Skip to main content

Please be advised that our office will be closed from 5pm – Tuesday, 24 December, and will reopen on Thursday, 2 January 2025.

Consumer Data Right
  • On this page

Updated: 26 June 2024

Download the Guide to developing a Consumer Data Right policy (PDF, 490 KB)

View the Consumer Data Right policy video

This Guide aims to help data holders, accredited persons and those preparing for accreditation under the Consumer Data Right (CDR) system to prepare and maintain a CDR policy.

This Guide does not apply to the Australian Energy Market Operator Limited (AEMO) in its capacity as a data holder, as AEMO is not subject to Privacy Safeguard 1 in this capacity.[1] Accordingly, unless otherwise indicated, references in this Guide to data holders and CDR entities exclude AEMO.

This Guide sets out a suggested process for developing a CDR policy and outlines the minimum requirements for what must be included.

It also includes a checklist to help you consider all your obligations under the Competition and Consumer Act 2010 (Competition and Consumer Act)[2], the Competition and Consumer (Consumer Data Right) Rules 2020 (CDR Rules) and the Competition and Consumer Regulations 2010 (Competition and Consumer Regulations).

To ensure compliance with your legislative obligations, you should read this Guide together with the full text of Division V of Part IVD of the Competition and Consumer Act, the CDR Rules, Part 2BA of the Competition and Consumer Regulations and the CDR Privacy Safeguard Guidelines[3].

Introduction

All CDR entities must have and maintain a clearly expressed and up-to-date CDR policy.[4] A CDR policy must be a separate document to the general privacy policy.[5]

For this Guide, a ‘CDR entity’ is:

  • a data holder of CDR data (other than AEMO)
  • an accredited person who is or who may become an accredited data recipient of CDR data.[6]

This Guide uses ‘accredited persons’ to refer to accredited persons who are or who may become an accredited data recipient, unless otherwise indicated.

A CDR policy is a document that provides information to consumers about:

  • how CDR data is managed,[7] and
  • how they can make an inquiry or make a complaint.[8]

It is a key tool for ensuring that CDR participants manage CDR data in an open and transparent way.

Privacy Safeguard 1 and CDR Rule 7.2 set out the requirements for what information must be included in a CDR policy, what form it should be in, and how it should be made available.

To help you meet these obligations, this Guide sets out a suggested process for developing a CDR policy and outlines the minimum requirements for what must be included.

There is also a checklist to help you work out if you have considered all your CDR policy obligations.

CDR policy obligations for CDR representatives and outsourced service providers

CDR representatives

As a non-accredited entity, a CDR representative is not directly bound by Privacy Safeguard 1 (including the requirement to have and maintain a CDR policy). However, a CDR representative is required to adopt and comply with their CDR representative principal’s CDR policy in relation to service data,[9] under the terms of the CDR representative arrangement with their CDR representative principal.[10]

A CDR representative principal must ensure the CDR representative complies with the requirements of the CDR representative arrangement and is liable if the CDR representative breaches any of the CDR representative arrangement provisions in CDR Rules, subrules 1.10AA(1), (3) and (4) (including the requirement to adopt and comply with their CDR representative principal’s CDR policy).[11]

Outsourced service providers

Where an OSP is a non-accredited entity, they are not directly bound by Privacy Safeguard 1. However, all OSPs (whether accredited or unaccredited) are required to comply with the OSP principal’s CDR policy as it relates to deletion and de-identification of CDR data and the treatment of redundant or de-identified CDR data as if it were the OSP principal,[12] under the terms of the CDR outsourcing arrangement with their OSP principal.[13]

An OSP chain principal (or if the OSP chain principal is a CDR representative, their CDR representative principal) must ensure its OSPs (including OSPs engaged under further outsourcing arrangements) comply with the requirements of the CDR outsourcing arrangement, and is liable if an OSP breaches any of the CDR outsourcing arrangement provisions required by the CDR Rules.[14] This includes the requirement to comply with the OSP principal’s CDR policy as it relates to deletion and de-identification of CDR data and the treatment of redundant or de-identified CDR data.

For more information relating to OSPs and CDR representatives, see Chapter 1 (Open and transparent management of CDR data) of the CDR Privacy Safeguard Guidelines, and OAIC web guidance on the CDR representative model and CDR outsourcing arrangements.

How the CDR policy interacts with other existing privacy and data protection policies

It is important to understand how your CDR policy interacts with your obligations under the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Privacy Act), or other obligations (for example, those under the European Union General Data Protection Regulation).

Under Privacy Safeguard 1, all CDR entities must have a CDR policy about the entity’s management of CDR data. Many CDR entities will also be APP entities under the Privacy Act.[15] The Privacy Act requires APP entities to have an APP Privacy Policy about how the entity manages personal information (APP 1.3 and 1.4).

Your CDR policy must be distinct from your APP Privacy Policy, or any other existing privacy policies.[16] This means your CDR policy must be a separate document and must expressly address each of the applicable matters listed in Privacy Safeguard 1 and CDR Rule 7.2. For example, it would not be sufficient for a CDR entity to provide a link to its APP Privacy Policy to address how a consumer could make an inquiry or make a complaint (even where that APP Privacy Policy includes identical or substantially similar complaint process information).

Information associated with an individual may be both CDR data and personal information under the Privacy Act (for example, information about the consumer or their use of product). Where an APP entity handles data that is both CDR data and personal information under the Privacy Act, the CDR policy and the APP Privacy Policy should clearly set out whether the privacy safeguards or APPs apply to the consumer’s data. The Privacy Safeguard Guidelines provide guidance on when a privacy safeguard applies instead of an APP.

Privacy tip

There are several differences between the privacy safeguards under the CDR system and the APPs under the Privacy Act. Entities should be cautious about reusing sections of their APP Privacy Policy in a CDR policy, as they may risk breaching their Privacy Safeguard 1 obligations, and creating confusion for consumers.

Steps in developing a CDR policy

This section provides an overview of a suggested six-step process for developing your entity’s CDR policy.

These steps are intended to make it easier for you to meet your CDR policy obligations and to ensure that your CDR policy is genuinely informative and useful for consumers.

