Assessment of Consumer Data Right data holders as at February 2021

Key points

  • The OAIC assessed how Consumer Data Right data holders complied with Privacy Safeguard 1. Privacy Safeguard 1 requires CDR entities (including data holders) to have a policy describing how they manage CDR data, and to maintain internal practices, procedures and systems to ensure compliance. It is the bedrock privacy safeguard that underpins compliance with all the other privacy safeguards.
  • We assessed the four major banks (ANZ, CBA, NAB and Westpac), as they were the initial CDR data holders.
  • The OAIC did not identify any areas of high privacy risk.
  • For each bank we identified at least one medium privacy risk. One bank had 4 medium privacy risks, two banks had 3 and one bank had one medium privacy risk.
  • The majority of medium privacy risks related to the way the banks had implemented internal practices, procedures and systems to ensure compliance with their CDR obligations.
  • We recommended what action each bank should take to address the medium privacy risks. All banks accepted the OAIC’s recommendations.
  • The OAIC also suggested what each bank could do to improve their privacy compliance in relation to at least one area of low privacy risk. A total of 6 areas of low risk were identified.
  • The recommendations and suggestions will assist the banks to further embed, review and enhance their privacy practices and to comply with the privacy safeguards.
  • We have used the findings of this assessment to update our Guide to developing a CDR policy and inform future updates to the CDR Privacy Safeguard Guidelines.
  • We have outlined to the banks our expectation that they implement our recommendations, and we will check implementation after six months.

Part 1: Introduction

The Office of the Australian Information Commissioner (OAIC) protects the privacy of individuals by regulating organisations’ compliance with personal information handling obligations. This includes regulating the privacy aspects of the Consumer Data Right (CDR).

The CDR gives consumers greater control over their consumer data. It enables a consumer to direct a data holder to provide their CDR data to an accredited data recipient, in a CDR compliant format.

The OAIC has the power[1] to assess or audit whether CDR entities[2] are maintaining and handling CDR data in accordance with the privacy safeguards and CDR Rules (that relate to privacy or confidentiality).

The OAIC’s first CDR assessment focused on CDR data holders’ compliance with Privacy Safeguard 1. The objective of Privacy Safeguard 1 is to ensure CDR entities handle CDR data in an open and transparent way. Compliance with Privacy Safeguard 1 leads to a flow-on effect where privacy is embedded in handling CDR data, resulting in better overall privacy management, practice and compliance through a ‘privacy-by-design’ approach.

At the time we initiated the assessment process in November 2020, the data holders were Australia’s 4 major banks (Australia and New Zealand Banking Group Limited, Commonwealth Bank of Australia, National Australia Bank and Westpac Banking Corporation). This report refers to them collectively as ‘the banks’.

The assessment consisted of a desktop review of the banks’ CDR policies, as well as related processes, practices and systems. It also included analysing questionnaires that the banks completed about their compliance with Privacy Safeguard 1.

Part 2 of this document explains what Privacy Safeguard 1 and the CDR Rules require data holders to do. It also outlines where the banks have engaged in good privacy practices, as well as identifying areas for improvement.

Part 3 provides more information on the objective, scope and conduct of the assessments, and implementation of the recommendations.

The OAIC has issued guidance to assist CDR participants to comply with Privacy Safeguard 1. This guidance is available at oaic.gov.au/consumer-data-right/cdr-privacy-safeguard-guidelines. It has also issued a Guide to developing a CDR Policy at oaic.gov.au/consumer-data-right/guidance-and-advice/guide-to-developing-a-cdr-policy.

Part 2: Summary of findings

Privacy Safeguard 1 and CDR Rule 7.2 outline the requirements for CDR entities (including data holders) to handle CDR data in an open and transparent way.

All CDR entities must also take steps that are reasonable in the circumstances to implement practices, procedures and systems that will ensure they:

  • comply with their CDR obligations[3]
  • are able to deal with related enquiries and complaints from consumers.

The OAIC rates privacy risks in its assessment reports as high, medium or low risk.

High risks are those that would likely lead to a breach of legislative obligations. The OAIC expects the organisation to act immediately to address these risks.

Medium risks are those that would possibly lead to a breach of legislative obligations, or meet some (but not all) requirements of a specific obligation. Organisations should take steps to address these risks in a timely manner.

Low risks are those where the organisation could improve the way it complies and the OAIC suggests further management attention.

For more information about these privacy risk ratings, refer to Chapter 7 of the OAIC’s Guide to privacy regulatory action.

Policy about managing CDR data

All data holders must have a CDR policy that outlines how they manage CDR data.[4] The CDR policy must be publicly and freely available, including being readily available on each online service where the CDR entity ordinarily deals with CDR consumers.[5] This policy must be up to date and clearly expressed. The document must be distinct from the entity’s other privacy policies.

Privacy Safeguard 1 and the CDR Rules specify information that data holders must have in their CDR policy.[6] CDR policies must contain information about:

  • how consumers can access and correct their CDR data
  • how consumers can complain about a failure of the data holder to comply with the data holder’s obligations, and how the data holder will deal with that complaint
  • whether the data holder accepts requests for voluntary product or consumer data, and whether the data holder charges fees for such requests (and if so, how to find out about those fees).

Areas of good privacy practice

All the banks developed a CDR policy, distinct from their other privacy policies, that outlined how they managed CDR data. The policies generally contained the mandatory information.

Each bank’s CDR policy was available and accessible. The CDR policies were available free of charge. Each bank demonstrated good privacy practice through the steps it took to ensure the complex information required in their CDR policy was expressed clearly. Their CDR policies used language that was accessible to a wide audience with varying levels of literacy.

