of CDR insights for certain prohibited purposes. Prohibited purposes could include assessing an individual’s application for an essential good or service (such as housing, healthcare, or utilities), or any employment-related purposes.
• prescribing the types of entities that can (or cannot) collect and use CDR insights derived from CDR data.
• that CDR insights not be disclosed to entities that are not covered by the Privacy Act, and
• that the ACCC consider whether additional consent and notification requirements may be required in relation to the disclosure of CDR insights.

The proposed trusted advisor arrangements may provide a useful model in relation to the above matters.

Additional matters in relation to the disclosure of CDR insights

We also note that draft Rule 7.5(aa)(ii), which permits the ADR to use CDR data for the purposes of ‘the creation of an insight’, is very broad, and may be inconsistent with existing Rule 4.12 which prohibits the aggregation of CDR data for the purposes of identifying, compiling insights into, or building a profile in relation to a person other than the consumer themselves. For an abundance of clarity, we recommend that7.5(aa)(ii) be amended to provide that the relevant insight must be in relation to the consumer only.

In relation to the definition of CDR insight in Rule 1.7(1)(c), we note the wording may require clarification, as Rule 1.17 sets out a process to be followed, rather than offering a definition of de-identified data. The OAIC recommends amending this sub-paragraph to read ‘without that identifier, could be considered to be ‘de-identified’ as though it had undergone the processes set out in Rule 1.17’, or similar.

Finally, as outlined in the paper,[53] the ACCC is seeking views on how an ‘insight’ derived from CDR data may be provided to a nominated person in a secure and safe way. Given the sensitive nature of a CDR insight, the OAIC would strongly support the ACCC developing Rules that will ensure transfer of a CDR insight occurs via a secure mechanism, and having regard to stakeholder feedback on the best way to do this.

Extending the CDR to non-individual consumers

Under the existing Rules, only individual consumers can authorise data sharing in the CDR system. Section 6 of the paper sets out proposed rules which would allow non-individual consumers (such as business partnerships and limited companies) to participate in the CDR.[54] The proposed Rules will require data holders to allow non-individual consumers to appoint ‘nominated persons’, who can share and manage CDR data on their behalf. From an information access perspective, the OAIC is supportive of the extension of the CDR to non-individual consumers in this way.

The OAIC also supports the requirement that the nominated person would need to be authenticated using the credentials held on the data holder’s system. As the CDR expands to include non-individual consumers, the high degree of security afforded by the existing consumer authentication processes should not be diluted.

Consultation question 21 seeks views on proposed Rules 1.13 (c) and (d), which require data holders to provide a single dashboard to manage authorisations to disclose CDR data. In response, the OAIC supports having a single dashboard which can be used by all nominated representatives. We understand that this will allow for the continuity of authorisations given on behalf of the consumer, regardless of the involvement of a particular nominated representative (who may leave the business, for example).[55]

Consultation question 25 seeks views on whether the internal dispute resolution (IDR) requirements are appropriate for business consumers. The OAIC is of the view that existing IDR arrangements are appropriate for business consumers in relation to CDR (noting they were designed with both individual and business complaints in mind).

Business partnerships

Section 6.2 of the paper sets out the policy intention to treat business partnerships consistently with the approach the ACCC is proposing for non-individual consumers, as discussed above. The OAIC notes that business partnerships differ from other non-individual consumers (such as corporations), as they are not considered distinct legal entities; rather they may be comprised of one or more individual (or non-individual) consumers.

As partnerships may be comprised of individuals, CDR data sharing may therefore involve the disclosure of personal information relating to the individuals in the partnership (i.e. where individual partners are account holders). Consultation question 24 seeks views on whether additional protections should be introduced where business partners are individuals, as personally identifiable information may be shared in customer data relating to the partnership with other third parties.

By way of general comment, we note that any CDR data relating to the partnership would be subject to the usual Privacy Safeguards and the stringent privacy protections within the CDR scheme. Stakeholders may have more specific views on whether additional privacy protections are required, however we note that the proposed system (which would require appointment of a nominated person to engage in data sharing on behalf of a partnership entity) would appear to provide for appropriate choice, transparency and control in the business context.

