Legal obligations for data recipients


Accredited data recipients are providers that may receive consumer data via Australia’s Consumer Data Right, after a rigorous consent process takes place. Accredited data recipients must meet many legal requirements, including the requirement to only collect and use data they require to provide a product or service. They must also meet IT requirements.

Consent requirements 

Rigorous consent requirements apply to both the collection and use of Consumer Data Right data. They are governed by the Consumer Data Right Rules.

During the consent process, the accredited data recipient must:

  • give the consumer its name and accreditation number
  • let the consumer choose which types of data they want to share
  • let the consumer choose how long they’d like the data to be shared for, up to the maximum of 12 months
  • tell the consumer they can withdraw the consent at any time
  • tell the consumer how to withdraw the consent
  • give the consumer a Consumer Data Right receipt that includes the details of the consent and the name(s) of the data holder(s) which the accredited data recipient has collected data from.

For more information, see the Consumer Data Right Rules. You can also view specific requirements for accredited data recipients’ websites and apps on the IT requirements page.

Privacy safeguards

The security and integrity of the Consumer Data Right is upheld by 13 privacy safeguards, contained in the Competition and Consumer Act 2010 and supplemented by the CDR Rules.

The privacy safeguards are regulated by the OAIC and set out the privacy rights and obligations for participants in the CDR. They cover:

  1. open and transparent management of CDR data
  2. anonymity and pseudonymity
  3. seeking to collect CDR data
  4. dealing with unsolicited CDR data from CDR participants
  5. notification of collection
  6. use or disclosure of CDR data
  7. direct marketing
  8. overseas disclosure of CDR data
  9. adoption or disclosure of government identifiers
  10. notification of disclosure
  11. quality of CDR data
  12. security of CDR data and the handling of redundant data
  13. correction of CDR data.

The CDR Privacy Safeguard Guidelines outline how the OAIC interprets and applies the privacy safeguards when exercising its CDR functions and powers.

Consumer Data Right policy

All accredited data recipients must have a Consumer Data Right policy that consumers can easily understand and access. 

A CDR policy is a document that provides information to consumers about how their data will be managed and how they can make an enquiry or a complaint.

For information on how to develop a CDR policy, including what specific content must be included, see the OAIC’s Guide to developing a Consumer Data Right policy.

Records and reporting

All accredited data recipients must maintain records of Consumer Data Right data. The records must include:

  • consents to collect and use Consumer Data Right data provided by Consumer Data Right consumers
  • withdrawals of consents by consumers
  • notifications of withdrawals of authorisations received from data holders
  • Consumer Data Right complaint data
  • what data has been collected
  • whether a consumer has chosen to have their data deleted 
  • how the accredited data recipient has used the data
  • the process used to ask consumers for their consent
  • how the data was identified, how any de-identified data was used and who it was disclosed to
  • required information security records 
  • the accredited data recipient’s terms and conditions
  • a copy of the agreement, if accredited data recipients engage in a data-sharing arrangement with any outsourced service providers. The agreement must include information on the use and management of the data by these providers. 

Accredited data recipients must submit reports twice a year to the Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC). 

Reports must be in the approved format and include:

  • a summary of any Consumer Data Right complaints 
  • information on any new goods or services that the accredited data recipient offers using Consumer Data Right data, with a description of what data is needed for those new goods or services and why 
  • a description of any material changes to any goods or services since the previous reporting period
  • the number of consumer data requests made by the accredited data recipient during the reporting period
  • the proportion of consumers who, at the date of the report, had requested their data be deleted. 

After accredited data recipients submit their reports, they must then provide a confirmation statement and verification report to the ACCC. 

Confirmation statements, also known as attestation statements, must be provided within three months after the first reporting period, and every second reporting period after that. 

Verification reports, also known as assurance reports, must be submitted within three months after the second reporting period, and every second reporting period after that. 

For more information, see the Consumer Data Right Rules. You may also like to download the reporting form template for accredited data recipients. 

Acting on breaches of the Rules

The ACCC and OAIC jointly monitor compliance and enforcement of the Consumer Data Right regulations. They work together to respond to any issues, including taking enforcement action if needed.

For more details on how the ACCC and OAIC undertake compliance and enforcement, view the Compliance and Enforcement Policy.
