Published: 10 Mar 2023

Assessment of Consumer Data Right data holders as at February 2022

Key points

  • The Office of the Australian Information Commissioner (OAIC) assessed whether Consumer Data Right (CDR) accredited persons, who are or may become accredited data recipients of CDR data, were complying with Privacy Safeguard 1.
  • Privacy Safeguard 1 requires CDR entities (including accredited persons) to have a policy describing how they manage CDR data, and to maintain internal practices, procedures and systems to ensure compliance. It is the bedrock privacy safeguard that underpins compliance with all the other privacy safeguards.
  • We assessed the 7 accredited persons active on the CDR register as at 1 November 2021.
  • We examined the accredited persons’ CDR policies against what the policies are required to include. We found 17 instances of non-compliance and 35 instances of partial compliance.
    • The accredited persons’ CDR policies allowed consumers to generally understand how the accredited person would handle their CDR data, and deal with enquiries and complaints.
    • The number of findings made about individual entities ranged from 3 to 10 findings.
  • We examined the steps accredited persons took to implement practices, procedures and systems that will ensure they comply with their CDR obligations. We did not identify any high privacy risks. We found 14 medium privacy risks and 5 low privacy risks.
    • The number of findings made about individual entities ranged from no identified privacy risks to 5 medium or low privacy risks.
  • None of the instances of partial or non-compliance, or privacy risks, were serious enough to warrant further regulatory action at this point. We made recommendations that, if implemented, will adequately address the partial or non-compliance and privacy risks.
  • In general, the accredited persons for which we found more privacy risks, or partial or non-compliance, were not handling CDR data at the time of assessment. We note that:
    • every accredited person – regardless of whether they are handling CDR data – must have a CDR policy in place that meets the requirements of Privacy Safeguard 1 and CDR Rule 7.2
    • even if not handling data, we expect accredited persons to have taken steps to put in place practices, procedures and systems to comply with their CDR obligations. We consider a range of factors, including whether or not the accredited person was handling CDR data, when assessing if those steps are reasonable.
  • We have advised these accredited persons of the OAIC’s expectation that they implement our recommendations, and we will follow up to confirm they have done this in a timely manner.
    • At the time of publication, 5 of the 7 accredited persons had taken steps to implement their recommendations. All accredited persons had accepted the recommendations that were not yet implemented.
  • We have used the findings of this assessment to inform the November 2022 update to the CDR privacy safeguard guidelines.

Part 1: Introduction

The OAIC protects the privacy of individuals by regulating organisations’ compliance with personal information handling obligations. This includes regulating the privacy aspects of the CDR.

The CDR gives consumers greater control over their data. It enables a consumer to direct a data holder to provide their CDR data to an accredited data recipient or a CDR representative, in a CDR compliant format.

The OAIC has the power[1] to assess whether accredited persons,[2] who are or may become accredited data recipients of CDR data, are complying with Privacy Safeguard 1 and the CDR rules that relate to Privacy Safeguard 1.

The targets of this assessment were the 7 CDR accredited persons that were active[3] on the CDR register as at 1 November 2021. These were Adatree Pty Ltd, Commonwealth Bank of Australia (CBA), Envestnet | Yodlee, Frollo Australia Pty Limited, Illion Open Data Solutions Pty Ltd, Intuit Australia Pty Ltd, Intuit Inc and Regional Australia Bank.[4] This report refers to them collectively as accredited persons. As Intuit Australia and Intuit Inc are both accredited persons and effectively operate as a single entity, we considered them as one entity in this assessment. (When we give breakdowns of numbers of accredited persons in this report, the numbers will total 7.)

We examined the accredited persons’ compliance with Privacy Safeguard 1. The objective of Privacy Safeguard 1 is to ensure CDR entities handle CDR data in an open and transparent way. Compliance with Privacy Safeguard 1 has a flow-on effect: entities embed privacy in their data handling, which results in better overall privacy management, practice and compliance through a ‘privacy-by-design’ approach.

The assessment consisted of a desktop review of the entities’ CDR policies, as well as their related processes, practices and systems. It also included analysing questionnaires that the accredited persons completed about their compliance with Privacy Safeguard 1.