Secondary users

In the CDR system, only ‘eligible’ consumers can make consumer data requests for the transfer of their CDR data. In the banking sector, ‘eligible’ consumers are currently defined as individuals who are 18 years or over and have an open (and online) account with the data holder.[56]

The paper notes that the proposed Rules would broaden the meaning of eligible consumer by allowing non-account holders to share data relating to the account. These users are known as ‘secondary users’. Secondary users are those that have account privileges in relation to an account (i.e. secondary cardholders) and would need to be approved by the account holder through a secondary user instruction in order to share CDR data. The draft Rules propose that for the banking sector, an individual with account privileges must be 18 years of age or older and also have the authority to make transactions on the account.

In response to consultation question 26, the OAIC supports extending the CDR to secondary users in the ways outlined in the paper and above.

Scope of account privileges

Consultation question 27 seeks views on whether any other persons should be considered as individuals with account privileges, and therefore be able to qualify as ‘secondary users’.

In response, the OAIC supports the proposed definition of ‘account privileges’ outlined above and think this is an appropriate initial threshold for authorising secondary users. Any future expansions to these arrangements could be considered in light of evidence gathered from stakeholders on the operation of the system, and any benefits for consumers in doing so.

Secondary users on joint accounts

Consultation question 28 seeks views on how the secondary user rules should operate in a joint account context. The OAIC is broadly supportive of the proposal to allow joint account holders to approve secondary users to share CDR data in relation to joint accounts.

Clause 2.1(2)(c) of Part 2, Schedule 3 of the consultation draft of the Rules provides that to qualify as a secondary user in relation to a joint account,  a ‘pre-approval disclosure option’ (which means the approval of just one of the joint account holders is sufficient to authorise CDR data sharing) must be in place for that joint account. However, we consider that a secondary user should be able to be approved to share CDR data in relation to a joint account, regardless of the disclosure option chosen by the account holders. The OAIC therefore recommends that cl 2.1(2)(c) of Schedule 3, Part 2 be amended to include joint accounts that have both pre-approval and co-approval arrangements in place.

The OAIC further recommends that the processes for providing a secondary user instruction be made consistent with the disclosure option selected on the joint account. For example, if a co-approval disclosure option is in place, the OAIC considers that both joint account holders should be required to give the secondary user instruction. Similarly, if a pre-approval disclosure option is in place, it would be appropriate for one of the joint account holders to give the secondary user instruction on the other’s behalf.

Joint accounts

The existing Rules allow CDR data to be shared from joint accounts. Joint account holders can elect to allow data sharing on their behalf by the other account holder, or require that decisions be made jointly.[57] As outlined in the paper,[58] the proposed Rules seek to enhance consumer control in the context of joint accounts and reduce ‘negative friction’ in consumer processes.

By way of overall comment, the OAIC supports the proposed amendments to the Rules for joint accounts. In particular, the OAIC supports the general aim of providing the ‘non-requesting’ joint account holder (‘joint account holder B’) with more transparency and control in relation to the sharing of their joint CDR data by the other joint account holder (‘joint account holder A’).

Vulnerable consumers

The proposed Rules also provide for the expansion of existing protections for vulnerable consumers, by allowing a data holder to take the following steps, if they consider this is necessary to prevent physical or financial harm or abuse:

• enable vulnerable consumers to share CDR data on a joint account, as if the account was held in their name alone,[59] and
• refuse to provide a consumer dashboard to the non-requesting joint account holder.[60]

The OAIC appreciates the need to balance the protection of a vulnerable consumer with another consumer’s right to privacy (for example, receiving notifications in relation to how their data is handled). The OAIC notes that the Privacy Act framework recognises that the right to privacy is not absolute, and must give way, for example where the entity ‘reasonably believes that the collection, use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety’ (Item 1 of the Table, s 16A(1)).

The OAIC therefore supports these draft Rule amendments. However, we would recommend that the ACCC consider whether the wording outlined above from section 16A could be adopted in these Rules (and potentially at other points in the Rules, where the same formulation is used). The OAIC considers that the Privacy Act formulation may be preferable, as it requires the entity to have a ‘reasonable belief’ as to the necessity of the action to be taken. Further, as most data holders will be APP entities, this would have the additional benefit of increasing consistency and leveraging a data holder’s existing frameworks for compliance with their Privacy Act obligations.

Responses to specific consultation questions

Question 30a

The OAIC supports the proposed approach to require data holders to allow consumers to set their preferences (i.e. a disclosure option) as part of the authorisation process. This will provide useful context for the consumer and make the decision-making process more meaningful.

