
Published 26 June 2024

Executive summary

In May 2023, the Office of the Australian Information Commissioner (OAIC) commenced a Privacy Safeguard 1 assessment of 19 Consumer Data Right (CDR) entities. The cohort included all active accredited persons listed on the CDR register that the OAIC had not previously assessed.

CDR entities must have and maintain a clearly expressed and up-to-date CDR policy.[1] Privacy Safeguard 1[2] and Rule 7.2 of the Competition and Consumer (Consumer Data Right) Rules 2020 (CDR Rules) outline requirements about a CDR policy’s content, format, and availability.

In this assessment, we found that the 19 accredited persons demonstrated a sound level of compliance overall.

For each of the 19 accredited persons, we identified between 2 and 15 areas of non-compliance or partial non-compliance, where CDR policies did not sufficiently address certain required information. The most common areas of non-compliance related to CDR policies not containing sufficient information about:

  • the purposes for which the accredited person may collect, hold, use or disclose CDR data
  • how a CDR consumer may seek correction of their CDR data
  • the events that CDR consumers will be notified about
  • how the entity deletes redundant CDR data
  • the accredited person’s process for managing CDR consumer complaints
  • options for review of CDR complaints
  • options for redress for CDR complaints.

A total of 134 recommendations were made to the 19 accredited persons to address the non-compliance identified in this assessment. All 19 accredited persons have accepted our findings and recommendations. Fourteen of the accredited persons have advised that they have already taken steps to address the recommendations.

Part 1: Introduction

Background

The CDR gives consumers greater control over their data by allowing them to safely share the data that businesses hold about them. This can help consumers compare products and services to find offers that best match their needs.

The OAIC protects the privacy of individuals by regulating the privacy aspects of the CDR. The OAIC has the power to assess and audit the compliance of certain CDR entities with their CDR privacy and confidentiality obligations.[3]

Policy about managing CDR data

The objective of Privacy Safeguard 1 is to ensure CDR entities handle CDR data in an open and transparent way. This requires CDR entities to embed privacy in their processes and encourages a ‘privacy-by-design’ approach.

Privacy Safeguard 1 requires CDR entities (including accredited persons) to have a clearly expressed and up-to-date policy (CDR policy) that:

  • is available free of charge, including being readily available on each online service where the CDR entity ordinarily deals with CDR consumers[4]
  • is distinct from the entity’s other privacy policies[5]
  • contains required information about:
    • how they manage CDR data[6]
    • how consumers can access and correct CDR data[7]
    • the consumer complaints process[8]
    • any sponsorship, representative and outsourcing arrangements.[9]

A CDR policy ensures CDR data is handled in an open and transparent way by allowing CDR consumers to understand how their CDR data will be managed throughout the CDR data lifecycle from collection to deletion. The CDR policy also empowers CDR consumers to actively engage with their CDR data by outlining how they can access and correct their CDR data, and how they can access the complaints handling process.

For more information, please see the Guide to developing a Consumer Data Right policy and Chapter 1 of the Consumer Data Right Privacy Safeguard Guidelines on the OAIC website.

Part 2: Summary of findings

Areas of good privacy practice

Overall, we found that the 19 accredited persons demonstrated a sound level of compliance and addressed most of the mandatory requirements in their CDR policies.

The 3 main areas of good privacy practice identified during this assessment are outlined below.

Distinct CDR policy

An accredited person’s CDR policy must be in the form of a document that is distinct from any of the CDR entity’s privacy policies.[10]

Almost all the accredited persons’ CDR policies were distinct policies that met most of the mandatory requirements for a CDR policy. A distinct CDR policy provides clarity to the consumer by detailing CDR specific information in one location.

Classes of CDR data held

The 19 CDR policies that were assessed generally referred to the different classes of CDR data that each accredited person may hold with adequate detail.[11] This included CDR data that another entity (for example, an outsourced service provider) may hold on the accredited person’s behalf.

The classes of CDR data that must be referred to in a CDR policy vary by sector and are set out in the relevant designation instrument. For example, the designation instrument for the banking sector sets out 3 classes of information: customer information, product use information and information about the product.[12]

Disclosure of CDR data to a non-accredited person

The 19 CDR policies assessed generally outlined the circumstances in which the assessed accredited persons may disclose CDR data to a non-accredited person.[13] This allows consumers to understand how their CDR data is handled, and who may have access to it.