All banks included a consumer complaint handling process within their CDR policy.

Areas for improvement

Three banks did not provide sufficient detail about their complaints processes. Of the 9 information requirements they needed to address[7], one bank did not fully address 3. Another did not fully address one requirement and the third relied on a link to an external document to address most of the requirements. These were medium privacy risks, as they met some (but not all) requirements of a specific obligation. We recommended the banks update their CDR policies to address every information requirement for their complaints process.

One bank’s CDR policy did not clearly address whether it accepted requests for voluntary product data and voluntary consumer data. This was a medium privacy risk as this information is mandatory.

We also found 3 banks could improve their CDR policies by advising consumers, who are individuals, that they can access their CDR data—that is also personal information—under Australian Privacy Principle (APP) 12 and request to correct their data under APP 13 if Privacy Safeguard 13 does not apply. These were low privacy risks.

Internal policies, practices and systems

CDR entities are required to take reasonable steps to implement practices, procedures and systems to ensure compliance with their CDR obligations and be able to receive enquiries and complaints.[8] They should monitor and review their CDR privacy processes regularly.[9]

Areas of good privacy practice

We found the banks were taking steps to establish and promote a culture that respects privacy and good information handling practices when managing CDR data.

All banks had appointed senior staff responsible for strategic leadership of the CDR regime and officers responsible for day-to-day management of CDR data.

Three banks demonstrated good privacy practice in limiting access to CDR systems and data to staff with an operational requirement to have access.

The banks generally demonstrated good practice by setting practices, procedures and systems to review their CDR policies on a scheduled basis, as well as following legislative and operational changes. They used existing document control frameworks and specific staff were responsible for reviewing their CDR policy.

Areas for improvement

Each of the banks should develop internal practices, procedures and systems that specifically address compliance with privacy safeguards that diverge from, or are additional obligations to, the APPs. This was a medium privacy risk for each bank.

The internal practices, procedures and systems of one bank did not include sufficient detail about the CDR related requests consumers can make to data holders, such as information about correcting CDR data. This was a medium privacy risk.

One bank did not reference the OAIC as co-regulator of the CDR in its internal CDR complaints practices, procedures and systems. As consumers may escalate CDR privacy concerns to the OAIC, this was a medium privacy risk.

One bank did not demonstrate it provided CDR training to all relevant staff members before they handled CDR data. This was also a medium privacy risk.

Two of the banks could add version numbers to their CDR policies to assist with version control and ensuring the documents were current. These were low privacy risks.

Part 3: Context

Objective and scope of the assessment

The objective of the assessments was to examine whether the banks, as data holders, were managing CDR data in an open and transparent way.

Specifically, the OAIC evaluated whether the banks had:

  • a CDR policy, that was separate to any existing privacy policy, and included all the content required of a data holder under Privacy Safeguard 1 and CDR Rule 7.2
  • taken reasonable steps in accordance with Privacy Safeguard 1 to implement practices, procedures and systems that support the effective management of CDR data and ensure compliance with their CDR obligations.[10]

Conduct of the assessment

The banks provided the OAIC with copies of their CDR policies, and any related or relevant documents outlining internal practices, procedures and systems relating to their compliance with the privacy safeguards. They also completed questionnaires that gathered information about their compliance with Privacy Safeguard 1. The banks provided these policies, documents and questionnaire responses on or before 12 February 2021.

We conducted a desktop review of these policies, documents and questionnaire responses against the requirements of Privacy Safeguard 1 and the related CDR Rules. We provided reports to each of the banks, including recommendations to address any privacy risks.

We conducted a risk-based assessment that focused on identifying privacy risks. Our aim was to help entities improve their CDR policies, and related internal practices, procedures and systems.

We conducted ‘point in time’ assessments. Our observations and opinions are only applicable to the time period in which we conducted the assessment.

For more information about privacy risk ratings, refer to the OAIC’s ‘Risk based assessments – privacy risk guidance’ in Appendix A of chapter 7 of the OAIC’s Guide to privacy regulatory action. This is available at oaic.gov.au/about-us/our-regulatory-approach/guide-to-privacy-regulatory-action.

Implementing the recommendations

On finalising the assessment, the OAIC wrote to the banks outlining our expectation that they respond with a plan for implementing our recommendations.

Six months after finalising the report, we will revisit the recommendations with each bank to ensure it has fully implemented the recommendations.

Footnotes

[1] These powers are set out in s 56ER of the Competition and Consumer Act (2010) and Rule 9.6 of the Competition and Consumer (Consumer Data Right) Rules 2020 (CDR Rules).

[2] CDR entities are accredited persons who are or who may become an accredited data recipient of CDR data, data holders and designated gateways. Read more about key CDR concepts in chapter B of the CDR Privacy Safeguard Guidelines.

[3] As set out in Part IVD of the Competition and Consumer Act and the CDR Rules.

[4] This is outlined in Section 56ED(3) of the Competition and Consumer Act and Rule 7.2(2) of the CDR Rules.

[5] This is outlined in Section 56ED(7) and 56ED(8) of the Competition and Consumer Act and Rules 7.2(8) and 7.2(9) of the CDR Rules.

[6] This is outlined in Section 56ED(4) of the Competition and Consumer Act and Rules 7.2(3) and 7.2(6) of the CDR Rules.

[7] This is outlined in Rule 7.2(6) of the CDR Rules.

[8] This is outlined in Section 56ED(2) of the Competition and Consumer Act.

[9] This guidance is outlined in Chapter 1 of the OAIC’s CDR Privacy Safeguard Guidelines and the OAIC’s Guide for developing a CDR policy.

[10] This is outlined in Section 56ED(2) of the Competition and Consumer Act.