  • Step 1: Understand your obligations and how you handle CDR data
  • Step 2: Develop content, structure and presentation
  • Step 3: Write your CDR policy
  • Step 4: Test your CDR policy
  • Step 5: Make your CDR policy available
  • Step 6: Review and update your CDR policy

Step 1: Understand your obligations and how you handle or intend to handle CDR data

The first key step in developing a CDR policy is to ensure you have a clear understanding of what type (or types) of CDR entity you are, which obligations apply to you and how you handle (or intend to handle) CDR data. This includes understanding relevant practices, procedures and systems, and the arrangements you may have with third parties, such as CDR outsourcing arrangements or CDR representative arrangements. This will assist you to accurately and openly describe to your consumers how you will handle CDR data and enable you to deal with inquiries, requests and complaints under the CDR system.

You must include the mandatory requirements set out below under the section What information must be included in a CDR policy?

You must also understand your broader CDR privacy obligations regarding the collection, use and disclosure of CDR data. This will differ based on whether you are a data holder or an accredited person.

Where your entity performs more than one role in the CDR system (for example, as both a data holder and an accredited person), you may either have a single CDR policy that outlines how you handle CDR data in both capacities, or have separate CDR policies for each capacity.

Privacy tip

Having a clear understanding of how you handle CDR data, including relevant practices, procedures and systems, and other arrangements you may have with third parties (such as CDR outsourcing arrangements or CDR representative arrangements) will assist you to accurately and openly describe to your consumers how you manage CDR data and deal with inquiries, requests and complaints under the CDR system.

Step 2: Develop content, structure and presentation

Although the CDR policy must cover all the topics in Privacy Safeguard 1 and CDR Rule 7.2, the information does not have to be presented in that order. You should aim to make the CDR policy as easy as possible for the consumer to find the information that is most important to them.

If you are a data holder and an accredited person and have a single CDR policy for both capacities, it should be clear to the consumer whether a specific section of the CDR policy relates to your capacity as a data holder, an accredited person or both.

Below are some tips to make the content and structure useful and manageable for consumers.

  • Arrange the information in a way that makes sense so that it is easy to follow and intuitive to the reader. The presentation of the information should be clear and reflect your entity’s functions, activities and audience.
  • Focus on key topics that consumers are likely to be most concerned about, unaware of, won’t reasonably expect or may not understand easily.
  • Be as specific as possible about how your entity manages CDR data, as this will provide clarity and build trust. Unqualified use of vague words (such as ‘may’) could lead to concern about uses and disclosures that are not intended.
  • Take a layered approach to providing information about how your entity will handle CDR data, by providing a summary version that focuses on what the consumer should know with a link to the complete CDR policy. This will be particularly effective in the online environment.

Privacy tip

While the CDR policy must be a document,[17] you may also wish to consider other innovative formats or layouts to best communicate your privacy messaging to consumers, such as the use of interactive tables of contents, accordions, infographics, animation or video, or other forms of technology.

Step 3: Write your CDR policy

Once you have a clear idea of how your entity handles CDR data, what must be included in the CDR policy, and the proposed content and structure for your policy, you can begin drafting.

The CDR policy must be clearly expressed.[18]

To ensure the CDR policy is easy to read and understand:

  • use an active voice and simple language — avoid legal jargon, acronyms and terms that may only be understood in-house
  • use short sentences, break up text into paragraphs and group relevant sections together
  • use headings to assist navigation
  • avoid unnecessary length — include only relevant information.

You must also ensure the CDR policy is up-to-date, and that it reflects your current CDR data-handling practices (see Step 6: Review and update your CDR policy for guidance on keeping your CDR policy up-to-date).[19] The CDR policy should not include statements about possible future practices.

Step 4: Test your CDR policy

Test your CDR policy on the target audience or audiences, including likely readers. Where your resources are limited and systematic testing is not possible, you could consider providing it to colleagues from other internal business units to give you an idea of how easy it is to read.

Privacy tip

The CDR policy should be easy to read and understand. You can test this by using external standards, such as the Flesch-Kincaid grade level test. When setting a readability goal, you should consider who your consumers are to ensure your CDR policy suits their level of understanding. Generally, it is good to aim for a lower secondary school reading level.

Step 5: Make the CDR policy available

Your CDR policy must be freely and publicly available for consumers. If you are an accredited person or data holder, the CDR policy must be available through each online service that you ordinarily use to deal with consumers, such as your website or mobile applications.[20] Additionally, you must provide the CDR policy electronically (for example in a word document or pdf) or in hard copy if requested by the consumer.[21] If you are an accredited person with one or more CDR representatives, your CDR policy must also be available through each online service that your CDR representatives ordinarily use to deal with consumers.[22]

Appropriate accessibility measures should also be put in place so that the CDR policy may be accessed by all consumers (including consumers with a vision impairment, or those from a non-English speaking background). It is a good idea to provide information about how to request an accessible copy of the CDR policy in the same locations where consumers can access the policy.

Accredited persons and data holders will be requested to provide a hyperlink to the entity’s CDR policy to the Australian Competition and Consumer Commission.[23]

Privacy tip

The CDR policy should be prominently displayed, accessible and easy to download. For example, a prominent link or icon, displayed on the relevant pages of the website or mobile application, could provide a direct link to the CDR policy.

Step 6: Review and update your CDR policy

As there is a requirement to ensure the CDR policy is to up-to-date, the CDR policy should be reviewed regularly. This will help to ensure that the information in the CDR policy accurately reflects your current CDR data handling practices.[24]

You should review your CDR policy at least annually. You should also review your CDR policy where there are changes to your obligations (e.g. amendments to the CDR Rules), relevant changes to your CDR handling practices or organisation, or when you become aware of errors in the CDR policy. To assist readers, you could also:

  • include the date the CDR policy was last reviewed or updated
  • invite comments on the CDR policy to gain feedback and evaluate its effectiveness, and
  • explain how any comments will be dealt with.

What information must be included in a CDR policy?

Depending on whether you are an accredited person or data holder, there are different matters that need to be covered in your CDR policy.