Six of the 19 accredited persons indicated that they will not disclose any CDR data to a non-accredited person.

CDR policy tip:

CDR policies must contain information about the circumstances in which the CDR entity may disclose CDR data to a non-accredited person.

As best practice, the CDR policy ought to state if the CDR entity does not disclose CDR data to a non-accredited person. This is a transparent approach that can also demonstrate a potentially reduced risk to the consumer, as limiting the disclosure of CDR data reduces the opportunity for CDR data to be accessed or handled improperly.

Areas for improvement

The 7 major findings identified during this assessment are outlined below.

Purposes of CDR data

An accredited person’s CDR policy must address the purposes for which they may collect, hold, use or disclose CDR data.[14] Collecting, holding, using and disclosing data are distinct concepts,[15] and the Competition and Consumer Act requires accredited persons to address each of them separately.

In this assessment, we recommended that 9 accredited persons update their CDR policies to address each of the purposes for which they collect, hold, use or disclose CDR data to better inform the consumer of the purposes for which their data will be used.

This assessment found that these accredited persons’ CDR policies generally failed to address one of the 4 relevant purposes. For example, a CDR policy addressed the purposes for which CDR data is collected, used or disclosed but not the purpose for which the accredited person may hold the CDR data.

Seeking correction

CDR policies must explain how a CDR consumer may seek correction of their CDR data.[16] Chapter 13 of the OAIC’s Privacy Safeguard Guidelines sets out the obligations for accredited persons when they receive correction requests from CDR consumers.

Five accredited persons were found to be non-compliant or partially compliant with this requirement. These CDR policies identified that CDR consumers could seek to correct their CDR data but did not provide enough detail about how they could make such a request.

Allowing CDR consumers to correct their CDR data ensures that they can effectively use the CDR to view their information and compare products and services. This is also a reasonable step accredited persons must take to ensure that CDR data is sufficiently accurate, up to date and complete.[17]

Notification events

Accredited persons have obligations to notify CDR consumers when certain events occur (notifiable events).[18] These events include when the:

  • consumer gives consent to collect, use or disclose data[19]
  • consumer amends[20] or withdraws consent[21]
  • accredited person collects the consumer’s CDR data[22]
  • accredited person discloses the consumer’s CDR data to another accredited person[23]
  • accredited person has ongoing notification requirements regarding the consumer’s consent[24]
  • consumer’s consent expires[25]
  • accredited person responds to a correction request[26]
  • accredited person has an eligible data breach affecting the consumer under the Notifiable Data Breaches scheme.[27]

These notification events are aimed at ensuring consumers are aware of, and have control over, how their CDR data is being handled.

Generally, the CDR policies assessed contained most of the required notification events. However, only 4 of the 19 CDR policies addressed every required notification event, and 4 other accredited persons addressed only 1 or none of the required notification events.

Deleting redundant data

Accredited persons must include information about how they delete redundant CDR data in their CDR policy.[28] Of the 19 CDR policies assessed, 11 contained insufficient information about how the accredited person deletes redundant CDR data.

Providing CDR consumers with information about how redundant CDR data is deleted allows consumers to make informed decisions and understand how their CDR data is handled. The CDR policy should describe the deletion process in a way that is helpful and meaningful to the consumer.

CDR policy tip:

When outlining how redundant CDR data is deleted in its CDR policy, an accredited person could include:

  • whether deleted data is irretrievably destroyed
  • references to applicable standards
  • how hard copy information is managed
  • how deletion is confirmed with third parties such as CDR representatives and outsourced service providers
  • whether back-ups are destroyed.

Handling CDR complaints

The CDR Rules require accredited persons to include certain information about handling CDR consumer complaints in their CDR policies.[29] For accredited persons in the banking sector, CDR policies should include the key steps for dealing with CDR consumer complaints, including:[30]

  • acknowledgement
  • assessment and investigation, and
  • providing a response.

Of the 19 CDR policies assessed, 6 required further information about the process for handling CDR consumer complaints to ensure that CDR consumers had sufficient understanding.

Options for redress

Accredited persons are required to include options for redress in their CDR policies to ensure consumers are aware of the available remedies when making a CDR consumer complaint.[31]

Seventeen of the 19 accredited persons’ CDR policies did not include sufficient information about options for redress of complaints made through their dispute resolution processes.

