Publication date: 15 January 2024
The sponsored accreditation model allows a person accredited to the ‘sponsored’ level (an ‘affiliate’) to provide goods or services directly to a consumer. To do so, they must have a written contract with an unrestricted accredited person (a ‘sponsor’) who discloses CDR data they hold as an accredited data recipient to the affiliate. The model is intended to provide an alternative to unrestricted accreditation and support a broader array of business arrangements.
The purpose of this page is to assist an entity to understand the privacy obligations they will have if they decide to become accredited to the sponsored level.
It outlines the key privacy obligations for affiliates, which fall under the following topics:
- Written contract
- Requesting a consumer’s CDR data
- Consent
- Liability
- Notification
- CDR policy
- Dashboards
- Third parties
These obligations apply in addition to an affiliate’s own privacy obligations as an accredited person and accredited data recipient (for example, to comply with the privacy safeguards).
For information regarding an affiliate’s accreditation obligations, see the ACCC’s Accreditation Guidelines.
For information on the privacy obligations for sponsors, see Sponsored accreditation model: Privacy obligations of sponsors. For more information on the sponsorship model, see the OAIC’s CDR Privacy Safeguard Guidelines.
Key points
- An affiliate is an entity that has been granted accreditation at the sponsored level and who has a sponsorship arrangement with an unrestricted accredited person (known as the ‘sponsor’).
- The ‘sponsorship arrangement’ is a written contract between a sponsor and their affiliate which meets the minimum requirements set out in CDR Rules, rule 1.10D.
- The sponsorship arrangement must provide for the sponsor to disclose CDR data to their affiliate, in response to a consumer data request from the affiliate.
- An affiliate may collect CDR data from an accredited data recipient or request that their sponsor collect CDR data on their behalf. They cannot collect CDR data from a data holder directly, or engage an outsourced service provider to collect CDR data on their behalf.
- Where an affiliate requested their sponsor collect a consumer’s CDR data, that data is taken also to have been collected by the affiliate. This ensures that limitations on uses and disclosures apply to affiliates.
- In general, as an affiliate and their sponsor are both accredited persons, each entity will be liable in their own right for their handling of CDR data.
- An affiliate may have more than one sponsor at a time.
- For examples of situations in which a sponsorship arrangement could be used, see pages 8–9 of the explanatory statement to the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2021.
- For an overview of the key similarities and differences between entities accredited to the unrestricted level and entities accredited to the sponsored level, see page 6 of the explanatory statement to the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2021.
Written contract
An affiliate must have a written contract with their sponsor that meets the minimum requirements in CDR Rules, subrule 1.10D(1). This written contract is known as a ‘sponsorship arrangement’.
The sponsorship arrangement must provide for the sponsor to disclose CDR data to their affiliate, in response to a consumer data request from the affiliate (CDR Rules, paragraph 1.10D(1)(a)).
The arrangement must also require the affiliate to provide the sponsor with appropriate information and access to their operations as needed for the sponsor to fulfil their obligations as a sponsor (CDR Rules, paragraph 1.10D(1)(b)). The sponsor’s obligations include ensuring the affiliate complies with the minimum information security controls in the CDR Rules.
An affiliate may also include a term in the arrangement for their sponsor to make consumer data requests, or to use or disclose CDR data, at the affiliate’s request (CDR Rules, subrule 1.10D(2)).
An affiliate may enter into multiple sponsorship arrangements (i.e. an affiliate can have more than one sponsor).
Requesting a consumer’s CDR data
There are certain restrictions on when and to whom an affiliate may make a consumer data request (CDR Rules, rule 5.1B).
These restrictions apply in addition to the ordinary restrictions for making a consumer data request (notably, the requirement for an accredited person to have a valid request from the consumer).
An affiliate must not make a consumer data request to collect CDR data unless they have a ‘registered sponsor’ (see CDR Rules, subrules 5.1B(2) and 5.1B(8)). If an affiliate has a registered sponsor, the affiliate may only make a consumer data request in the following ways:
- through their registered sponsor (by making a consumer data request to their sponsor to collect CDR data on their behalf), or
- to an accredited data recipient under CDR Rule 4.7A.
This means that an affiliate may only make a consumer data request to collect CDR data from accredited data recipients (including their registered sponsor). They cannot make a consumer data request to a data holder.
Where an affiliate requested their sponsor collect a consumer’s CDR data, that data is taken also to have been collected by the affiliate (CDR Rules, subrule 7.6(3)). This ensures that limitations on uses and disclosures apply to affiliates.
Consent
An affiliate is responsible for seeking consents from the consumer. This is regardless of whether the affiliate intends to collect the CDR data themselves (from an accredited data recipient) or request their sponsor do so on their behalf.
The consents that an affiliate may seek include collection consents, use consents and disclosure consents. Like all accredited persons, an affiliate must only seek to collect CDR data in response to a valid request from a consumer. The obtaining of consents from a consumer is a key component of a valid request.
Requirements when seeking consent
An affiliate must ask for consents in accordance with Division 4.3 of the CDR Rules. This Division seeks to ensure that consent is voluntary, express, informed, specific as to purpose, time limited, and easily withdrawn.