Categories of information that must be included are:

The sections below cover each of these items in more detail. There is also a checklist at Attachment A below to help you work out whether you have considered all of the relevant requirements.

For further information, see Chapter 1 (Open and transparent management of CDR data) of the CDR Privacy Safeguard Guidelines.

Information about the consumer complaints process — for data holders and accredited persons

Both accredited persons and data holders must have a process to deal with consumer complaints, in the event that a consumer thinks you have not met your CDR related obligations under the Competition and Consumer Act and/or CDR Rules.[25] A CDR consumer complaint means any expression of dissatisfaction made by a CDR consumer to or about a CDR participant (or a CDR representative) that relates to the participant’s CDR compliance obligations,[26] or the goods and services provided to the consumer under the CDR system, for which a response or resolution could be reasonably expected.[27]

The CDR Rules specify that the CDR policy needs to include the following information about your internal dispute resolution processes for complaints relating to the management of CDR data:

  • where, how and when a complaint can be lodged (such as the contact information for lodging a complaint, as well as the circumstances in which a complaint may be lodged)
  • when a consumer should expect an acknowledgment of their complaint
  • the information that the consumer needs to provide
  • the process for handling consumer complaints[28]
  • the time periods associated with the various stages of the complaints process
  • options for redress,[29] and
  • options for review (i.e. review/appeal of the initial handling of a CDR consumer’s complaint) both internally (if available) and externally.[30]

Information on access to and correction of CDR data — for data holders and accredited persons

How to access CDR data

Both accredited persons and data holders must include information for consumers about how they may access their CDR data.[31]

A data holder may receive a request from an accredited person on the consumer’s behalf, or a consumer may make a request directly to the data holder.[32]

A data holder that is a retailer in the energy sector must also ensure that its CDR policy explains how a consumer may access their AEMO data.[33]

The CDR policy should also explain any alternative processes to accessing CDR data to those under the CDR system.

Privacy tip

For data holders who are APP entities, an individual’s right to access their personal information from that entity under the Privacy Act (APP 12) operates alongside the CDR system, and is not replaced by a privacy safeguard.[34] Where the data holder is an APP entity under the Privacy Act, and holds information about an individual that is both personal information (under the Privacy Act) and CDR data, the data holder must continue to provide individuals with access to that information on request under APP 12. This APP 12 access pathway and how it applies to CDR data should be set out in the data holder’s CDR policy.[35]

For further information about the CDR access requirements, see the Guide to privacy for data holders.

How to correct CDR data

Both accredited persons and data holders must include information for consumers about how they can correct their CDR data. The CDR policy should make clear that the consumer has a right to request correction of their CDR data.[36] For data holders, a consumer’s right to request correction under Privacy Safeguard 13 applies once the data holder has previously been required or authorised to disclose the CDR data.[37]

Where a data holder is also an APP entity under the Privacy Act, the data holder should provide additional information in its CDR policy about how a consumer who is an individual may seek correction of their personal information that is also CDR data under APP 13.[38]

A data holder that is a retailer in the energy sector must also ensure that its CDR policy explains how a CDR consumer may correct their AEMO data.[39]

For information about the correction requirements, see Chapter 13 (Correction of CDR data) of the CDR Privacy Safeguard Guidelines and the Guide to privacy for data holders.

Privacy tip

Any preferred procedures for consumers to make access or correction requests should be outlined in the CDR policy. For example, the CDR policy could provide a link to a form, and/or provide the contact details for consumers to make correction requests. However, consumers cannot be required to follow that procedure and entities must respond to correction requests from consumers, regardless of the way in which the request is made.

Specific requirements for data holders — acceptance of voluntary consumer or product data requests

In addition to the requirements set out above, a data holder’s CDR policy must:

  • make clear whether the entity accepts voluntary consumer or product data requests,[40] and
  • state whether the data holder charges fees for such requests (and if so, how consumers can obtain information about those fees).[41]

Specific requirements for accredited persons

In addition to the requirements set out above, an accredited person’s CDR policy must include information about:

More detail on these requirements is set out below.

What CDR data is held, and how it is held?

An accredited person’s CDR policy must refer to the different classes of CDR data that it holds or may hold.[43] This includes CDR data that another entity holds or may hold on the accredited person’s behalf, for example, by an outsourced service provider (OSP).[44]

The classes of CDR data for each sector will be set out in the relevant designation instrument. For example, for the banking sector the designation instrument sets out 3 classes of information: customer information, product use information and information about the product.[45] For the energy sector, the designation instrument sets out 4 classes of information: information about a customer or associate, information about the sale or supply of electricity, information about retail arrangements, and information about retail arrangements (natural gas).[46]

Privacy tip

To support consumer understanding of the different classes of CDR data, the accredited persons could list the types of CDR data they hold or may hold as defined in the Data Language Standards.

The CDR policy must also set out how the CDR data is held. This means providing general information about how CDR data is stored, including CDR data that another entity holds or may hold on the accredited person’s behalf (for example, by an OSP).[47]

Purposes for which CDR data is collected, held, used and disclosed

An accredited person must indicate the purposes for which it does each of the following (with the consumer’s consent): collects, holds, uses or discloses CDR data.[48]

Undertaking general research

If an accredited person wishes to undertake general research[49] using de-identified CDR data, its CDR policy must include:

  • a description of the research to be conducted, and
  • a description of any additional benefit to be provided to the consumer for consenting to the use.

Who CDR data may be disclosed to

An accredited person must include further specific information about disclosures of CDR data to non-accredited entities and entities located overseas, as set out below.

