Publication date: 15 January 2024
This page outlines the key privacy obligations relating to the disclosure of insights based on a consumer’s CDR data (‘CDR insights’). CDR insights can be shared with any third party, including those that are not accredited under the Consumer Data Right (CDR) system.
CDR insights are intended to allow accredited data recipients and CDR representatives to disclose CDR data outside the CDR system to either confirm, deny, or provide simple information to a person selected by the consumer, where this is for a limited, permitted purpose.
Key points
- CDR insights are insights based on a consumer’s CDR data. CDR insights remain ‘CDR data’.
- A consumer can only give a valid consent to disclose a CDR insight where it is for one of the purposes outlined in CDR Rules, subparagraphs 1.10A(3)(a)(i)-(iii).
- An accredited data recipient or CDR representative must not disclose a CDR insight if it includes or reveals sensitive information about a consumer.
- Where a CDR insight relates to more than one transaction from a consumer’s account, the accredited data recipient or CDR representative must not disclose the amount or date of any individual transaction.
- When seeking consent from a consumer (and prior to disclosure), an accredited data recipient or CDR representative must explain to the consumer what the CDR insight is and what it would reveal or describe about them.
- If an accredited data recipient or CDR representative intends to disclose an insight to someone outside the CDR system, they must explain to the consumer that the data will not be subject to the same protections under the CDR system.
- Unaccredited entities that receive CDR insights should consider whether they have any professional or other regulatory obligations (for example, under the Privacy Act 1988) in relation to their handling of a consumer’s data, and ensure they handle data transparently and confidentially.
What is a CDR insight?
CDR insights are insights based on a consumer’s CDR data.
These insights are intended to allow accredited data recipients and CDR representatives to disclose CDR data outside the CDR system to either confirm, deny, or provide simple information to a person selected by the consumer, where this is for a limited, permitted purpose.
Under the CDR Rules, a consumer can provide consent for an accredited data recipient or CDR representative to disclose CDR insights outside the CDR system for these limited purposes. This is known as an ‘insight disclosure consent’.
Insight disclosure consents can be provided by a consumer for the following permitted purposes:
- to verify the consumer’s identity
- to verify the consumer’s account balance, or
- to verify the details of credits to, and debits from, the consumer’s accounts (see CDR Rules, subparagraphs 1.10A(3)(a)(i)-(iii)).
In order to be a valid consent, an insight disclosure consent must be for one of these permitted purposes.
Where an accredited data recipient discloses CDR data for a purpose that is not permitted under the CDR Rules, the disclosure will breach Privacy Safeguard 6 and CDR Rules subrule 7.6(1) and paragraph 7.5(1)(e), which may result in civil penalties. Where a CDR representative discloses CDR data for a purpose that is not permitted, this will breach the terms of its CDR representative arrangement with its CDR representative principal, and the CDR representative principal will be in breach of CDR Rules, rule 7.6 (because any disclosure by a CDR representative is taken to have been by the CDR representative principal – CDR Rules, subrule 7.6(4)).
Some examples of use cases for insights that will likely comply with these permitted purposes are provided below:
- confirming the consumer’s account balance at a specific point in time (as this is for the purpose of verifying the consumer’s account balance – CDR Rules, subparagraph 1.10A(3)(a)(ii))
- confirming whether a consumer’s account balance is over a certain amount (as this is for the purpose of verifying the consumer’s account balance – CDR Rules, subparagraph 1.10A(3)(a)(ii))
- confirming whether a consumer has received a transfer of funds from a specific counterparty (as this is for the purpose of verifying the details of credits to a consumer’s account – CDR Rules, subparagraph 1.10A(3)(a)(iii))
- disclosing the consumer’s average income over a specific period of time (as this is for the purpose of verifying the details of credits to a consumer’s account – CDR Rules, subparagraph 1.10A(3)(a)(iii)).
While the examples above will likely fall within the permitted purposes for disclosing a CDR insight, in other instances, it might be less clear. In such cases, to ensure disclosures comply with the CDR Rules, an accredited data recipient or CDR representative should ensure they are able to justify why the disclosure was for a permitted purpose.
Some further examples are outlined below.
Example 1 – CDR insights regarding spending on certain categories of goods
An accredited data recipient wishes to provide a service where it discloses CDR insights about consumers, including amounts spent on certain categories of goods in any given period. One such category of goods is ‘amounts spent at major supermarkets’. As the types of debits that would be relevant to determining this insight can be clearly defined, this would generally meet the purpose of ‘verifying the details of…debits from the consumer’s account’ (CDR Rules, subparagraph 1.10A(3)(a)(iii)). Provided the consumer consents to this disclosure, the insight can likely be disclosed.