Part 2 of this document explains what Privacy Safeguard 1 and the CDR Rules require accredited persons to do. It outlines where the accredited persons have engaged in good privacy practices, and identifies areas for improvement.

Part 3 provides more information on the objective, scope and conduct of the assessments, and implementation of the recommendations.

The OAIC has issued CDR privacy safeguard guidelines to help participants comply with the safeguards, including Privacy Safeguard 1. We have also issued a Guide to developing a CDR policy.

This assessment revealed instances where several accredited persons did not fully comply with, or had privacy risks relating to, a specific CDR obligation. We have further clarified and explained these obligations in the November 2022 version of the CDR privacy safeguard guidelines.

Part 2: Summary of findings

Privacy Safeguard 1 and CDR Rule 7.2 outline the requirements for CDR entities (including accredited persons) to handle CDR data in an open and transparent way.

All CDR entities must also take steps that are reasonable in the circumstances to implement practices, procedures and systems that will ensure they:

  • comply with their CDR obligations[5]
  • are able to deal with related enquiries and complaints from consumers.

The criteria the OAIC uses to make its findings are:

High risk: an internal control or risk management issue that if not mitigated would likely lead to a breach of legislative obligations.

Not compliant: a compliance issue that if not addressed would likely lead to a breach of legislative obligations.

The OAIC expects the organisation to act immediately to address high risks and non‑compliance.

Medium risk: an internal control or risk management issue that if not mitigated would possibly lead to a breach of legislative obligations, or meet some (but not all) requirements of a specific obligation.

Partially compliant: a compliance issue that if not addressed would possibly lead to a breach of legislative obligations, or meet some (but not all) requirements of a specific obligation.

The OAIC expects organisations to address medium risks and partial compliance in a timely manner.

Low risk: the organisation could improve the way it complies and the OAIC suggests further management attention.

For more information about these privacy risk ratings, refer to Chapter 7 of the OAIC’s Guide to privacy regulatory action.

Policy about managing CDR data

All accredited persons must have a CDR policy that outlines how they manage CDR data.[6] The CDR policy must be publicly and freely available, including being readily available on each online service where the CDR entity ordinarily deals with CDR consumers.[7] This policy must be up to date and clearly expressed. The document must be distinct from the entity’s other privacy policies.

Privacy Safeguard 1 and the CDR rules specify information that accredited persons must have in their CDR policy.[8] CDR policies must contain information about:

  • how consumers can access and correct their CDR data
  • how consumers can complain about a failure of the accredited person to comply with the accredited person’s obligations, and how the accredited person will deal with that complaint.

Areas of good privacy practice

All the accredited persons developed a CDR policy, distinct from their other privacy policies, that outlined how they managed CDR data. The policies generally contained the mandatory information.

Each accredited person’s CDR policy was available and accessible. The CDR policies were available free of charge. Each accredited person demonstrated good privacy practice through the steps it took to ensure the complex information required in their CDR policy was expressed clearly. Their CDR policies used language that was accessible to a wide audience with varying levels of literacy.

All accredited persons included a consumer complaint handling process within their CDR policy.

The accredited persons’ CDR policies allowed consumers to generally understand how the accredited person would handle their CDR data, and deal with enquiries and complaints. None of the accredited persons were fully compliant, but several had only a small number of omissions. CBA and Envestnet | Yodlee did not have any areas of non-compliance (but had findings of partial compliance). Adatree and Frollo each had one finding of non-compliance (as well as findings of partial compliance). These 4 accredited persons had the fewest number of findings of partial or non-compliance.

Areas for improvement

This section identifies requirements in respect of which 3 or more accredited persons had partial or non‑compliance.

Several of the accredited persons had not collected CDR consumer data at the time of the assessment. However, the Competition and Consumer Act and the CDR rules require all accredited persons to have CDR policies in place that address the requirements of Privacy Safeguard 1 and CDR Rule 7.2, regardless of whether or not they are handling CDR data. Many of the obligations in Privacy Safeguard 1 and CDR Rule 7.2 are civil penalty provisions, and breaches can attract significant penalties.[9]

Three accredited persons’ CDR policies did not fully specify the classes of CDR data they held or may hold in the future.[10] Accredited persons must include this information as it is important for ensuring consumers know what type of data they would expect to share with the accredited persons.