CDR policy tip:

CDR policies should contain all foreseeable options for redress.

Paragraph RG 271.161 of ASIC’s Internal Dispute Resolution Regulatory Guide 271 outlines examples of options for redress such as correcting records or providing an explanation, refund, fee waiver, apology or compensation payment.

Options for review

Where a consumer is dissatisfied with an accredited person’s internal dispute resolution process, they may, in some circumstances, seek to have their matter reviewed. CDR policies must include information about these options for review, both internally (if available) and externally.[32]

Only 3 of the 19 accredited persons’ CDR policies gave consumers the option to request an internal review of the outcome of their CDR consumer complaint.

CDR policy tip:

CDR policies must outline any options to review CDR consumer complaints internally (if available) and externally.

As best practice, if a CDR entity does not offer a means of reviewing the outcome of CDR consumer complaints internally, this ought to be stated in the CDR policy.

Most of the CDR policies assessed stated that CDR consumers could seek external review by the Australian Financial Complaints Authority (AFCA).[33] However, 7 of the CDR policies did not state that a consumer also has the option to seek external review by the OAIC.

CDR policy tip:

Accredited persons should outline all relevant options for consumers seeking review for their dispute:

  • The OAIC can review matters relevant to privacy, including the handling of CDR data and privacy obligations under CDR legislation.
  • External dispute resolution schemes can review privacy matters, as with the OAIC, but can also handle other issues such as complaints about products and services.

CDR policies should include information about how consumers can request a review from each relevant entity, such as contact details.

Part 3: About the assessment

Conduct of assessment

Objective and scope

The objective of this assessment was to examine the compliance of 19 accredited persons’ CDR policies against the requirements of Privacy Safeguard 1 and the CDR Rules.

Where non-compliance was identified, recommendations and best practice suggestions were made to help the accredited persons achieve good practice with their CDR policies.

Methodology

This compliance-based assessment examined a sample of 19 active accredited persons that had not been previously assessed by the OAIC. While these CDR entities may hold more than one role within the CDR system, they were assessed in their capacity as accredited data recipients or as accredited persons who may become accredited data recipients.

The 19 accredited persons that were assessed are listed in Attachment A of this report.

The assessment consisted of a desktop review of:

  • the entities’ published CDR policies as at 8 May 2023
  • any additional information the entities provided.

Each of the 19 accredited persons was offered an opportunity to confirm the currency of their published CDR policy. Where necessary, we also requested additional information or clarification from the accredited persons.

This was a point-in-time assessment that examined the accredited persons’ CDR policies and related obligations at the time of the assessment.

CDR policy tip:

CDR entities should review their CDR policies on a regular scheduled basis and following certain events to ensure currency and accuracy for CDR consumers.[34]

CDR policies should be reviewed when:

  • a review is scheduled (at least annually)
  • CDR legislation, guidance, or policies change
  • the entity’s organisational structure or processes change
  • relevant risks are identified or change.

Recommendations and next steps

In total, we made 134 recommendations to address areas of non-compliance identified in this assessment.

At the conclusion of this assessment, we provided each accredited person with an individual assessment report with specific findings. Where non‑compliance was identified, we recommended action that should or must be taken to rectify the relevant issues.

All the accredited persons have accepted our findings and recommendations. At the time of publishing this report, 14 of the 19 accredited persons have advised that they have taken steps to address the recommendations.

Attachment A

The following accredited persons were assessed in this assessment:

  • Beyond Bank Australia Limited
  • Bud APAC Pty Limited[35]
  • Cuscal Limited
  • Fiskil Pty Ltd
  • Greenr Global Pty Ltd Limited
  • Hive Empire Pty Ltd (Finder)
  • Idux Pty Ltd
  • Liberty Financial Pty Ltd
  • NextGen.Net Pty Ltd
  • Payble Pty Ltd[36]
  • PayOK Holdings Pty Ltd[37]
  • Savings.com.au Pty Ltd
  • SISS Data Services Pty Limited
  • Skript Pty Ltd
  • Suncorp-Metway Limited
  • Verifier Australia Pty Ltd
  • Waave Technologies Pty Ltd
  • Wych Australia Pty Ltd
  • Zepto Payments Pty Ltd

[1] Subsection 56ED(3) of the Competition and Consumer Act 2010

[2] Section 56ED of the Competition and Consumer Act

[3] Section 56ER of the Competition and Consumer Act; Rule 9.6(2) of the Competition and Consumer (Consumer Data Right) Rules 2020 (CDR Rules). While assessments and audits are similar compliance functions, we refer to ‘assessments’ and ‘audits’ separately to be consistent with the terminology used respectively in the Competition and Consumer Act and the CDR Rules.

