Last updated: 06 September 2024
Summary
In October 2023, the Office of the Australian Information Commissioner (OAIC) assessed the CDR policies of AGL Energy Group, Origin Energy Group and EnergyAustralia Group (initial retailers).[1]
CDR policies ensure CDR data is handled in an open and transparent way by allowing CDR consumers to understand how their CDR data will be managed, and how they can access and correct their CDR data or make a complaint.
Our findings
This assessment found that the initial retailers demonstrated strong compliance, meeting an average of 82%[2] of the OAIC’s minimum requirements under Privacy Safeguard 1 and Rule 7.2 of the Competition and Consumer (Consumer Data Right) Rules 2020 (CDR Rules). In particular, the CDR policies contained all required information about how to correct CDR data, and the initial retailers had good governance and training systems to implement their CDR policies.
Recommendations
We made between 6 and 11 recommendations to each initial retailer to address non-compliance and privacy risks identified in this assessment. Most commonly, we recommended that the initial retailers include more information in their CDR policies about consumer access to CDR data, and the complaint handling process, including options for redress and review.
CDR policies must contain all the information required by the CDR legislation. Some of the CDR policies assessed referred to separate policies, such as complaints and dispute resolution policies, rather than incorporating required information in the CDR policy. This creates a risk that consumers will be unable to locate information required to access, correct and control their CDR data.
Takeaways
Similar principles apply to preparing a CDR policy, privacy policy or other customer-facing policy document. Organisations must ensure their policies address legislative requirements and provide a level of detail that readers will find genuinely informative and useful.
Organisations may also take a layered approach by providing a summary that links to the full CDR policy. However, the CDR policy itself should be a standalone document and must contain all information specifically required under the legislation.
Part 1: Introduction
Background
The CDR gives consumers greater control over their data by allowing them to safely share the data that businesses hold about them. This can help consumers compare products and services to find offers that best match their needs.
The OAIC protects the privacy of individuals by regulating the privacy aspects of the CDR. The OAIC has the power to assess and audit the compliance of certain CDR entities with their CDR privacy and confidentiality obligations, including the privacy safeguards.[3]
Policy about managing CDR data
The objective of Privacy Safeguard 1 is to ensure CDR entities handle CDR data in an open and transparent way. This requires CDR entities to embed privacy in their processes and encourages a ‘privacy-by-design’ approach.
Privacy Safeguard 1 requires CDR entities (including initial retailers) to have a clearly expressed and up-to-date policy (CDR policy) that:
- is available free of charge, and readily available on each online service where the CDR entity ordinarily deals with CDR consumers[4]
- is distinct from the entity’s privacy policies[5]
- contains required information about:
CDR policies ensure CDR data is handled in an open and transparent way by allowing CDR consumers to understand how their CDR data will be managed throughout the CDR data lifecycle from collection to deletion. CDR policies also empower CDR consumers to actively engage with their CDR data by outlining how they can access and correct their CDR data, and the complaints handling process. Within the energy sector, CDR policies must include processes for accessing and correcting Australian Energy Market Operator (AEMO) data.
Implementing the CDR policy
Privacy Safeguard 1 also requires CDR entities take reasonable steps to implement practices, procedures and systems that will ensure they comply with CDR legislation and the CDR Rules. This includes ensuring that CDR policies are compliant and effectively implemented.
The specific steps required to comply with Privacy Safeguard 1 may depend on the circumstances of the particular entity, but the requirement is generally understood as a matter of good governance.
For more information, please see the Guide to developing a Consumer Data Right policy and Chapter 1 of the Consumer Data Right Privacy Safeguard Guidelines.
Part 2: Summary of findings
Areas of good privacy practice
Overall, we found that the initial retailers demonstrated a strong level of compliance and addressed an average of 82% of the OAIC’s minimum requirements.
The CDR policies assessed were all found to be clearly expressed, distinct from the initial retailers’ privacy policies, and available through each online service that the initial retailers ordinarily use to deal with CDR consumers.[9] Two of the initial retailers’ CDR policies invited consumer feedback on the CDR policy, which is an important means for entities to evaluate their CDR policies.
The main areas of good privacy practice identified during this assessment are outlined below.
Governance arrangements
The initial retailers demonstrated robust and sophisticated governance structures to protect CDR data and implement their CDR policies.
The initial retailers described having quality assurance programs that use direct observation, self-assessment and speech analytics to ensure that policies are complied with. One initial retailer advised that it uses compliance software to record audit recommendations and legal obligations, allocate responsible staff and track matters to ensure that required actions are completed.
All the initial retailers had a senior manager that was responsible for the strategic leadership and overall management of CDR data, and staff to manage, advise and report on privacy safeguard issues. Appointing leadership and operational staff with CDR responsibilities helps to embed a culture that respects and protects CDR data.
Correcting CDR data
A data holder’s CDR policy must contain information about how a consumer can seek correction of their CDR data.[10]
The CDR policies assessed were compliant in outlining how a CDR consumer can seek correction of their CDR data, including AEMO data. These CDR policies outlined that a consumer may seek correction of their CDR data and included where and how a correction request may be made.