Question 30b

The OAIC strongly supports the proposed approach of allowing ‘joint account holder B’ to withdraw an approval at any time. This will ensure both joint account holders, regardless of who provides the authorisation, are able to stop CDR data sharing on a joint account.

Question 30c

The approach to joint accounts held by more than two individuals is proposed to be substantially the same as the proposed approach for joint accounts held by two individuals.[61] The OAIC supports the adoption of a similar approach to all joint accounts, as this will ensure regulatory consistency and enhance the ability of regulated entities to comply with their joint account obligations.

Question 30e

The proposed Rules are silent on whether a data holder must display a consumer’s history of ‘disclosure option selections’ as part of the joint account management service or consumer dashboard.[62] The OAIC recommends that data holders be required to show the history of disclosure option selections on the joint account management service and consumer dashboard. This will lead to greater transparency and will also assist consumers to exercise appropriate control over their data sharing arrangements in the CDR system.

Question 31

Under the proposed Rules, joint account holder B will not have oversight of any additional disclosures that occur after the initial disclosure from the data holder to the first ADR.[63] (For example, where a joint account holder consents to the ADR on-disclosing the joint account CDR data to a third party such as another ADR or trusted advisor.) The OAIC notes that if the proposed Rules regarding CAP arrangements, ADR to ADR transfers, trusted advisors and disclosure of insights are made as drafted, a large number of additional third parties may enter the CDR system with the result that CDR data is more likely to be further on-disclosed after the initial disclosure.

In light of this, the OAIC recommends that a data holder be required to notify joint account holder B that their joint account CDR data could be further on-disclosed to other third parties, such as another ADR or trusted advisor, in accordance with joint account holder A’s consent. This could occur, for example, when the data holder asks joint account holder B to indicate what disclosure option they prefer under clause 4.7(2) of Schedule 3 to the Rules. This will ensure joint account holder B is given some visibility over the possibility of further disclosures, and has the opportunity to refuse to allow CDR data to be shared from the joint account if they are not comfortable with the possibility of further disclosures.

Amending consents

Under the existing Rules, if a consumer wishes to amend their consent with an ADR they must first withdraw this existing consent and then provide a new consent to the ADR. The paper explains that the draft Rules aim to allow a consumer to have more control over various aspects of consent,  including by allowing them to add or amend uses, data types, accounts, or data holders, and changing the duration for which their data is held.[64] Any amendments to consent would have to be sought in accordance with the existing consent requirements in Division 4.3.2 of the Rules, unless otherwise provided for in the Rules.[65]

The OAIC generally supports a requirement that amendments to consent be sought in broadly the same manner as original consent. This would mean requiring the consumer to undergo the ‘full’ consent and authorisation ‘flow’ to amend any aspect of their consent. At the same time, the OAIC appreciates there may be a need to simplify certain aspects of the consent and authorisation flow, to avoid the risk of information overload and enhance the consumer experience. In doing so, the OAIC notes that it is important to ensure any simplification does not impact on a consumer’s ability to give consent which is voluntary, express, informed, and specific.[66] The OAIC generally considers an appropriate balance has been struck in the draft Rules.

Processes for amending consent and authorisation

In light of the above general comments, and in response to consultation question 34, the OAIC considers that the authorisation requirements in Division 4.4 of the existing Rules are fit-for-purpose, and should all be required for the seeking of amendments to authorisation.

In response to consultation question 33, the OAIC recommends that consumers be given the option to amend each category of consent given to an ADR (i.e. not just collection consents and use consents, but disclosure consents as well, including direct marketing consents and research consents). This will ensure consumers can exercise choice and control in relation to all aspects of the handling of their CDR data.

Consistent CX

The paper notes that the draft Rules do not take a prescriptive approach, rather they simply authorise ADRs to allow consumers to make amendments to consent. This means ADRs will be able to determine the best approach for their particular good or service.

The OAIC appreciates the need to provide entities with sufficient flexibility to tailor their processes to suit the particular good/service, and the aspect(s) of consent being amended. However, the OAIC considers it will be important to ensure there is not too much divergence within the CDR system, to ensure a broadly consistent consumer experience across ADRs. The OAIC therefore recommends the ACCC work closely with Data61 to ensure the CX standards and guidelines allow for a consistent consumer experience for amending consent, to the extent practicable.