An accredited person’s CDR policy must address the purposes for which they may collect, hold, use or disclose CDR data.[11] Two accredited persons addressed each of these; the remaining 5 partially addressed them. Collecting, holding, using and disclosing data are distinct concepts,[12] and the Competition and Consumer Act requires accredited persons to address each of them separately. We recommended those 5 accredited persons update their CDR policies to include the purposes for which they collect, hold, use or disclose CDR data.

The accredited persons’ CDR policies must explain how a CDR consumer may both access the CDR data and seek correction of the CDR data.[13] One accredited person explained how consumers can do both, 3 accredited persons explained one and 3 did not explain either.

Chapter 13 of the OAIC’s Privacy safeguard guidelines sets out the obligations for accredited persons when they receive correction requests from CDR consumers. Upon receiving a correction request, an accredited person can determine it is not appropriate for it to correct the CDR data. Nevertheless, the accredited person must still outline how a consumer can seek correction of CDR data.

None of the CDR policies contained every event about which accredited persons are required to notify CDR consumers.[14] The OAIC’s Guide to developing a CDR policy identifies 8 events about which accredited persons have obligations to notify CDR consumers. These are when:

  • consumers give consent to collect, use or disclose data
  • consumers amend or withdraw consent
  • the accredited person collects CDR data
  • the accredited person discloses CDR data to another accredited person
  • the accredited person has ongoing notification requirements regarding consent
  • the consumer’s consent expires
  • the accredited person responds to a correction request
  • the accredited person has a notifiable data breach affecting the consumer.

Every accredited person’s CDR policy needed more information about how it deletes redundant CDR data.[15] Accredited persons’ policies could include information about whether deleted data is irretrievably destroyed, references to any applicable standards, explanations about how they manage hard copy information and confirm third party deletion, and whether back-ups are destroyed.

The CDR rules set out information that accredited persons must include in their CDR policies about how a CDR consumer can complain and how the entity will deal with the complaint.[16] This includes outlining key aspects of the accredited person’s internal dispute resolution process. For banking sector data, accredited persons’ internal dispute resolution processes must comply with relevant sections of the Australian Securities and Investments Commission’s Regulatory Guide 271 (RG 271).[17]

The CDR rules require accredited persons to include information about their process for handling CDR complaints.[18] For banking sector data, accredited persons should include steps required under paragraph 172 of RG 271. This requires public complaints policies to explain ‘key steps for dealing with complaints, including acknowledgement, assessment and investigation, and provision of an IDR response’. Three accredited persons did not address each of these 3 steps in their CDR policies.

The CDR policies of all but one accredited person did not include sufficient information about options for redress of complaints[19] made through internal dispute resolution processes. For banking sector data, paragraph 161 of RG 271 gives 13 examples of possible remedies. These include refunds, fee waivers, correction of records and compensation payments. Accredited persons should include examples of potential remedies in their CDR policies.

The CDR rules require accredited persons’ CDR policies to include options for review of dispute resolution outcomes, both internally (if available) and externally.[20] For banking sector data, the Australian Financial Complaints Authority (AFCA) is the recognised external dispute resolution scheme. Most accredited persons included in their CDR policies that AFCA was an avenue for consumers to resolve disputes externally. However most did not include that, in addition to AFCA, a consumer can also complain to the OAIC if the consumer is unsatisfied with the outcome of an accredited person’s internal dispute resolution process. Accredited persons should include the OAIC as an option for external review of dispute resolution outcomes.

Internal policies, practices and systems

Accredited persons are required to take reasonable steps to implement practices, procedures and systems to ensure compliance with their CDR obligations and be able to receive enquiries and complaints.[21] The OAIC expects accredited persons to monitor and review their CDR privacy processes regularly.[22] Chapter 1 of the OAIC’s CDR privacy safeguard guidelines suggests steps to implement practices, procedures and systems under Privacy Safeguard 1.