Disclosures to non-accredited entities:
  • Disclosures to any non-accredited entities: If an accredited person intends to disclose CDR data to any non-accredited entity, it must include the circumstances in which the accredited person intends to disclose such data.[50] Disclosures to non-accredited entities include disclosures:
    • to unaccredited direct or indirect OSPs under a CDR outsourcing arrangement[51]
    • to CDR representatives with whom the accredited person has a CDR representative arrangement[52]
    • to trusted advisers with a TA disclosure consent,[53] and
    • of CDR insights to specified persons with an insight disclosure consent.[54]
    • to specified persons with a business consumer disclosure consent.[55]
Disclosures to entities located overseas:
  • Disclosures to any overseas accredited persons: If an accredited person is likely to disclose CDR data to any overseas accredited persons, the CDR policy must state this fact,[56] and must also include the countries where they are likely to be located, where practicable.[57] If there are numerous countries where CDR data may be disclosed, one option would be to list those countries in an appendix or linked document. If it is impractical to list countries, the CDR policy could instead provide general regions.
  • Disclosures to any overseas, non-accredited OSPs (including by any CDR representatives or direct or indirect OSPs): If an accredited person, any CDR representative of the accredited person, or any direct or indirect OSP of either the accredited person or CDR representative is likely to disclose CDR data to an overseas, non-accredited direct or indirect OSP, the CDR policy must include the countries in which such direct or indirect OSPs are likely to be based, if practicable to specify this.[58] If there are numerous countries where CDR data may be disclosed, one option would be to list those countries in an appendix or linked document. If it is impractical to list countries, the CDR policy could instead provide general regions.

Overseas data storage practices

If an accredited person proposes to store CDR data outside of Australia or an external territory, it must specify the countries where it proposes to store the data in the CDR policy.[59]

When consumers will be notified about certain events

An accredited person’s CDR policy must specify the events it will notify the consumer about, in relation to their CDR data.[60]

The events that an accredited person is required to notify the consumer about include:

  • when a consumer gives consent to the person collecting, using and/or disclosing their CDR data[61]
  • when a consumer amends[62] or withdraws consent[63]
  • collection of a consumer’s CDR data[64]
  • disclosure of a consumer’s CDR data to an accredited person[65]
  • ongoing notification requirements about a consumer’s consent[66]
  • notification requirements in relation to the expiry of a CDR consumer’s consent[67]
  • responses to a consumer’s correction request,[68] and
  • any eligible data breaches affecting a consumer under the Notifiable Data Breach Scheme.[69]

Consequences of withdrawing consent

An accredited person must provide a statement in the CDR policy indicating the consequences for the consumer of withdrawing their consent to collect and use CDR data.[70] This may include the details of any early cancellation fees or loss of access to goods or services based on CDR data.

Deletion of CDR data

An accredited data recipient has obligations to destroy or de-identify any redundant CDR data that it holds under Privacy Safeguard 12 and the CDR Rules.

An accredited person must include the following information about the deletion of redundant CDR data in its CDR policy:

  • When redundant CDR data is deleted.[71] An accredited data recipient may be required to delete redundant CDR data, including where:
    • the consumer has elected for their redundant CDR data to be deleted[72]
    • the general policy is to delete redundant CDR data,[73] or
    • it is not possible to de-identify CDR data to the required extent.[74]
  • Elections to delete CDR redundant data. An accredited person must include information about:
    • how a consumer may elect for their redundant CDR data to be deleted[75]
    • how the election operates
    • the effect of an election, and
    • how a consumer may exercise their election.[76]

Note: An accredited person does not need to provide a consumer with an 'election to delete’ where it has a general policy of deleting redundant data, and where it informs the consumer when seeking consent that redundant CDR data will be deleted.[77]

In these circumstances, the CDR policy should outline that consumers do not need to elect for their redundant CDR data to be deleted because the accredited person has a general policy of deleting all redundant data. The CDR policy should also outline that, when seeking consent, the accredited person informs the consumer that their redundant data will be deleted.

  • How redundant CDR data is deleted.[78]
    • An accredited person should include a general description of how redundant CDR data is deleted in a way that is helpful and meaningful to the consumer.[79]

De-identification of CDR data

An accredited person must include the following information about the de-identification of CDR data in its CDR policy:

  • The circumstances in which CDR data is de-identified in accordance with a consumer’s request.[80]
  • The following information about de-identification of CDR data that is not redundant:[81]
    • how de-identified CDR data is used to provide goods or services to consumers[82]
    • the process for de-identification including, a description of techniques that are used to de-identify CDR data,[83] and
    • if de-identified CDR data is ordinarily disclosed to one or more persons:
      • the fact of this disclosure
      • the classes of persons to whom such data is ordinarily disclosed,[84] and
      • the purposes for which de-identified CDR data is disclosed.[85]
  • The following information about de-identification of redundant CDR data:[86]
    • how the entity ordinarily uses any de-identified redundant CDR data, including examples
    • the process for de-identification, including a description of techniques that are used to de-identify CDR data,[87] and
    • if de-identified redundant CDR data is ordinarily disclosed (by sale or otherwise) to one or more persons:
      • the fact of this disclosure
      • the classes of person to whom such data is ordinarily disclosed,[88] and
      • the purposes for which the de-identified data is disclosed. [89]

Information about sponsorship arrangements

Where an accredited person is a sponsor or an affiliate, it must ensure that its CDR policy includes a list of other accredited persons with whom the accredited person has a sponsorship arrangement, and the nature of the services one party provides to the other party under each arrangement.[90]

Information about CDR representative arrangements

Where an accredited person is a CDR representative principal under a CDR representative arrangement, its CDR policy must include:

  • a list of its CDR representatives
  • for each CDR representative, the nature of the goods and services that the CDR representative provides to customers using CDR data.[91]

Information about CDR outsourcing arrangements

Where an accredited person has one or more CDR outsourcing arrangements with OSPs, its CDR policy must include:

  • a list of the direct or indirect OSPs of the accredited person and of any CDR representative (whether based in Australia or overseas, and whether they are accredited or not)[92]
  • specific details about the nature of the services provided by these OSPs (for example, where an OSP is collecting CDR data on the accredited person’s behalf)[93]
  • the CDR data or classes of CDR data that may be disclosed to, or collected by, these OSPs.[94]

Attachment A — Checklist for your CDR policy

General — for all participants

Issue

Questions to consider

A clearly expressed and up-to-date CDR policy

  • Is your CDR policy clearly expressed, in plain English?
  • Does your CDR policy reflect your current practices?
  • Have you planned to undertake a review of your CDR policy?