Informing consumers of their ability to amend consent

The existing Rules require an ADR to provide a consumer with the information listed in Rule 4.11(3) when seeking consent, including information about their ability to withdraw consent. Further, under existing Rule 4.18, an ADR must issue a CDR receipt to the consumer setting out certain matters, including the information provided when seeking consent under Rule 4.11.

The OAIC notes that Rule 4.11(3) does not require an ADR to provide a consumer with information about their ability to amend consent (and that as a result, the CDR receipt would not contain this information either). To ensure that a consumer is informed about the full range of rights they have in relation to their consent, the OAIC recommends Rule 4.11(3) be amended to require ADRs to present consumers with information about their ability to amend consent (during the consent flow) and instructions for doing so.

Amending consent via the consumer dashboard

The paper notes that there may be some use cases where an ADR would not be able to offer the consumer the option to amend all aspects of the consent. (For example, because the ADR offers a limited service and would not be able to offer the service without the original set of data.) Nevertheless, the ACCC’s preference is for ADRs to be required to offer consumers the ability to amend their consent to the extent possible.[67]

As a general comment, and in response to consultation question 32, the OAIC strongly supports the proposal to allow consumers to amend particular aspects of their consent through the ADR’s consumer dashboard. This will increase consumer choice, transparency and control, by giving them a mechanism to instigate the amendment process. The OAIC considers the consumer dashboard to be an appropriate place from which to offer this functionality, as it provides important context (for the consumer’s decision) as to whether and how to amend their consent.

The OAIC appreciates that ADRs may not always be able to offer consumers the ability to amend all aspects of the original consent. To enhance transparency for consumers, the OAIC recommends that ADRs be required to explain to consumers which aspects of their consent may not be able to be amended, and the reasons for this. This could be done, for example, via the dashboard amending consent functionality.

Adding accounts

The paper notes that the proposed ADR process to allow consumers to add or remove an account will necessarily require re-direction to the data holder.[68] The paper further notes that this could occur through existing ‘oAuth’ endpoints, and that the Data Standards Chair may amend existing data standards or create new data standards to enable technical amendments to consent in future.

From a security perspective, the OAIC strongly supports the requirement for ADRs to re-direct consumers to the data holder’s (authorisation) processes in order to add an account. However, it is unclear from the paper as to how this will occur, and whether there are existing data standards to support this. Noting that Rule 4.22 requires a data holder to seek a consumer’s authorisation in accordance with the data standards, it appears a new or amended data standard will be required to achieve the intended outcome. The OAIC therefore recommends the ACCC work with the Data Standards Chair to ensure there are appropriate data standards to give effect to this proposal.

Separate consents

The paper outlines proposed changes to the Rules that will enable separate consents to be obtained, in relation to (1) the collection and (2) the use of CDR data. This is different to the approach taken in the existing Rules, in which a single consent is obtained covering both the collection and use of data. The paper notes that re-framing the Rules in this manner will create more flexibility for ADRs, and enable more granular consent options.[69]

The OAIC notes that the draft Rules also propose to introduce four kinds of ‘disclosure consents’.[70] The draft Rules further divide these (and collection and use consents) into ‘categories’ of consents.[71] Rule 4.11(1)(c) requires an ADR to ask for the consumer’s express consent for particular matters in relation to each category of consent. As a result, we note that navigating the consent flow will become more complex for consumers and regulated entities.

Need for effective CX standards and guidance to reduce complexity of the consent flow

By way of general comment, and in response to consultation question 35, the OAIC supports the increased consumer control that the separate consents approach will provide. However, we consider that there is a risk of consumer confusion resulting from the additional complexity of the consent flow, which needs to be appropriately mitigated. The OAIC therefore recommends that clear and effective consumer experience (CX) standards and guidelines are developed to support an ADR’s processes for seeking and amending separate consents, and to ensure a simple and straightforward consumer experience. In this regard, the OAIC strongly supports the requirement in Rule 4.10 for an ADR’s consent processes to be in accordance with the CX standards, and to have regard to the CX guidelines.