When assessing what is reasonable given the accredited persons’ specific circumstances, the OAIC considered:

  • the CDR Rules and other legislative obligations that apply to the accredited person
  • the nature of the accredited person
  • the amount of CDR data handled by the accredited person
  • the possible adverse consequences for a consumer in the case of a breach, and
  • the practicability, including time and cost involved.

However, we did not excuse the accredited persons from implementing particular practices, procedures or systems by reason only that it would be inconvenient, time-consuming or impose some cost to do so. Instead, we considered whether the burden was excessive in the circumstances.

Areas of good privacy practice

We found all accredited persons were taking steps to establish and promote a culture that respects privacy and good information handling practices when managing CDR data.

All accredited persons had appointed senior staff responsible for strategic leadership of CDR and officers responsible for day-to-day management of CDR data.

The accredited persons generally demonstrated good practice by implementing procedures and systems to review their CDR policies at least annually (or after any legislative and operational changes). They had identified staff who were responsible for reviewing their CDR policy.

In assessing accredited persons’ internal policies, procedures and systems to ensure compliance with their CDR obligations, we did not identify any privacy risks for CBA. We identified one medium risk in relation to Adatree. We identified one medium risk and one low privacy risk in relation to Frollo. These 3 accredited persons had the fewest number of findings of privacy risk.

Areas for improvement

This section identifies areas where 3 or more accredited persons had similar findings.

Accredited persons may have existing practices, procedures and systems to handle personal information in accordance with the Privacy Act, and can extend these to ensure compliance with their CDR obligations.[23] However, there are areas where CDR carries obligations that are additional to the Privacy Act or other regulatory regimes.

Three accredited persons relied on organisation-wide practices, procedures and systems that did not address CDR-specific obligations. We found this to be a medium risk to CDR data and made recommendations that these accredited persons should:

  • develop and document CDR-specific practices, procedures and systems to ensure they handle data according to their CDR policies, or
  • ensure organisation-wide policies and procedures for handling data are consistent with their CDR policies.

Five accredited persons had deficiencies in their internal practices, procedures and systems to deal with consumer complaints. Most (but not all) of these deficiencies were a consequence of partial or non-compliance relating to the consumer complaints information they included in their CDR policies. Internal documents should set out how the accredited person carries out the processes it describes in its CDR policy. This includes outlining options for redress and ensuring both the OAIC and AFCA are listed as options for external review. We assessed these deficiencies as medium privacy risks.

Part 3: Context

Objective and scope of the assessment

The objective of the assessments was to examine whether the accredited persons were managing CDR data in an open and transparent way.

Specifically, the OAIC evaluated whether the accredited persons had:

  • a CDR policy that was separate to any existing privacy policy and included all the content required of an accredited person under Privacy Safeguard 1 and CDR Rule 7.2
  • taken reasonable steps in accordance with Privacy Safeguard 1 to implement practices, procedures and systems that support the effective management of CDR data and ensure compliance with their CDR obligations.[24]

Conduct of the assessment

The accredited persons provided the OAIC with copies of their CDR policies and any related or relevant documents outlining internal practices, procedures and systems relating to their compliance with the privacy safeguards. They also completed questionnaires that gathered information about their compliance with Privacy Safeguard 1. The accredited persons provided these policies, documents and questionnaire responses to the OAIC on or before 18 February 2022. They provided additional information in April 2022.

We conducted ‘point in time’ assessments. Our observations and opinions are only applicable to the time period in which we conducted the assessment. We looked at the accredited persons’ CDR policies that were in place on 18 February 2022, and information about internal processes, procedures and systems that they had in place between February and April 2022.

We conducted a desktop review of these policies, documents and questionnaire responses against the requirements of Privacy Safeguard 1 and the related CDR Rules. We provided reports to each of the accredited persons, including recommendations to address any privacy risks.

Our assessment focused on identifying areas of non-compliance with specific CDR obligations and privacy risks to the effective handling of CDR data. Our aim was to help entities improve their CDR policies and related internal practices, procedures and systems.

For more information about privacy risk ratings refer to the OAIC’s ‘Risk based assessments – privacy risk guidance’ in Appendix A of chapter 7 of the OAIC’s Guide to privacy regulatory action. This is available at oaic.gov.au/about-us/our-regulatory-approach/guide-to-privacy-regulatory-action.

