Data holders are providers that currently ‘hold’ consumer data. In banking (which is the first industry the Consumer Data Right applies to), the initial data holders are the four major banks: Australia and New Zealand Banking Group Limited (ANZ), Commonwealth Bank of Australia (CBA), National Australia Bank (NAB) and Westpac Banking Corporation (Westpac). Over time all Australian banks will be included in line with the Consumer Data Right timetable.
Data holders need to do two main things under Consumer Data Right. They must:
- transfer a consumer’s data in a machine-readable format when they receive a request via the secure Consumer Data Right system
- publicly release general product data about products they offer, covering interest rates, fees and charges, discounts and other features.
In doing these things, data holders need to meet consent, IT, reporting and security requirements.
As Consumer Data Right rolls out, it will become mandatory for providers to be set up and registered as data holders. Banking is first, followed by the energy sector. In some circumstances, applicants can seek an exemption. You can view the exemption register for details on all exemptions granted by the Australian Competition and Consumer Commission.
Under Consumer Data Right, rigorous consent requirements apply to the collection and use of consumer data. These requirements are governed by the Consumer Data Right Rules and the Data Standards Body’s Consumer Data Standards. You can also view specific requirements for data holders’ websites and apps on the IT requirements page.
- Consumer consents to having their Consumer Data Right data collected and used by an accredited data recipient.
- Accredited data recipient requests the data from the data holder.
- Data holder gets the consumer’s authorisation to disclose the data to the accredited data recipient.
This process serves as a check so consumers can confirm the authorisation details the data holder provides, which must include:
- the name of the accredited data recipient that made the request
- the period for which the data can be collected, including existing data (for example, any data produced before 1 January 2020) and future data that is yet to be produced (for example, any data produced between 1 January 2022 and 30 January 2022)
- the type of data that’s being requested (for example, transaction data from their everyday banking account, or savings history from their term deposit banking account)
- whether the authorisation is for a single use or covers a longer period (and the exact date range) up to the maximum of 12 months
- a statement that their authorisation can be withdrawn at any time and
- instructions on how to withdraw their authorisation.
The consumer can withdraw authorisation at any time either in writing or via the data holder’s website or app.
If the consumer withdraws authorisation, the data holder must action that request as soon as possible, within two business days at the most. The data holder must also notify the accredited data recipient that authorisation has been withdrawn.
The security and integrity of the Consumer Data Right is upheld by 13 privacy safeguards, contained in the Competition and Consumer Act 2010 and supplemented by the CDR Rules.
While most of the privacy safeguards apply to accredited data recipients, there are certain obligations that relate to data holders, including requirements to:
- implement practices, procedures and systems to ensure compliance with the Consumer Data Right
- have a Consumer Data Right policy that provides information to consumers about how they can make an enquiry or complaint and how they can access and correct their data
- notify consumers when their data is disclosed to another provider
- ensure data transferred to another provider is correct, and inform the consumer if incorrect data has been disclosed
- respond to data correction requests by the consumer.
These privacy safeguard obligations for data holders and how to comply are set out in chapters 1, 10, 11 and 13 of the OAIC’s Privacy Safeguard Guidelines.
Consumer Data Right policy
All data holders must have a CDR policy that consumers can understand and access easily.
A CDR policy is a document that provides information to consumers about how they can make an enquiry or complaint, how they can access and correct their data, and whether the data holder accepts requests for voluntary data.
For information on how to develop a CDR policy, including what specific content must be included, see the OAIC's Guide to developing a CDR policy.
Records and reporting
All data holders must maintain records of Consumer Data Right data.
The records must include:
- consumer authorisations to disclose the data
- withdrawals of authorisations to disclose the data
- notifications of withdrawals of consent to collect the data
- disclosures of the data made in response to consumer data requests
- instances when the data has not been disclosed because of an exemption from the obligation to disclose
- Consumer Data Right complaint data.
Data holders must submit reports twice a year to the Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC).
The reports must be in the approved format and contain specific information, including:
- a summary of any Consumer Data Right complaints
- the number of general product data requests, consumer data requests made by consumers, and consumer data requests made by accredited data recipients on behalf of consumers during the reporting period
- the number of data requests that were refused during the reporting period, with information on the rule or data standard on which the refusal was based.
For more information, see the Consumer Data Right Rules, as well as guidance on the reporting forms for product data-related obligations.
You may also like to download the reporting form template for data holders.
General product data and specific consumer data can be used for product comparisons.
Consumer data can also be used for other purposes. For example, a budgeting app that’s been accredited under Consumer Data Right could use a consumer’s banking information to create an accurate budget. Similarly, a small business’s banking data could be used by an accounting app to help them manage their books.
As the Consumer Data Right system develops over time, other innovative uses will emerge.
Acting on breaches of the Rules
The ACCC and OAIC jointly monitor compliance and enforcement of the Consumer Data Right regulations. They work together to respond to any issues, including taking enforcement action if needed.
For more details on how the ACCC and OAIC undertake compliance and enforcement, view the Compliance and Enforcement Policy.