The OAIC also understands from the paper that the approach in the existing Rules of a combined ‘use and collection consent’ was informed by earlier CX findings.[72] In light of this, the OAIC also recommends that the ACCC work with Data61 to undertake further CX research on the proposed separate consent rules, to test consumer reactions to each aspect of the separate consent approach (i.e. the consent flow, the consumer dashboard, withdrawing consent etc).[73] The OAIC further recommends that the prototypes tested cover all types and categories of consents arising out of the changes proposed in the draft Rules (i.e. not only collection consent and use consent, but also disclosure consent as outlined above).

Regarding consultation question 36, please see the OAIC’s response in ‘Transfer of CDR data between ADRs’[74] above regarding the related question 15.

‘Point in time’ redundancy approach

Under Privacy Safeguard 12, an ADR is required to delete or de-identify redundant CDR data in accordance with the Rules.[75] However, under the existing Rules CDR data may  become redundant at different points in the CDR data life cycle, depending on how a consumer withdraws authorisation, and whether or not the consumer is sharing data from one or multiple data holders. Section 7.4 of the paper notes that the current arrangements may create confusion for consumers, and do not support consistent messaging about how deletion and de-identification works in the CDR system.

For these reasons, the ACCC is proposing a ‘point in time’ redundancy approach in the draft Rules. Such an approach would mean that all CDR data related to the good or service would become redundant at the same point in time, that is, either immediately upon the consumer withdrawing their collection and use consents, or at the end of the usual 12-month period.

The OAIC understands from page 46 of the paper that this ‘point in time’ approach is intended to benefit consumers, by ensuring they do not withdraw a use consent without an informed understanding of the consequences. However, consistent with the separate consents outlined above and in the next section, this will also mean that in order to fully withdraw consent for an ADR to handle their CDR data, a consumer would need to take multiple steps (i.e. withdraw both their collection and use consents).

Risk of consumer confusion

The OAIC appreciates the policy objectives behind the ‘point in time’ approach. However, and in response to consultation questions 37 and 38, the OAIC considers the ‘point in time approach’ may be confusing for consumers. Consumers may not understand the different outcomes that may flow from withdrawing a particular type of consent and how to fully withdraw consent to handle their CDR data, if that is what they are seeking to do.

By way of general comment, and in addition to the specific recommendations outlined below, the OAIC recommends the ACCC work with Data61 to ensure that clear and effective CX standards and/or guidelines are developed to support an ADR’s processes for communicating the ‘point in time’ approach to consumers. This will help to ensure a straightforward consumer experience and ensure that consumers have choice, transparency and control in relation to the handling of their CDR data.

The OAIC further considers there is a need to explore the impact of the ‘point in time’ approach on disclosure consents, as outlined below.

Notifying a consumer that they may withdraw their use consent

Where a consumer withdraws their ‘collection consent’,[76] draft Rule 4.18A requires an ADR to notify the consumer that they may also withdraw their use consent. Withdrawing both the collection and use consents will mean the ADR has to stop all handling of the consumer’s CDR data. This notification must occur in writing outside of the consumer dashboard. In response to consultation question 39, the OAIC strongly supports the notification requirement proposed by Rule 4.18A and the proposed methods of delivery.

The OAIC further recommends that the following additional requirements be included in Rule 4.18A:

• A requirement for ADRs to provide the notification in Rule 4.18A as soon as practicable after the collection consent expires. This will ensure that a consumer is able to fully stop an ADR from handling their CDR data, as soon as possible,[77] and
• A requirement for ADRs to include the following statements in the Rule 4.18A notification:

−            a statement that the consumer’s collection consent has expired, but their use consent continues, and

−            a statement outlining what the implications of withdrawing the use consent will be for the consumer.

Impact on disclosure consents

Under the proposed draft rules, a consumer may provide an ADR with a ‘disclosure consent’ in addition to collection and use consents.[78] The OAIC understands that, among other things, this will  allow an ADR to disclose CDR data to a third party in order to provide the specific good or service that the consumer has requested.

Where a disclosure consent is needed to provide the relevant good or service requested, the OAIC understands that the consumer would need to withdraw all three types of consents (collection, use and disclosure) in order to fully stop the ADR from handling their CDR data. CDR data would therefore only become ‘redundant’ and be required to be deleted or de-identified under Privacy Safeguard 12, once all three consents have been withdrawn (or otherwise expired).

In light of the above, the OAIC makes the following recommendations.