Implementing the recommendations

On finalising the assessment the OAIC wrote to the accredited persons outlining our expectation that they respond with a plan for implementing our recommendations.

At the time of publishing this report, 5 of the 7 accredited persons had taken steps to implement the OAIC’s recommendations. All accredited persons had accepted the recommendations that were not yet implemented.

Six months after we sent the accredited persons the final report, we will follow up each accredited person to ensure they have fully implemented the recommendations.

Footnotes

[1] This power is set out in section 56ER of the Competition and Consumer Act (2010) (Competition and Consumer Act).

[2] Accredited persons have been accredited by the ACCC to collect CDR data. If an accredited person collects CDR data they become an accredited data recipient (ADR), but not all accredited persons are ADRs.

[3] Accredited persons must pass the ACCC Conformance Test Suite before they receive an ‘active’ status on the Consumer Data Right Public Register.

[4] Commonwealth Bank of Australia and Regional Australia Bank are both data holders as well as accredited persons. We assessed them in their roles as accredited persons.

[5] As set out in Part IVD of the Competition and Consumer Act and the CDR Rules.

[6] This is outlined in subsection 56ED(3) of the Competition and Consumer Act and Rule 7.2(2) of the CDR Rules.

[7] This is outlined in subsections 56ED(7) and 56ED(8) of the Competition and Consumer Act and CDR Rules 7.2(8) and 7.2(9).

[8] This is outlined in subsection 56ED(4) of the Competition and Consumer Act and Rule 7.2(6) of the CDR Rules.

[9] For maximum penalties, see subsection 56BN(3) and paragraph 76(1A)(b) of the Competition and Consumer Act.

[10] See paragraph 56ED(5)(a) of the Competition and Consumer Act and paragraph 1.53 of Chapter 1 of the OAIC’s CDR privacy safeguard guidelines. The classes of CDR data are defined in the designation instrument for banking, available at https://www.legislation.gov.au/Details/F2019L01153.

[11] See paragraph 56ED(5)(b) of the Competition and Consumer Act and paragraph 1.53 of Chapter 1 of the OAIC’s CDR privacy safeguard guidelines.

[12] These are defined in Chapter B (Key concepts) in the OAIC’s Privacy safeguard guidelines, available here

[13] See paragraph 56ED(5)(c) of the Competition and Consumer Act and paragraph 1.53 of Chapter 1 of the OAIC’s CDR privacy safeguard guidelines.

[14] Accredited persons must include this information in their CDR policies. See paragraph 56ED(5)(h) of the Competition and Consumer Act and paragraph 1.53 of Chapter 1 of the OAIC’s CDR privacy safeguard guidelines.

[15] See CDR Subrule 7.2(4)(k)(iii) of the Competition and Consumer Act and paragraph 1.54 of Chapter 1 of the OAIC’s CDR privacy safeguard guidelines.

[16] See CDR Rule 7.2(6) and paragraph 1.54 of Chapter 1 of the OAIC’s CDR privacy safeguard guidelines.

[17] See clause 5.1 of schedule 3 to the CDR rules.

[18] See CDR Subrule 7.2(6)(f) and paragraph 1.54 of Chapter 1 of the OAIC’s CDR privacy safeguard guidelines.

[19] See CDR Subrule 7.2(6)(h) and paragraph 1.54 of Chapter 1 of the OAIC’s CDR privacy safeguard guidelines.

[20] See CDR Subrule 7.2(6)(i) and paragraph 1.54 of Chapter 1 of the OAIC’s CDR privacy safeguard guidelines.

[21] This is outlined in subsection 56ED(2) of the Competition and Consumer Act.

[22] This guidance is outlined in Chapter 1 of the OAIC’s CDR Privacy Safeguard Guidelines and the OAIC’s Guide for developing a CDR policy.

[23] See paragraph 1.29 in Chapter 1 of the OAIC’s CDR Privacy Safeguard Guidelines.

[24] This is outlined in subsection 56ED(2) of the Competition and Consumer Act.