[4] Subsection 56ED(7) of the Competition and Consumer Act

[5] Paragraph 56ED(3)(b) of the Competition and Consumer Act; Rule 7.2(2) of the CDR Rules

[6] Paragraph 56ED(3)(a) of the Competition and Consumer Act

[7] Paragraphs 56ED(5)(c) and 56ED(4)(a) of the Competition and Consumer Act

[8] Paragraphs 56ED(4)(b) and (5)(d) of the Competition and Consumer Act

[9] Paragraphs 7.2(4)(b), (d) and (g) of the CDR Rules

[10] Subrule 7.2(2) of the CDR Rules

[11] Paragraph 56ED(5)(a) of the Competition and Consumer Act; Paragraph 1.53 of Chapter 1 of the OAIC’s CDR Privacy Safeguard Guidelines.

[12] Sections 6-8 of the Consumer Data Right (Authorised Deposit‑Taking Institutions) Designation 2019

[13] Paragraph 56ED(5)(g) of the Competition and Consumer Act

[14] Paragraph 56ED(5)(b) of the Competition and Consumer Act; Paragraph 1.53 of Chapter 1 of the OAIC’s CDR Privacy Safeguard Guidelines

[15] ‘Collect’, ‘hold’, ‘use’ and ‘disclosure’ are defined in Chapter B (Key concepts) of the Privacy Safeguard Guidelines.

[16] Paragraph 56ED(5)(c) of the Competition and Consumer Act; Paragraph 1.53 of Chapter 1 of the OAIC’s CDR Privacy Safeguard Guidelines

[17] Section 56EN of the Competition and Consumer Act

[18] Paragraph 56ED(5)(h) of the Competition and Consumer Act; Paragraph 1.53 of Chapter 1 of the OAIC’s CDR Privacy Safeguard Guidelines

[19] Paragraph 4.18(1)(a) of the CDR Rules

[20] Paragraph 4.18(1)(aa) of the CDR Rules

[21] Paragraph 4.18(1)(b) of the CDR Rules

[22] Rule 7.4 of the CDR Rules

[23] Subrule 7.9(2) of the CDR Rules

[24] Rule 4.20 of the CDR Rules

[25] Rule 4.18A of the CDR Rules

[26] Rule 7.15 of the CDR Rules

[27] Section 56ES of the Competition and Consumer Act

[28] Subparagraph 7.2(4)(k)(iii) of the CDR Rules; Paragraph 1.54 of Chapter 1 of the OAIC’s CDR Privacy Safeguard Guidelines

[29] Paragraph 7.2(6)(f) of the CDR Rules; Paragraph 1.54 of Chapter 1 of the OAIC’s CDR Privacy Safeguard Guidelines.

[30] This is consistent with paragraph RG 271.173(c) of Australian Securities & Investments Commission’s (ASIC’s) Regulatory Guide 271 Internal Dispute Resolution (RG 271). Under rule 5.12 and clause 5.1 of Schedule 3 of the CDR Rules, accredited persons must comply with the provisions of RG 271 regarding certain aspects of their internal dispute resolution procedures or processes.

[31] Paragraph 7.2(6)(h) of the CDR Rules and paragraph 1.54 of Chapter 1 of the OAIC’s CDR Privacy Safeguard Guidelines.

[32] Paragraph 7.2(6)(i) of the CDR Rules; Paragraph 1.54 of Chapter 1 of the OAIC’s CDR Privacy Safeguard Guidelines.

[33] Accredited persons in the banking sector must be a member of the Australian Financial Complaints Authority (AFCA) external dispute resolution scheme.

[34] Subsection 56ED(2) of the Competition and Consumer Act

[35] Bud APAC surrendered its accreditation on 1 December 2023.

[36] Payble surrendered its accreditation on 5 March 2024.

[37] PayOK surrendered its accreditation on 31 January 2024.