CDR policy tip:
As best practice, CDR policies could detail what information a consumer should include in a correction request such as what information is incorrect, why the information is incorrect and the requestor's contact details.
Providing this direction ensures that the CDR entity has all the information it needs to address the request from the outset.
Staff Training
Regularly training staff who deal with CDR data is a reasonable step that CDR entities must take to ensure that staff handle CDR data in accordance with their CDR policies.
The initial retailers advised that all staff with access to CDR data (including short-term staff and contractors) undergo training about handling CDR data and are provided refresher training at least annually. The initial retailers also indicated that they keep a register of staff who have attended training.
While the format of the training varied between the initial retailers, there was a robust mix of formal online and in-person training, and informal discussions, reminders and ‘on-the-job’ training. One initial retailer described using computerised adaptive testing, where the number of questions and the frequency of training vary depending on the staff member’s answers and performance in previous tests. Varied and regular training accommodates staff with different learning styles and allows them to reinforce their knowledge.
Areas for improvement
Where this assessment identified areas for improvement, it was generally because there was an insufficient level of detail in the initial retailers’ CDR policies.
CDR policies must contain all the information required by the CDR legislation. Some of the CDR policies assessed referred to separate policies, such as complaints and dispute resolution policies, rather than incorporating required information in the CDR policy. This creates a risk that CDR consumers will be unable to locate information that CDR entities are legally required to provide, and CDR consumers may not be empowered to access, correct and control their CDR data.
CDR policy tip:
CDR entities may take a layered approach by providing a summary that links to the full CDR policy. However, the CDR policy itself should be a standalone document and must contain all information specifically required under the legislation.
The main areas for improvement identified during this assessment are outlined below.
Access to CDR data
A data holder’s CDR policy must contain information on how a CDR consumer can access their CDR data, including AEMO CDR data.[11] This allows the CDR consumer to review their CDR data and seek correction of inaccurate, incomplete, misleading or out of date data.
We recommended that 2 of the 3 initial retailers update their CDR policy to include a process for CDR consumers to access CDR data, including AEMO CDR data. As best practice, this could include a step-by-step procedure for accessing CDR data, with an option to make requests via a non-digital platform such as phone or post.
CDR policy tip:
The CDR policy must explain how a consumer may access their CDR data, including AEMO data in the energy sector.
AEMO holds important consumer data but has no direct relationship with consumers. Energy retailers are responsible for requesting data from AEMO to respond to consumer data requests.
Process for handling a CDR consumer complaint
The CDR Rules require data holders to include certain information about handling CDR consumer complaints in their CDR policies,[12] such as the time periods associated with the various stages in the CDR consumer complaint process.[13] The key stages for dealing with CDR consumer complaints should include:
- acknowledgement
- assessment and investigation
- providing a response.
Of the 3 CDR policies assessed, 2 contained only some of the key stages (and associated time periods) of the complaint process. Where timeframes were identified within the CDR policies, they were found to be acceptable. The CDR policies generally outlined that complaints would be acknowledged as soon as possible and no later than 5 business days after receiving the complaint, and that a response would be provided in at most 30 days.
Options for redress
CDR policies must include options for redress to ensure consumers are aware of the available remedies when making a CDR consumer complaint.[14]
While most of the CDR policies assessed contained some options for redress, the options provided were often framed to address customer enquiries as opposed to complaints. In the CDR policies, the examples of redress were limited to assisting customers with managing their CDR data or seeking to correct their CDR data.
This assessment recommended that the initial retailers update their CDR policies to include all foreseeable options for redress of complaints made through their dispute resolution processes.
CDR policy tip:
CDR policies should contain all foreseeable options for redress.
Examples of options for redress include correcting records or providing an explanation, refund, fee waiver, apology or compensation payment.
Options for review
Where a consumer is dissatisfied with how their complaint has been initially handled, they may seek to have their matter reviewed. CDR policies must include information about options for review, both internally (if available) and externally.[15]
During the assessment, all the initial retailers advised that consumers could request an internal review of the outcome of their CDR consumer complaint. However, only 1 of the 3 CDR policies assessed indicated that this was the case.
All the CDR policies assessed stated that CDR consumers could seek external review by the relevant state or territory-based ombudsman. However, 2 of the CDR policies did not directly provide information such as the names of the relevant ombudsmen or their contact details.[16] The initial retailers all included the OAIC as an option for external review. However, one did not include OAIC contact details within the CDR policy.
CDR policy tip:
CDR policies should identify all relevant internal and external options for consumers seeking review for their complaint. This should include information about how to request a review from each entity, such as contact details.
Implementing the CDR policy
CDR entities must take steps that are reasonable in the circumstances to implement practices, procedures and systems that will ensure they comply with CDR legislation and enable them to deal with consumer inquiries or complaints about their compliance with the CDR legislation.[17]
Each of the initial retailers had at least one recommendation to support the implementation of their CDR policy. Some of the areas included:
- Developing processes for requesting, using, disclosing and deleting shared responsibility data, including unsolicited data, which is a key responsibility for retailers in the energy sector.