Using CDR data for research

The draft Rules would permit an ADR to use CDR data for general research in accordance with the consumer’s consent.[79] The OAIC acknowledges that allowing ADRs to use CDR data for research activities may fulfil many of the policy objectives behind the CDR, including increasing competition, driving innovation, and allowing entities to more easily comply with their regulatory obligations.

However, it also represents a significant shift in the direction of the CDR, from a system that generally limits the use of CDR data to providing goods or services for the consumer’s benefit, to one where ADRs can use CDR data for their own commercial purposes. It also raises a number of potential privacy risks for individuals, given that CDR data may be subject to data aggregation and other analysis and used to build rich and granular insights about a consumer for the purposes of the research.

Importance of transparency to ensure consent to research is informed

While consumers have the option to consent to the use of their CDR data for research, the data analytics activities that may be used in such research projects can be difficult to explain and understand, which may mean a consumer’s consent to research is not genuinely informed. It will therefore be important that ADRs are transparent with consumers about how their CDR data will be used, and that this is communicated in a way that is easy for them to understand.

Under the draft Rules, if a consumer consents to research the ADR must provide them with a link to the CDR policy which must describe:

• the research to be conducted, and
• any additional benefit that may be offered to the consumer in exchange.[80]

The OAIC is generally supportive of this, however we consider that the broad nature of this information may not be sufficient to ensure that consumers can give voluntary, informed and specific consent.[81]

To ensure consumers are genuinely informed of the consequences of providing consent to research, the OAIC recommends that the ACCC consider whether the Rules should provide greater particularity in terms of ADR transparency about their research, either when seeking consent or in the CDR policy. This could include information about:

• the specific purposes for which the ADR uses such research (for example, to conduct market research on its customers to inform the development of new products)
• the types of CDR data used in research, and
• any potential consequences for the consumer (for example, that their de-identified data from the research may be disclosed and sold).

Appropriately limiting the scope of research activities

The OAIC notes that the draft Rules permit general research, which is defined as ‘research by the ADR that does not relate to the provision of goods or services to any particular CDR Consumer’.[82] In the OAIC’s view, the definition of general research under the draft Rules may be too broad, as it does not place any limits on the purposes that research may be conducted for, to ensure they remain consistent with the policy objectives of the CDR system and retain consumer trust.

To ensure that research activities conducted are appropriated limited in scope, the OAIC recommends that the Rules specifically prescribe the types of research activities permitted. Examples of permitted research activities could include:

• research by an ADR regarding new services or products
• business development, or
• methodologies to enhance regulatory compliance (see further below) or reduce compliance costs.

This would also assist consumers and ADRs to understand the types of research activities that are expected to be conducted under this Rule.

Disclosure of research (and other CDR) information

The paper notes that an ADR would only be able to disclose or sell CDR data if it is de-identified in accordance with the CDR data de-identification process. However, under Privacy Safeguard 6, the OAIC notes that ADRs can also disclose information where required or authorised by law (which does not require consent).[83] Research activity by an ADR may therefore lead to unexpected outcomes for consumers, where the research aims to meet regulatory obligations, and those obligations require or authorise the disclosure of CDR data. For example, if an ADR is conducting research to help it meet its regulatory obligations (such as research regarding compliance methodology for anti-money laundering or responsible lending obligations), and that research reveals that the consumer may have made unlawful transactions on their account, the ADR may be authorised, or even required, to disclose that CDR data.

The OAIC notes that this is an existing risk in the CDR framework that may be amplified by the introduction of the research Rules. The OAIC therefore recommends that the ACCC generally consider how the Rules could be amended to require ADRs to inform consumers about  the relevant laws that may permit a use or disclosure of CDR data, which has not been consented to by the consumer. This could occur when seeking consent and/or within the CDR policy.

Additional benefits offered to consumers to obtain consent

The draft Rules provide that the CDR Policy should outline any ‘additional benefits’ to be provided to a CDR consumer when consenting to the use of their CDR data for research.[84] The OAIC acknowledges that the ability to offer consumers an additional benefit may encourage them to participate in research (for example, by offering the consumer a discount on additional products or services).

However, the OAIC also notes the importance of ensuring that consent is voluntary, express, informed, and specific. [85] The OAIC therefore recommends that the Rules clarify that providing consent for research activities cannot be made a pre-condition for the performance of the good or service (similar to the protection provided for trusted advisor consents).