Where an affiliate intends for their sponsor to collect the consumer’s CDR data, it is still the responsibility of the affiliate to seek the collection consent. When seeking the collection consent, the affiliate must provide the consumer with the following information:
- a statement of the fact that the affiliate’s sponsor will be collecting the consumer’s CDR data
- the sponsor’s name
- the sponsor’s accreditation number
- a link to the sponsor’s CDR policy, and
- a statement that the consumer can obtain further information about the sponsor’s collection of CDR data (and subsequent disclosure of that data to the affiliate) from the sponsor’s CDR policy.
See CDR Rules, subrules 4.3(2B) and 4.11(3). See generally Chapter C (Consent) for further information.
Expiry of consent
In addition to the expiry situations outlined in CDR Rules, rule 4.14, any collection consents given to an affiliate expire upon the affiliate ceasing to have any registered sponsor. However, any use consents and disclosure consents continue in effect (CDR Rules, subrule 5.1B(6)).
This means that if an affiliate ceases to have a registered sponsor, they can no longer rely on previously obtained collection consents, but may continue to use and/or disclose the CDR data in accordance with the relevant consents. The affiliate would be required to notify a consumer of this fact under CDR Rules, rule 4.18A.
Liability
In general, as an affiliate and their sponsor are both accredited persons, each entity will be liable in their own right for their handling of CDR data.
In addition, where a sponsor collects a consumer’s CDR data at the request of their affiliate, that data is taken also to have been collected by the affiliate (CDR Rules, subrule 7.6(3)). This ensures that the limitations on permitted uses and disclosures in Subdivision 7.2.3 apply to affiliates when they have used their sponsor to collect data from data holders.
Notification
An affiliate must notify the consumer of certain matters, as listed below.
- Where a sponsor collects a consumer’s CDR data on behalf of an affiliate, the sponsor and affiliate may decide which of them will be responsible for notifying the consumer of that collection under Privacy Safeguard 5 by updating the consumer dashboard (CDR Rules, subrule 7.4(2)). In addition to the information required by CDR Rules, subrule 7.4(1), the relevant party must ensure that the notification also indicates that the CDR data was collected by the sponsor on behalf of the affiliate.
- An affiliate must also notify the consumer of other matters as set out in Subdivision 4.3.5 of the CDR Rules. See Chapter C (Consent) for further information (‘Notification requirements’). Examples include notification requirements triggered by the receipt of a collection consent, or the amendment/expiry of the collection consent. Because a collection consent given to an affiliate is taken to also have been given to the sponsor, both the affiliate and the sponsor would be required to provide these notifications. However, in such a situation, the CDR Rules provide that the sponsor and affiliate may choose which of them will provide the notification (CDR Rules, rule 4.20A).
Privacy Tip: An affiliate and their sponsor may each be required to notify a consumer of the same matters. Where this occurs, the affiliate may choose for their sponsor to provide the notification only. Where it is the affiliate that has the consumer-facing relationship, or a greater consumer-facing role, it may be preferable for the affiliate, rather than the sponsor, to provide the notification. This will enhance consumer understanding and reduce the risk of confusion.
Where the parties decide that the sponsor will provide the notification/s, the affiliate should consider including an obligation for the sponsor to provide the relevant notification/s as an additional requirement in the sponsorship arrangement (i.e. written contract) between the parties. This will help minimise the risks that both parties provide the notification (which can lead to notification fatigue), or that neither party provides the notification (which would constitute a breach of the relevant CDR Rule or privacy safeguard).
CDR policy
An affiliate must ensure their CDR policy includes a list of their sponsors, and, for each sponsor, information about the nature of the services provided by the sponsor to the affiliate and vice versa (CDR Rules, paragraphs 7.2(4)(b) and 7.2(4)(c)).
Dashboards
An affiliate must provide a consumer dashboard for each consumer who has provided a consent to the affiliate in relation to their CDR data. Where the affiliate is intending for their sponsor to collect the consumer’s CDR data, the affiliate is required to provide the consumer dashboard (CDR Rules, subrules 1.14(1) and 7.4(2)). The consumer dashboard must include the sponsor’s name and accreditation number (CDR Rules, paragraph 1.14(3)(ha)).
Restrictions on engaging third parties
An affiliate must not engage an outsourced service provider to collect CDR data on their behalf (CDR Rules, subrule 5.1B(4)). However, an affiliate may disclose CDR data to an outsourced service provider for the purposes of that provider providing goods or services to the affiliate using that data.
An affiliate must not have a CDR representative (CDR Rules, subrule 5.1B(5)).
Record keeping and reporting
An affiliate must keep and maintain records in relation to their sponsorship arrangements, including records that explain:
- any sponsorship arrangement to which they are a party
- the use and management of CDR data collected by their sponsor under each sponsorship arrangement.
The required records are set out in CDR Rules, paragraph 9.3(2)(i).
An affiliate must prepare and submit a report on a bi-annual basis to the Office of the Australian Information Commissioner and Australian Competition and Consumer Commission that contains the number of sponsorship arrangements to which it was a party during the period (CDR Rules, paragraph 9.4(2)(f)(ix)), and the number of consumer data requests it made to its sponsors and to other accredited persons.
See CDR Rules, rules 9.3 and 9.4 for further general information in relation to records and reporting.