Form and availability of CDR policy

  • Is your CDR policy in a different document to your privacy policy?
  • Is your CDR policy available free of charge?
Data holders

Issue

Questions to consider

Availability

  • Is your CDR policy readily available on all online platforms where you ordinarily deal with consumers?
  • Does your CDR policy let consumers know that, when requested, you will provide them with a copy of your policy electronically or in hard copy?

Complaints process

  • Does the CDR policy state where, how and when a complaint can be lodged?
  • Does the CDR policy state when a consumer should expect an acknowledgment of their complaint?
  • Does the CDR policy state the information that the consumer needs to provide when making a complaint?
  • Does the CDR policy outline the process for handling consumer complaints?
  • Does the CDR policy outline the time periods associated with various stages throughout the complaints process?
  • Does the CDR policy state the options for redress?
  • Does the CDR policy state the options for review both internally (if available) and externally?

Access to CDR data

  • Does the CDR policy provide information about how a consumer may access their CDR data?
  • If you are an APP entity under the Privacy Act, does the CDR policy state how consumers may seek access to their personal information under APP 12?
  • If you are a retailer in the energy sector, does the CDR policy state how consumers may seek access to their AEMO data?

Correction requests

  • Does the CDR policy provide specific details about how a consumer may correct their CDR data?
  • If you are an APP entity under the Privacy Act, does the CDR policy state how consumers may seek correction of their personal information under APP 13?
  • If you are a retailer in the energy sector, does the CDR policy state how consumers may correct their AEMO data?

Voluntary Consumer Data

  • Does the CDR policy state whether you accept requests for voluntary consumer or product data?
  • If so, are details about how fees can be obtained also provided?
Accredited persons

Issue

Questions to consider

Availability

  • Is your CDR policy readily available on all online platforms where you ordinarily deal with consumers?
  • If you have a CDR representative, is your CDR policy available on all the online platforms through which it ordinarily deals with consumers?
  • Does your CDR policy let consumers know that, when requested, you will give them a copy of your policy electronically or in hard copy?

Complaints process

  • Does the CDR policy state where, how and when a complaint can be lodged?
  • Does the CDR policy state when a consumer should expect an acknowledgment of their complaint?
  • Does the CDR policy state the information that the consumer needs to provide when making a complaint?
  • Does the CDR policy outline the process for handling consumer complaints?
  • Does the CDR policy outline the time periods associated with various stages throughout the complaints process?
  • Does the CDR policy state the options for redress?
  • Does the CDR policy state the options for review (both internally, if available) and externally?

Classes of CDR data held

  • Does the CDR policy state the classes of CDR data you hold or may hold?
  • Does the CDR policy state the classes of CDR data that other entities hold or may hold on your behalf?
  • Does the CDR policy state how CDR data is held?
  • Does the CDR policy state how CDR data is held by any other entities that hold or may hold CDR data on your behalf?

Purpose of CDR data handling

  • Are the purposes for which you collect, hold, use or disclose the CDR with the consent of the consumer made clear?

General research

  • Does the CDR policy clarify whether any CDR data   will be used for general research purposes? If so, does it provide a description of the research to be conducted and detail the additional   benefits for a consumer consenting to this use?

Access to CDR data

  • Does the CDR policy provide information about how a consumer may access their CDR data?

Correction requests

  • Does the CDR policy provide specific details about how consumers may correct their CDR data?

Disclosure

Any non-accredited entities

  • If you intend to disclose CDR data to any non-accredited entities (including OSPs), does your CDR policy include the circumstances in which you intend to disclose CDR data?

Overseas accredited persons

  • If you are likely to disclose CDR data to any accredited persons located overseas, does your CDR policy state this fact and include the countries where they are likely to be located?

Overseas non-accredited OSPs

  • If you, or any of your CDR representatives, or any direct or indirect OSPs of your entity or your CDR representatives, are likely to disclose CDR data to any non-accredited OSPs located overseas, does   your CDR policy include the countries where the direct or indirect OSPs are likely to be located?

Withdrawal of consent

  • Does your CDR policy include a statement explaining the consequences to the consumer if they withdraw their consent to collect or use CDR data?

Storage

  • Does your CDR policy provide a list of countries where you intend to store CDR data other than in Australia or an external territory?

Notification

  • Does your CDR policy contain information about when and in what circumstances you will provide a notification to the consumer?

Deletion of CDR data

  • Does your CDR policy include information about the circumstances in which you delete redundant CDR data?
  • Does your CDR policy include information about how a consumer may elect for their redundant CDR data to be deleted, including how the election operates and the effect of an election?
  • Does your CDR policy include information about how you delete redundant data?

De-identification of CDR data

  • Does your CDR policy include information about the   circumstances in which you must de-identify CDR data at a consumer’s request?
  • If applicable, does your CDR policy include information about the specified matters, including how de-identified   redundant data is ordinarily used?
  • If applicable, does your CDR policy include information about the specified matters, including how you use de-identified   CDR data that is not redundant?

CDR outsourcing arrangements

  • If you or your CDR representatives have any   outsourcing arrangements, does your CDR policy set out a list of your direct and indirect OSPs, and any direct and indirect OSPs of your CDR   representatives?
  • Does your CDR policy set out the nature of the services each of these OSP provides, and the CDR data or classes of CDR data that may be disclosed to, or collected by, each provider?

Sponsorship arrangements

  • If you are an affiliate or a sponsor, does your CDR   policy set out a list of other accredited persons with whom you have a sponsorship arrangement, and the nature of the services one party provides to   the other under each arrangement?

CDR representative arrangements

  • If you are a CDR representative principal, does your CDR policy set out a list of the representatives with whom you have a CDR representative arrangement, and the nature of the goods and services that the representatives provide to consumers using CDR data?

[1]Competition and Consumer Regulations, paragraph 28RA(2)(a)(i).

[2]The privacy safeguards are set out in the Competition and Consumer Act, Part IVD, Division V.

[3] The CDR Privacy Safeguard Guidelines provide guidance on the privacy safeguards and related CDR Rules.