Further, the OAIC recommends that the ACCC include additional safeguards, to ensure that ADRs do not unfairly penalise consumers who do not consent to research activities (for example, by effectively making the product or services they are seeking more expensive). One way to do this may be to provide that any additional benefits to be provided to consumers in exchange for a research consent, are not directly related to the product or service being provided.

Attachment A – Recommendations

1.     Recommendations related to ‘Restricted accreditation’

1. That the ACCC and OAIC review the existing co-regulatory approach to compliance and enforcement in light of the anticipated increase in CDR participation posed by restricted accreditation, to ensure the approach is appropriately integrated, robust and targeted to identify and mitigate potential risks.
2. That the ACCC evaluate the sensitivity or relative risk of particular data with reference to a broader range of factors, when determining what data sets should be accessible via the limited data model of restricted accreditation.
3. That the limited data model of restricted accreditation initially be applied on a sector-specific basis only.
4. That draft Rules be amended to clarify what form the data enclave must take, and what responsibilities the principal and enclave provider would have in the CAP arrangement (for example, in Rules 5.1B and Schedule 2).
5. That draft Rule 5.1B(2)(ii) be amended to require that a principal may only ‘handle’ CDR data through an enclave provider, and within a data enclave.
6. That the draft Rules be amended to require enclave providers to expand the scope of their information security assurance reports, to include processes specific to the management of data enclaves (for example, in clause 2.1 of Schedule 1).
7. That the ACCC further consider what information security provisions in Schedule 2 to the Rules should apply to a principal, having regard to the data handling activities of a principal in the proposed data enclave model.
8. That the draft Rules be amended to specify the minimum steps which must be taken (and the arrangements that must be put in place) by sponsors in relation to their affiliates, for the purposes of Rule 5.1D(6) and clause 2.2(7) of Schedule 2 to the Rules.
9. That all of the information security requirements in Schedule 2 to the Rules should apply to affiliates, regardless of the specific arrangement in place between an affiliate and their sponsor.
10. That draft Rule 1.10B be amended to prescribe minimum requirements that should form part of all CAP arrangements.

2.     Recommendations related to ‘Expanding how ADRs can work together’

1. That the draft Rules be amended to expressly require a party to a CAP arrangement to notify the other party of the withdrawal or expiry of a consumer’s consent/authorisation. This could be done in draft Rule 1.10B, as per Recommendation 2(a).
2. That draft Rule 1.10B be amended to specify that the obligations in Rules 4.18–4.20 need only be discharged by the provider.
3. That draft Rule 1.14 be amended to specify that the obligations relating to the consumer dashboard need only be discharged by the provider.
4. That the ACCC consider whether there may be other obligations that should be discharged by only one of the ADRs (rather than both).
5. That the processes for seeking consent in the Rules continue to be supported by robust consumer experience standards and guidelines, such that consumers can easily understand the differences between consents to collect and use, and consent to disclose.
6. That draft Rule 7.5(3)(a)(iv) be amended to include additional privacy protections for consumers, such as requiring promoted goods or services to have a nexus with the existing good or service, and a prohibition on promoting or recommending goods or services where the ADR considers they are likely to be inappropriate for the consumer.
7. That Rule 7.2 be amended to require ADRs to include information about relevant commercial arrangements (those that facilitate ADR to ADR transfers) in their CDR policy.
8. That the draft Rules be amended to ensure CDR data may only be provided to a trusted advisor outside the CDR system where that trusted advisor is subject to the Privacy Act.

3.     Recommendations related to ‘Disclosures to non-accredited third parties’

1. That draft Rule 1.10C(2)(h) be amended to set out the relevant factors that should be taken into consideration when prescribing additional types of trusted advisors in the future.
2. That the draft Rules be amended to ensure consumers are clearly informed that the CDR privacy protections will not apply to disclosures to trusted advisors.
3. That the ACCC consider whether the Rules should provide for a secure method of data transfer between ADRs and trusted advisors.
4. That the ACCC and relevant agencies consider the impact of the draft CDR insights Rules on the policy objectives of the Part IIIA framework, and determine whether the CDR Rules framework is the appropriate vehicle to introduce such a policy change.
5. That the draft Rules relating to CDR insights be amended to describe purposes for which insights data cannot be disclosed.
6. That the draft Rules relating to CDR insights be amended to prescribe the entities that can (or cannot) receive and handle CDR insights.
7. That the draft Rules prohibit the disclosure of CDR insights to entities that are not covered by the Privacy Act.
8. That the ACCC consider whether additional consumer consent and notification requirements are required in relation to CDR insight disclosures.
9. That draft Rule 7.5(aa)(ii) be amended to provide that the relevant insight must be in relation to the consumer only.
10. That draft Rule 1.7(1)(c) be amended so that it is consistent with the wording of the de-identification rule in 1.17.
11. That the draft Rules be amended to require disclosures of CDR insights to occur only via a secure mechanism.
12. That cl 2.1(2)(c) of Schedule 3, Part 2 be amended to include joint accounts that have both pre-approval and co-approval arrangements in place.

