-
On this page
Publication date: 15 January 2024
The sponsored accreditation model allows a person accredited to the ‘sponsored’ level (an ‘affiliate’) to provide goods or services directly to a consumer. To do so, they must have a written contract with an unrestricted accredited person (a ‘sponsor’) who discloses CDR data they hold as an accredited data recipient to the affiliate. The model is intended to provide an alternative to unrestricted accreditation and support a broader array of business arrangements.
The purpose of this page is to assist accredited persons to understand the privacy obligations they will have if they decide to become a sponsor. It outlines the key privacy obligations for sponsors, which fall under the following topics:
- Written contract
- Disclosure
- Notification
- CDR policy
- Record keeping and reporting
These privacy obligations apply in addition to a sponsor’s own privacy obligations as an accredited person and accredited data recipient (for example, to comply with the privacy safeguards).
A sponsor must also comply with specific obligations in Schedule 1, clause 2.2 of the CDR Rules, including in relation to undertaking due diligence, and in relation to their affiliate’s compliance with information security requirements. Further information on these conditions is available in the ACCC’s Accreditation guidelines.
For information on the privacy obligations for affiliates, see Sponsored accreditation model: privacy obligations of an affiliate. For more information on the sponsorship model, see the OAIC’s CDR Privacy Safeguard Guidelines.
Key points
- A sponsor is a person accredited at the unrestricted level who has entered into a written contract (‘sponsorship arrangement’) with an affiliate that contains the requirements set out in CDR Rules, rule 1.10D.
- The role of the sponsor is to disclose CDR data to their affiliate so that the affiliate may use that data to provide goods or services directly to a consumer. The sponsor may also collect CDR data on behalf of their affiliate, and use or disclose CDR data at the request of their affiliate.
- A sponsor must also comply with specific obligations in Schedule 1, clause 2.2 of the CDR Rules, including in relation to undertaking due diligence, and in relation to their affiliate’s compliance with information security requirements.
- In general, as a sponsor and their affiliate are both accredited persons, each entity will be liable in their own right for their handling of CDR data.
- For examples of situations in which a sponsor could engage an affiliate, see pages 8–9 of the explanatory statement to the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2021.
Written contract
A sponsor must have a written contract with their affiliate that meets the minimum requirements in CDR Rules, subrule 1.10D(1). This written contract is known as a ‘sponsorship arrangement’.
The sponsorship arrangement must provide for the sponsor to disclose CDR data that it holds as an accredited data recipient, to their affiliate, in response to a consumer data request from the affiliate (CDR Rules, paragraph 1.10D(1)(a)).
The arrangement must also require the affiliate to provide the sponsor with appropriate information and access to their operations as needed for the sponsor to fulfil their obligations (CDR Rules, paragraph 1.10D(1)(b)). The sponsor’s obligations include ensuring the affiliate complies with the minimum information security controls in the CDR Rules.
The arrangement may also provide for the sponsor to make consumer data requests, or to use or disclose CDR data, at their affiliate’s request (CDR Rules, subrule 1.10D(2)). Where a sponsor makes a consumer data request, or uses or discloses CDR data at their affiliate’s request, the sponsor remains liable for their own conduct and must ensure they comply with the relevant CDR Rules and privacy safeguards. For example, a sponsor can only use or disclose CDR data at an affiliate’s request where that request is permitted under Privacy Safeguards 6, 7, 8 and 9 and is in accordance with the relevant consumer’s consent.
Privacy tip: Where the parties decide to provide for the sponsor to make consumer data requests at their affiliate’s request, the sponsor should consider an additional term in the written contract that requires the affiliate to provide the sponsor with evidence that the affiliate has obtained the consents required for a ‘valid request’ under CDR Rules, rule 4.3. This will ensure that a sponsor does not collect CDR data in breach of Privacy Safeguard 3.
A sponsor may enter into multiple sponsorship arrangements (i.e. can have more than one affiliate).