[4] Section 56ED(3) of the Competition and Consumer Act.

[5] CDR Rules, subrule 7.2(2).

[6]An accredited person ‘may become’ an accredited data recipient when it is seeking to collect CDR data. This means that an accredited person must ensure that it has a CDR policy before it seeks to collect CDR data.

[7] Competition and Consumer Act, paragraph 56ED(3)(a).

[8]See Competition and Consumer Act, paragraphs 56ED(4)(b) (for data holders), 56ED(5)(d) (for accredited persons).

[9] CDR Rules, paragraph 1.10AA(4)(f). Note that a CDR representative will also have obligations under Australian Privacy Principle 1 (open and transparent management of personal information) in the Privacy Act if they are an APP entity.

[10] A CDR representative arrangement is a written contract between a CDR representative and their CDR representative principal. The requirements for this arrangement are outlined in CDR Rules, rule 1.10AA.

[11] CDR Rules, rule 1.16A.

[12]CDR Rules, paragraph 1.10(3)(b)(i)(A).

[13] A CDR outsourcing arrangement is a written contract between an OSP principal and their provider that meets the minimum requirements listed in CDR Rules, subrule 1.10(3).

[14]CDR Rules, rule 1.16.

[15]The Privacy Act 1988 covers most Australian Government agencies and organisations with an annual turnover of more than $3 million, which includes any accredited person or data holders that meet this threshold. It also covers all accredited persons under the CDR system in relation to information is that is personal information but is not CDR data. See Privacy Act, subsection 6E(1D).

[16] CDR Rules, subrule 7.2(2).

[17] CDR Rules, subrule 7.2(2).

[18] Subsection 56ED(3) of the Competition and Consumer Act.

[19] Subsection 56ED(3) of the Competition and Consumer Act.

[20] Competition and Consumer Act, subsection 56ED(7) and CDR Rules, subrule 7.2(8).

[21] Competition and Consumer Act, subsection 56ED(8) and CDR Rules, subrule 7.2(9).

[22] CDR Rules, subrule 7.2(8). Note that a CDR representative is required to adopt and comply with its CDR representative principal’s CDR policy (CDR Rules, paragraph 1.10AA(4)(f)).

[23] CDR Rules, paragraphs 5.24(i)(ii) and 5.25(1)(b)(ii)(B). In addition, under CDR Rule 5.14, accredited persons are also required to notify the ACCC if there is a change to, or the accredited person becomes aware of, an error in the link to the CDR policy previously provided.

[24] Competition and Consumer Act, subsection 56ED(3).

[25]Competition and Consumer Act, subsections 56ED(4)(b) and (5)(d) and CDR Rules, subrule 7.2(6).

[26] Compliance with Part IVD of the CCA, the CDR rules or binding data standards.

[27] See CDR Rules, rule 1.7 for the meaning of ’CDR consumer complaint’.

[28] Internal dispute resolution requirements are set out in the CDR Rules. See CDR Rules, subrule 5.12(1) (for accredited persons) and rule 6.1 for data holders as well as the sector specific internal dispute resolution requirements set out in the relevant sector Schedule (clause 5.1 of Schedule 3 (for the banking sector) and clause 5.1 of Schedule 4 (for the energy sector).

[29]‘Redress’ in this context means options for remedy, rather than options for review. This could include resolution options such as correction, apology, etc.

[30]CDR Rules, subrule 7.2(6). The CDR policy should clearly state the fact that a complaint may be taken to a recognised external dispute resolution scheme and provide the name of the relevant external dispute resolution scheme. The CDR policy should also state that a complaint may be taken to the Office of the Australian Information Commissioner. In addition, it is good practice for a CDR policy to outline the procedures and contact details for complaining to these external complaint bodies.

[31] Competition and Consumer Act, paragraphs 56ED(5)(c) and 56ED(4)(a).

[32] For the banking sector, a data holder’s obligations under Part 3 of the CDR Rules (regarding consumer data requests made by consumers) have not yet commenced: clause 6.6 of Schedule 3 to the CDR Rules. Part 3 does not apply in relation to energy sector data: clause 8.5 of Schedule 4 to the CDR Rules.

[33]Competition and Consumer Regulations, paragraph 28RA(3)(a).

[34]However, APP 12 does not apply to an accredited data recipient of CDR data, in relation to that data (Competition and

Consumer Act, paragraph 56EC(4)(a).

[35] Note: APP entities only have APP 12 obligations in relation to consumers who are individuals (not businesses).

[36] Competition and Consumer Act, paragraphs 56ED(4)(a) and 56ED(5)(c).

[37] Competition and Consumer Act, paragraph 56EP(1)(c).

[38] Where a data holder has not previously been required or authorised to disclose a consumer’s CDR data, a consumer is unable to make a correction request under Privacy Safeguard 13. However, where the data holder is an APP entity, the consumer will be able to make a correction request under APP 13. This is because APP 13 will continue to apply to CDR data that is personal information in all other circumstances. For further information, see Chapter 13 (Correction of CDR data) of the CDR Privacy Safeguard Guidelines.

[39] Competition and Consumer Regulations, paragraph 28RA(3)(a).

[40]CDR Rules, paragraph 7.2(3)(a). Voluntary product data means CDR data for which there are no consumers that is not required product data (clause 3.1 of Schedule 3, and clause 3.1 of Schedule 4, to the CDR Rules). Voluntary consumer data means CDR data for which there are consumers that is not required consumer data (clause 3.2 of Schedule 3, and clause 3.2 of Schedule 4 to the CDR Rules).

[41]CDR Rules, paragraph 7.2(3)(b).

[42] Competition and Consumer Act, subsection 56ED(5)(i) and CDR Rules, subrule 7.2(4)(j).

[43] Competition and Consumer Act, paragraph 56ED(5)(a).

[44]An accredited person (other than those with sponsored accreditation) who is an OSP chain principal may engage a third party to seek to collect CDR data on their behalf in accordance with the CDR Rules. For further information, see CDR Rules, paragraph 1.10(3)(a)(i) and Chapter 3 (Seeking to collect CDR data from CDR participants) of the CDR Privacy Safeguard Guidelines.