4.     Recommendations related to ‘Secondary users’

1. That the processes for providing a secondary user instruction be made consistent with the disclosure option selected on the joint account.
2. That the ACCC consider adopting the wording used in s 16A of the Privacy Act at each point in the Rules where the threshold of ‘necessary in order to prevent physical or financial harm or abuse’ (or a similar formulation) is used.

5.     Recommendations related to ‘Joint accounts’

1. That the Rules require data holders to show the history of disclosure option selections on a consumer’s joint account management service and consumer dashboard.
2. That data holders be required to notify joint account holder B that their CDR data could be further on-disclosed to other third parties, such as another ADR or trusted advisor, in accordance with joint account holder A’s consent.
3. That consumers be given the option to amend each category of consent given to an ADR, consistent with the requirements set out in subdivision 4.3.2A of the draft Rules.

6.     Recommendations related to ‘Amending consents’

1. That the ACCC work closely with Data61 to ensure the CX standards and guidelines allow for a consistent consumer experience when amending consents.
2. That draft Rule 4.11(3) be amended to require ADRs to provide consumers with information about their ability to amend consent and instructions for doing so.
3. That ADRs be required to explain to consumers which aspects of their consent may not be able to be amended, and the reasons for this.
4. That the ACCC work with the Data Standards Chair to ensure the data standards are amended, or new data standards are made, to ensure that ADRs are required to re-direct consumers to the data holder’s (authorisation) processes when adding accounts.
5. That clear and effective CX standards and guidelines be developed to support an ADR’s processes for seeking and amending separate consent, and to ensure a simple and straightforward consumer experience.

7.     Recommendations related to ‘Separate consents’

1. That the ACCC work with Data61 to undertake further CX research on the proposed separate consent rules, to test consumer reactions to each aspect of the separate consent approach.
2. That the ACCC work with Data61 to ensure that clear and effective CX standards and/or guidelines are developed to support an ADR’s processes for communicating the ‘point in time’ approach to consumers.

8.     Recommendations related to ‘Point in time redundancy approach’

1. That draft Rule 4.18A be expanded to require ADRs to (1) provide the notice as soon as practicable after the collection consent expires; and (2) include additional statements in the Rule 4.18A notice to explain to the consumer that their use consent will continue (and the implications of withdrawing a use consent).
2. That draft Rule 4.18A be expanded to require the ADR to notify the consumer that they may also withdraw their disclosure consent (and explain the implications of doing so). (In addition to the proposals in Recommendation 8(b).)
3. That the draft Rules clarify that a disclosure consent would automatically expire if both the collection and use consents are withdrawn.
4. That the draft Rules be amended to require ADRs to notify consumers that if they withdraw their disclosure consent, this will not fully stop an ADR from handling their data unless they also withdraw their collection and use consents.
5. That the ACCC consider how the draft Rules permitting research using CDR data could provide for greater transparency, either when seeking consent or in the CDR policy.

9.     Recommendations related to ‘Using CDR data for research’

1. That the draft Rules prescribe permitted purposes for which research may be conducted, to ensure that research practices remain consistent with the overall policy objectives of the CDR and retain consumer trust.
2. That the ACCC consider whether the draft Rules need to be amended, to provide a requirement for ADRs to outline relevant laws that may permit a use or disclosure of CDR data which has not been consented to by the consumer.
3. That the draft Rules permitting the use of CDR data for research be amended to clarify that giving consent to research cannot be made a pre-condition of providing the good or service.
4. That the ACCC amend the research-related Rules to provide additional safeguards, to prevent ADRs from unfairly penalising consumers who do not consent to research.