However, an insight purporting to reveal amounts spent on more specific categories of goods, such as ‘fresh foods’, or purporting to reveal information about an individual’s general attributes or behaviour based on their transaction history, may not be for a permitted purpose. This is because the types of debits that would be relevant to determining such an insight may not be able to be clearly defined. Such an insight is therefore unlikely to be for the purpose of verifying the details of particular debits from or credits to the consumer’s account.
Example 2 – Direct debit failures
An accredited data recipient wishes to provide a service where it discloses CDR insights about consumers, indicating whether a direct debit/payment has failed during any given period. As this is for the purpose of verifying the details of a consumer’s debits from their account, such an insight would generally meet the relevant permitted purpose in CDR Rules, paragraph 1.10A(3)(a).
By contrast, subjective predictions or analysis about average incomes over a period of time that indicate the accredited data recipient’s opinion about whether a direct debit is likely to fail, would not appear to be for a permitted purpose under the CDR Rules.
Disclosing a CDR insight
CDR insights can be disclosed to any person, provided the consumer has given valid consent (that is, consent in accordance with CDR Rules, subrule 1.10A(3), and any other relevant CDR Rules requirements).
This means that, unless the insight is disclosed to an accredited person, the CDR data will no longer be subject to the protections and safeguards of the CDR system. An accredited data recipient or CDR representative must explain this to the consumer in accordance with the relevant consumer experience standard (see CDR Rules, subrule 8.11(1A)).
Privacy tip: While unaccredited recipients of CDR insights are not subject to CDR-specific obligations, they should still consider whether they have any professional or other regulatory obligations in relation to their handling of a consumer’s data. CDR insight recipients should also consider whether they have obligations under the Privacy Act 1988.
As a matter of best practice, CDR insight recipients should ensure that they handle data transparently and in a way that the consumer would expect.
Seeking consent to disclose
As noted above, before an accredited data recipient or CDR representative is permitted to disclose a CDR insight, the consumer needs to provide a valid consent known as an ‘insight disclosure consent’ (see CDR Rules, subrule 1.10A(3)).
An accredited data recipient must ask for an insight disclosure consent in accordance with Division 4.3 of the CDR Rules, while a CDR representative must ask for an insight disclosure consent in accordance with Division 4.3A. These Divisions seek to ensure that consent is voluntary, express, informed, specific as to purpose, time limited, and easily withdrawn.
The CDR Rules also include a requirement for the accredited data recipient or CDR representative to give an explanation of the CDR insight to be disclosed, including what this would reveal or describe about the consumer (see CDR Rules, paragraphs 4.11(3)(ca) and 4.20E(3)(g)).
An accredited data recipient’s or CDR representative’s process for asking a consumer to give or amend an insight disclosure consent must:
- comply with any relevant consumer experience data standards and
- be as easy to understand as practicable, including by use of concise language and, where appropriate, visual aids, having regard to any consumer experience guidelines (see CDR Rules, subparagraphs 4.10(1)(a)(ii) and 4.20D(a)(ii)).
The disclosure of CDR data to insight recipients must also be consistent with the consumer experience standards for insight disclosure (see CDR Rules, subparagraph 8.11(1)(c)(v)).
Privacy tip: As a matter of best practice, where possible, accredited data recipients and CDR representatives should show the consumer the CDR insight prior to it being disclosed.
This will promote transparency and help to ensure that the consumer is providing informed consent for the disclosure of their CDR data.
No condition on supply of goods or services
Generally, an accredited data recipient or CDR representative must not make the giving of an insight disclosure consent, or the specification of a particular person to whom insights are to be disclosed, a condition for the supply of the goods or services requested by the CDR consumer (see CDR Rules, subrules 1.10A(4) & (5)).
This means that the accredited data recipient or CDR representative cannot tell the consumer that they will only provide goods or services if the consumer consents to insights from their CDR data being disclosed to a specified person, or if they nominate a particular person to receive the insights.
However, where the only service requested from an accredited data recipient or CDR representative by the CDR consumer is for CDR data to be collected from a data holder and CDR insights disclosed in accordance with an insight disclosure consent, the prohibition on making the giving of an insight disclosure consent a condition for the supply of goods or services does not apply (see CDR Rules, subrule 1.10A(7)). In this case, only the prohibition requiring the nomination of a particular person to receive CDR insights applies.