[45] See sections 6-8 of the Consumer Data Right (Authorised Deposit‑Taking Institutions) Designation 2019.

[46] See sections 7-10 of the Consumer Data Right (Energy Sector) Designation 2020.

[47]Subsection 4(1) of the Competition and Consumer Act provides that a person ‘holds’ information if they have possession or control of a record within the meaning of the Privacy Act. If a person has a right or power to deal with particular data, the person has effective control of the data and therefore ‘holds’ the data. See Chapter B (Key Concepts) of the CDR Privacy Safeguard Guidelines for further information about the meaning of ‘holds’.

[48] Competition and Consumer Act, paragraph 56ED(5)(b).

[49] CDR Rules, paragraph 7.2(4)(h). General research relates to research an accredited data recipient wishes to undertake using de-identified CDR data, that does not relate to the provision of goods or services to any particular consumer. CDR Rules, paragraph 7.5(1) (b)(i) permits the use of CDR data for general research, where it is in accordance with a current de-identification consent, and de-identified in accordance with the CDR data de-identification processes.

[50] Competition and Consumer Act, paragraph 56ED(5)(g).

[51] Note that an accredited person must also include in its CDR policy further details about its direct and indirect OSPs of the accredited person and any CDR representatives – see CDR Rules, paragraphs CDR Rules, paragraphs 7.2(4)(f) – (g).

[52]Note that an accredited person who is a CDR representative principal also needs to include in its CDR policy details of CDR representative arrangements – see CDR Rules, paragraphs 7.2(4)(d) – (e).

[53] See CDR Rules, subparagraph 1.10A(1)(c)(iii) for information about TA disclosure consents.

[54] See CDR Rules, subparagraph 1.10A(1)(c)(iv) and subrule 1.10A(3) for information about insight disclosure consent.

[55]See CDR Rules, subparagraph 1.10A(1)(c)(v), paragraph 1.10A(2)(h) and subrules 1.10A(10) and (11) for information about business consumer disclosure consents.

[56] Competition and Consumer Act, paragraph 56ED(5)(e).

[57] Competition and Consumer Act, paragraphs 56ED(5)(e)-(f).

[58] CDR Rules, paragraph 7.2(4)(i).

[59] CDR Rules, subrule 7.2(7).

[60] Competition and Consumer Act, paragraph 56ED (5)(h).

[61]CDR Rules, paragraph 4.18 (1)(a). See Chapter C (Consent) of the CDR Privacy Safeguard Guidelines.

[62] CDR Rules, paragraph 4.18 (1)(aa). See Chapter C (Consent of the CDR Privacy Safeguard Guidelines.

[63] CDR Rules, paragraph 4.18 (1)(b). See Chapter C (Consent)  of the CDR Privacy Safeguard Guidelines.

[64]CDR Rules, rule 7.4. See Chapter 5 (Notifying of collection of CDR data) of the CDR Privacy Safeguard Guidelines.

[65] CDR Rules, subrule 7.9(2) See Chapter 10 (Notifying of the disclosure of CDR data) of the CDR Privacy Safeguard Guidelines).

[66] CDR Rules, rule 4.20. See Chapter C (Consent) of the CDR Privacy Safeguard Guidelines.

[67] CDR Rules, rule 4.18A.

[68] CDR Rules, rule 7.15. See Chapter 13 (Correction of CDR data) of the CDR Privacy Safeguard Guidelines.

[69]See Chapter 12 (Security of CDR data and destruction and de-identification of redundant CDR data) of the CDR Privacy Safeguard Guidelines, s 56ES of the Competition and Consumer Act, and Part IIIC, Division 3 of the Privacy Act. Further information is available on the OAIC’s Notifiable Data Breaches scheme webpage.

[70] CDR Rules, paragraph 7.2(4)(a).

[71] CDR Rules, paragraph 7.2(4)(k)(i). See also para 56ED(5)(i) of the Competition and Consumer Act.

[72] A consumer who gave a consent for an accredited person to collect and use CDR data may elect that the CDR data, and any data derived from it, be deleted when it becomes redundant CDR data: CDR Rules, rule 4.16. See Chapter C (Consent) and Chapter 12 (Security of CDR data and destruction of de-identification of redundant CDR data) of the CDR Privacy Safeguard Guidelines for further information.

[73] Where an accredited data recipient advised the consumer of a general policy of deletion, the accredited data recipient must delete the redundant CDR data, even if its general policy has since changed. See Chapter 12 (Security of CDR data and destruction of de-identification of redundant CDR data) of the CDR Privacy Safeguard Guidelines for further information.

[74]CDR Rules, subrule 1.17(4). See Chapter 12 (Security of CDR data and destruction of de-identification of redundant CDR data) of the CDR Privacy Safeguard Guidelines for further information about de-identification of CDR data and the ‘required extent’.

[75] CDR Rules, paragraph 7.2(4)(k)(ii).

[76] CDR Rules, paragraph 7.2(4)(m). A consumer’s right to elect for their redundant CDR data to be deleted is contained in CDR Rules, rule 4.16. See Chapter C (Consent) and Chapter 12 (Security of CDR data and destruction of de-identification of redundant CDR data) of the CDR Privacy Safeguard Guidelines for further information about this right.

[77]CDR Rules, subrule 4.16(3).

[78]CDR Rules, paragraph 7.4(k)(iii).

[79] This could include whether redundant CDR data is irretrievably destroyed, reference to any applicable standards, how the accredited person manages hard copy information, how it confirms third party deletion and whether back-ups are secured. Part B of the OAIC’s Guide to securing personal information outlines questions entities should consider when destroying personal information. Also see Chapter 12 of the CDR Privacy Safeguard Guidelines for information on the CDR deletion process.

[80] Competition and Consumer Act, paragraph 56ED(5)(i). A consumer may provide consent for an accredited data recipient to de-identify their CDR data for the purpose of disclosure (including selling) and/or for use in general research (see CDR Rules, paragraphs 1.10A(1)(e) and 7.5(1)(aa).  Where the accredited data recipient seeks or intends to seek a de-identification consent, it must provide certain information about de-identification in its CDR policy as outlined in CDR Rules, paragraph 7.2(4)(j).