- Reviewing policies and procedures at least annually to ensure that they continue to meet the legislative requirements and accurately reflect current operations.
- Checking the CDR policy is clearly expressed by using readability tests[18] as a guide when reviewing the CDR policy.
Generally, the initial retailers met most of the assessment’s minimum requirements with only specific elements requiring improvement. The initial retailers indicated that, due to the recent designation of the CDR in the energy sector[19] and the relatively low volume of CDR data being managed, they had not had the opportunity to develop or use some of the practices, procedures and processes at the time of the assessment.
Part 3: About the assessment
Conduct of the assessment
Objective and scope
The objectives of this assessment were to promote and uphold privacy rights in the CDR ecosystem by:
- assessing whether the initial retailers are complying with Privacy Safeguard 1[20] and identifying any related privacy risks
- obtaining intelligence about emerging risks and trends to inform our guidance and future regulatory action
- deterring non‑compliance by demonstrating the OAIC’s active approach to CDR regulation.
Where privacy risk or non-compliance was identified, recommendations and best practice suggestions were made to help the initial retailers achieve good practice with their CDR policies.
Methodology
This risk and compliance-based assessment examined the initial retailers[21] in the energy sector in their roles as data holders:
- AGL Energy Group
- Origin Energy Group
- EnergyAustralia Group
The assessment consisted of a desktop review of:
- the initial retailers’ published CDR policies as of 12 October 2023
- the initial retailers’ responses to a questionnaire about the steps they take to implement their CDR policy
- any other relevant documents, records or information the initial retailers provided.
This was a point-in-time assessment that examined the initial retailers’ CDR policies and related obligations at the time of the assessment. Each of the initial retailers was offered an opportunity to confirm the currency of its published CDR policy. Where necessary, we also requested additional information or clarification from the initial retailers.
Recommendations and next steps
In total, we made 27 recommendations to address areas of non-compliance identified in this assessment.
At the conclusion of this assessment, we provided each data holder with an individual assessment report with specific findings. Where non‑compliance or privacy risks were identified, we recommended action and suggestions to rectify the relevant issues.
At the time of publishing this report, all the initial retailers have advised that they have taken steps to address the recommendations.
[1] Schedule 4, cl 8.2 of the CDR Rules specifies the initial retailers.
[2] This percentage is based on the proportion of assessment criteria for which the organisations met the standard of best practice, compliant, no privacy risk or low privacy risk. Criteria that were not applicable to the specific organisations were disregarded.
[3] Section 56ER of the Competition and Consumer Act; Subrule 9.6(2) of the Competition and Consumer (Consumer Data Right) Rules 2020 (CDR Rules). While assessments and audits are similar compliance functions, we refer to ‘assessments’ and ‘audits’ separately to be consistent with the terminology used respectively in the legislation.
[4] Subsection 56ED(7) of the Competition and Consumer Act; Subrule 7.2(8) of the CDR Rules.
[5] Paragraph 56ED(3)(b) of the Competition and Consumer Act; Subrule 7.2(2) of the CDR Rules.
[6] Subsections 56ED(3)(a) and (5)-(6) of the Competition and Consumer Act; Subrules 7.2(3)-(5) and (7) of the CDR Rules.
[7] Paragraphs 56ED(4)(a) and (5)(c) of the Competition and Consumer Act.
[8] Paragraphs 56ED(4)(b) and (5)(d) of the Competition and Consumer Act; Subrule 7.2(6) of the CDR Rules.
[9] Paragraph 56ED(7)(b) of the Competition and Consumer Act; Subrule 7.2(8) of the CDR Rules.
[10] Paragraph 56ED(4)(a) of the Competition and Consumer Act.
[11] Paragraph 56ED(4)(a) of the Competition and Consumer Act; Paragraph 28RA(3)(a) of the Competition and Consumer Regulations.
[12] Subrule 7.2(6) of the CDR Rules.
[13] Paragraph 7.2(6)(g) of the CDR Rules.
[14] Paragraph 7.2(6)(h) of the CDR Rules.
[15] Paragraph 7.2(6)(i) of the CDR Rules.
[16] An energy retailer data holder must be a member of the relevant state or territory Energy and Water Ombudsman (EWO) scheme: Subrule 6.2 of the CDR Rules and Schedule 4, cl 5.2(1)(b) of the CDR Rules.
[17] Subsection 56ED(2) of the Competition and Consumer Act.
[18] An example of a readability test is the Flesch-Kincaid test.
[19] At the time of the assessment, the energy sector had been a part of the CDR system for approximately 12 months: https://www.cdr.gov.au/rollout.
[20] The relevant requirements of Privacy Safeguard 1 considered in this assessment are outlined in subsections 56ED(2)-(4) and (7)-(8) of the Competition and Consumer Act and subrule 7.2 of the CDR Rules.
[21] ‘Initial retailer’ is defined in Schedule 4, cl 8.2 of the CDR Rules.