Prohibition on disclosing sensitive information
An accredited data recipient or CDR representative must not disclose a CDR insight if it includes or reveals sensitive information about a consumer as defined in the Privacy Act 1988 (see CDR Rules, subrule 7.5A(4) and subparagraph 1.10A(1)(c)(iv)).
Sensitive information includes information or an opinion (that is also personal information) about an individual’s:
- racial or ethnic origin
- political opinions or membership of a political association
- religious beliefs or affiliations
- philosophical beliefs
- membership of a professional or trade association, or trade union
- sexual orientation or practices, or
- criminal record.
It also includes:
- health information
- genetic information
- biometric information used for automated biometric verification or identification, or
- biometric templates (see s 6 of the Privacy Act 1988).
‘Health information’ includes information or an opinion, that is also personal information, about:
- the health, including an illness, disability or injury of an individual
- an individual's expressed wishes about the future provision of health services, or
- a health service provided to an individual (see s 6FA of the Privacy Act 1988).
It can also include information collected to provide a health service, information about donating body parts, organs or substances, or genetic information that could predict an individual’s health or the health of a genetic relative.
Examples of CDR data or insights that may include or reveal sensitive information may include details of transactions regarding:
- payments to a doctor, psychologist or other health service provider
- payments/reimbursements made to an individual’s bank account from Medicare, or
- payments to a political party, union or professional association.
Prohibition on disclosing details of more than one transaction
Where a CDR insight relates to more than one transaction from a consumer’s account, the accredited data recipient or CDR representative must not disclose the amount or date of any individual transaction (see CDR Rules, paragraph 1.10A(3)(b)).
In other words, while an insight may be derived from multiple transactions, the insight itself that is disclosed to the recipient must not detail the amounts or dates of any individual transactions.
This means that an accredited data recipient or CDR representative cannot disclose, for example, a full transaction list or a detailed business ledger from a consumer’s account in the form of a CDR insight.
Dashboard
An accredited data recipient must provide a consumer dashboard for each consumer who has provided a consent in relation to their CDR data (see CDR Rules, subrule 1.14(1)). CDR representatives may provide a consumer dashboard where their CDR representative principal arranges for them to do so (see CDR Rules, subrule 1.14(5)).
Where an insight disclosure consent is provided, the consumer’s dashboard must include a description of the CDR insight and to whom it was disclosed (see CDR Rules, paragraph 1.14(3)(ea)).
In accordance with Privacy Safeguard 10, when an accredited data recipient discloses a CDR insight they must also update each consumer dashboard as soon as practicable to indicate:
- what CDR data was disclosed
- when it was disclosed, and
- the person they disclosed it to (see CDR Rules, subrule 7.9(4)).
Where a CDR representative discloses a CDR insight, this is taken to be a disclosure by their CDR representative principal. This means that, under Privacy Safeguard 10, the CDR representative principal must update the consumer dashboard as soon as practicable to indicate the above details, or otherwise arrange for their CDR representative to do so on its behalf (see CDR Rules, subrule 4.19(2)).
An accredited data recipient (or CDR representative where they provide the dashboard) must also include certain information in the consumer’s dashboard, stating that they can request copies of these records and how to request a copy (see CDR Rules, subrule 1.14(3A)).
Record keeping and reporting
An accredited data recipient must keep and maintain records when it discloses a CDR insight. This includes:
- a copy of each CDR insight it discloses (that is, a copy of the actual insight itself)
- a record of who it disclosed the insight to, and
- a record of when the insight was disclosed (see CDR Rules, paragraph 9.3(2)(ed)).
A CDR representative principal must keep corresponding records relating to disclosures of CDR insights by each of their CDR representatives (see CDR Rules, paragraph 9.3(2A)(hd)). CDR representative principals should consider whether including relevant contractual terms in the CDR representative arrangement would assist them to comply with these record keeping and reporting requirements.
In its regular reports to the Australian Competition and Consumer Commission and the Office of the Australian Information Commissioner, the accredited data recipient must state how many insight disclosure consents it received from consumers during the reporting period (see CDR Rules, subparagraph 9.4(2)(f)(viii)). A CDR representative principal must also include this information in relation to each of its CDR representatives in its regular reports (CDR Rules, subparagraph 9.4(2A)(ix)).