[81] These requirements are contained in CDR Rules, paragraph 7.2(4)(j) and subrule 7.2(5). Examples where this would be applicable include where the accredited data recipient intends to use de-identified CDR data for general research, and/or disclose (including by selling) the de-identified data in accordance with a de-identification consent. See CDR Rules, paragraphs 1.10A(1)(e) and 7.5(1)(aa).

[82]CDR Rules, paragraph 7.2(4)(j)(i).

[83]CDR Rules, paragraph 7.2(5)(a). The aim of this requirement is to give consumers greater transparency. This should therefore include a general description of how redundant CDR data is de-identified, with the aim being to assist consumers to understand how the entity gives effect to this de-identification obligation, in a way that is helpful and meaningful to them.

[84]In the context of the CDR policy, ‘classes of persons’ means the types of entities or persons an accredited data recipient usually discloses de-identified data to (‘classes of persons’ is not defined in the CDR system. Accordingly, it has its ordinary meaning). Entities or persons do not need to be listed individually in the CDR policy, but should be described with enough specificity so that the consumer can understand the nature of those parties who will hold or have access to de-identified data.

[85] CDR Rules, paragraph 7.2(5)(b)(i)-(iii).

[86]These requirements are contained in CDR Rules, paragraph 7.2(4)(l) and subrule 7.2(5).

[87] CDR Rules, paragraph 7.2(5)(a). The aim of this requirement is to give consumers greater transparency. Therefore this should include a general description of how redundant CDR data is de-identified, with the aim being to assist consumers to understand how the entity gives effect to this de-identification obligation, in a way that is helpful and meaningful to them.

[88] In the context of the CDR policy, ‘classes of persons’ means the types of entities or persons an accredited data recipient usually discloses de-identified data to (‘classes of persons’ is not defined in the CDR system. Accordingly, it has its ordinary meaning). Entities or persons do not need to be listed individually in the CDR policy, but should be described with enough specificity so that the consumer can understand the nature of those parties who will hold or have access to de-identified data.

[89] CDR Rules, paragraph 7.2(5)(b).

[90] CDR Rules, paragraphs 7.2(4)(b) - (c).

[91] CDR Rules, paragraphs 7.2(4)(d) and (e).

[92] CDR Rules, paragraph 7.2(4)(f).

[93] CDR Rules, paragraph 7.2(4)(g)(i).

[94] CDR Rules, paragraph 7.2(4)(g)(ii). The ‘classes of CDR data’ are set out in the designation instrument for the relevant sector. In the banking sector, the designation instrument sets out three classes of information: customer information, product use information and information about a product. In the energy sector, the designation instrument sets out four classes of information: customer or associate information, information about the sale or supply of electricity, information about retail arrangements, and information about retail arrangements (natural gas).

Version changes

Version

Currency dates

Changes and other comments

1.0

12-Jun-2020 to 22-Sep-2021

-

2.0

23-Sep-2021 to 22-Dec-22

Updated guidance to reflect amendments to Part IVD of the Competition and Consumer Act 2010 introduced by the Treasury Laws Amendment (2020 Measures No. 6) Act 2020, including changes to reflect that Privacy Safeguard 1 (including the requirement to have a CDR policy) applies to accredited persons who are or who may become an accredited data recipient.

Updated guidance on what information must be included in an entity’s CDR policy to reflect amendments to the Competition and Consumer (Consumer Data Right) Rules 2020 (CDR Rules) introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, including that information about undertaking general research must be included in a CDR policy.

Updated guidance on the information a CDR policy must provide about who CDR data may be disclosed to, to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2020, that allows an outsourced service provider to collect CDR data.

New guidance on the interaction between the CDR policy and existing privacy and data protection policies.

New guidance on having a CDR policy where an entity performs more than one role in the CDR system (for example, where the entity is a data holder and an accredited person).

Updated privacy tip on ensure the CDR policy is easily read and understood.

Clarifications to guidance, including:

  • that   an accredited person’s CDR policy must include information about the CDR data   that another entity holds or may hold on the accredited person’s behalf (for   example, an outsourced service provider)
  • information   about the de-identification CDR data in a CDR policy.

3.0

22-Dec-22 to – 26 Jun-24

Updated guidance to reflect amendments to the CDR Rules made by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2021, Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2021 and Competition and Consumer Amendment (Consumer Data Right) Regulations 2021 including:

  • new   CDR policy content requirements for accredited persons in relation to   sponsorship and CDR representative arrangements
  • a   requirement for accredited persons to make their CDR policy readily available   through online services of their CDR representatives
  • additional   guidance and context related to the expansion of CDR into the energy sector,   including a requirement for energy retailer data holders to explain how a CDR   consumer may access and correct their AEMO data
  • additional   detailed guidance about CDR policy requirements.

4.0

26-Jun-24 to …

Updated guidance to reflect amendments to the CDR Rules made by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2023 including:

  • updated   terminology to reflect amendments in relation to CDR outsourcing arrangements   and CDR representative arrangements
  • new   and amended CDR policy content requirements for accredited persons regarding   disclosure, outsourcing arrangements and sponsorship arrangements
  • that   businesses may consent to accredited data recipients sharing their CDR data   with specified persons who are not accredited under a business disclosure   consumer consent.

Updated guidance on:

  • the   interaction between CDR policies and existing APP privacy policies
  • CDR   policies for entities who are both a data holder and an accredited person
  • ensuring   CDR policies are up-to-date (including that CDR policies must reflect current   CDR data-handling practices, and not possible future practices)
  • the   meaning of CDR consumer complaints
  • information   CDR policies need   to include about internal dispute resolution processes for complaints   relating to the management of CDR data
  • providing   information in CDR policies about alternative access pathways to CDR data
  • providing   information in CDR policies on the election to delete redundant data (where   an accredited person has a general policy of deleting redundant data).

Guidance for designated gateways has been removed as there are currently no designated gateways in the banking sector or energy sector.