Disclosure
A sponsor may disclose CDR data to the affiliate for the following purposes, being so that the affiliate can:
- use CDR data to provide goods or services requested by the consumer in compliance with the data minimisation principle and in accordance with a current use consent from the consumer (other than a direct marketing consent) (CDR Rules, paragraphs 7.5(1)(f), 7.5(1)(a))
- de-identify CDR data in accordance with the CDR Rules to use for general research and/or for disclosing (including by selling) the de-identified data, in accordance with a current de-identification consent from the consumer (CDR Rules, paragraphs 7.5(1)(f), 7.5(1)(b))
- directly or indirectly derive CDR data from the collected CDR data in accordance with the above purposes (CDR Rules, paragraphs 7.5(1)(f), 7.5(1)(c))
- disclose to the consumer any of their CDR data for the purpose of providing the goods or services requested by the consumer (CDR Rules, paragraphs 7.5(1)(f), 7.5(1)(d)), or
- subject to rule 7.5A, disclose the CDR consumer’s CDR data in accordance with a current disclosure consent (CDR Rules, paragraphs 7.5(1)(f), 7.5(1)(e)).
When disclosing CDR data to their affiliate, the sponsor must disclose CDR data only to the extent reasonably needed for each of these purposes.
A sponsor is not permitted under the CDR Rules to disclose CDR data to their affiliate for any direct marketing purposes.
See Privacy Safeguard 6 and CDR Rule 7.5.
Notification
A sponsor must provide the consumer with the following notifications:
- Where a sponsor collects a consumer’s CDR data on behalf of an affiliate, the sponsor and affiliate may decide which of them will be responsible for notifying the consumer of that collection under Privacy Safeguard 5 by updating the consumer dashboard.[1] In addition to the information required by CDR Rule, subrule 7.4(1),[2] the dashboard must also indicate that the CDR data was collected by the sponsor on behalf of the affiliate (CDR Rules, paragraph 7.4(2)).
- A sponsor must also notify the consumer of other matters as set out in subdivision 4.3.5 of the CDR Rules. See Chapter C (Consent) for further information (‘Notification requirements’). Examples include notification requirements triggered by the receipt of a collection consent, or the amendment/expiry of the collection consent. Because a collection consent given to an affiliate is taken to also have been given to the sponsor, both the affiliate and the sponsor would be required to provide these notifications. However, in such a situation, the CDR Rules provide that the sponsor and affiliate may choose which of them will provide the notification (CDR Rules, rule 4.20A).
Privacy tip: A sponsor and their affiliate may each be required to notify a consumer of the same matters. Where this occurs, the sponsor may choose for their affiliate to provide the notification only. Where it is the affiliate that has the consumer-facing relationship, or a greater consumer-facing role, it may be preferable for the affiliate, rather than the sponsor, to provide the notification. This will enhance consumer understanding and reduce the risk of confusion.
Where this option is chosen, the sponsor should consider including an obligation for the affiliate to provide the relevant notification/s as an additional requirement in the written contract between the parties. This will help minimise the risks that both parties provide the notification (which can lead to notification fatigue), or that neither party provides the notification (which would constitute a breach of the relevant CDR Rule or privacy safeguard).
CDR policy
A sponsor must ensure their CDR policy includes a list of their affiliates, and, for each affiliate, information about the nature of the services provided by the affiliate to the sponsor and vice versa (CDR Rules, paragraphs 7.2(4)(b), 7.2(4)(c)).
Record keeping and reporting
A sponsor must keep and maintain records in relation to their sponsorship arrangements, including records that explain:
- any sponsorship arrangement to which they are a party
- the use and management of the CDR data provided to, or collected by, their affiliates under each sponsorship arrangement.
The required records are set out in CDR Rules, paragraph 9.3(2)(i).
A sponsor must prepare and submit a report on a bi-annual basis to the Office of the Australian Information Commissioner and Australian Competition and Consumer Commission that contains information including the number of sponsorship arrangements to which it was a party during the period (CDR Rules, subparagraph 9.4(2)(f)(ix)), and the number of consumer data requests it made and received in its capacity as a sponsor (CDR Rules, subparagraph 9.4(2)(f)(i) and (iii)).
See CDR Rules, rules 9.3 and 9.4 for further general information in relation to records and reporting.