Accredited data recipients are providers that may receive consumer data via Australia’s Consumer Data Right, after a rigorous consent process takes place. Accredited data recipients must meet many legal requirements, including the requirement to only collect and use data they require to provide a product or service. They must also meet IT requirements.
Rigorous consent requirements apply to both the collection and use of Consumer Data Right data. They are governed by the Consumer Data Right Rules.
During the consent process, the accredited data recipient must:
- give the consumer its name and accreditation number
- let the consumer choose which types of data they want to share
- let the consumer choose how long they’d like the data to be shared for, up to a maximum of 12 months
- tell the consumer they can withdraw the consent at any time
- tell the consumer how to withdraw the consent
- give the consumer a Consumer Data Right receipt that includes the details of the consent and the name(s) of the data holder(s) from which the accredited data recipient has collected data.
Consumer Data Right policy
All accredited data recipients must have a Consumer Data Right policy that consumers can easily access.
The Consumer Data Right policy must contain specific information about the provider’s internal dispute resolution processes, including:
- where, when and how a Consumer Data Right consumer can complain
- when the consumer can expect acknowledgment of their complaint
- what information the consumer needs to provide in the complaint
- the accredited data recipient’s process for handling complaints
- how long the stages of the process take
- options for redress
- options for review, both internally (if available) and externally.
An accredited data recipient’s Consumer Data Right policy must also:
- let the consumer know the consequences of withdrawing consent
- include a list of any outsourced service providers that help the accredited data recipient to deliver the product or service (for example, a third-party provider that helps the accredited data recipient to analyse Consumer Data Right data)
- include information about its de-identification and/or deletion process for redundant data.
For more information, see the Consumer Data Right Rules.
Records and reporting
All accredited data recipients must maintain records of Consumer Data Right data. The records must include:
- consents to collect and use Consumer Data Right data provided by Consumer Data Right consumers
- withdrawals of consents by consumers
- notifications of withdrawals of authorisations received from data holders
- Consumer Data Right complaint data
- what data has been collected
- whether a consumer has chosen to have their data deleted
- how the accredited data recipient has used the data
- the process used to ask consumers for their consent
- how the data was identified, how any de-identified data was used and who it was disclosed to
- required information security records
- the accredited data recipient’s terms and conditions
- a copy of the agreement, if the accredited data recipient engages in a data-sharing arrangement with any outsourced service providers. The agreement must include information on how these providers use and manage the data.
Accredited data recipients must submit reports twice a year to the Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC).
Reports must be in the approved format and include:
- a summary of any Consumer Data Right complaints
- information on any new goods or services that the accredited data recipient offers using Consumer Data Right data, with a description of what data is needed for those new goods or services and why
- a description of any material changes to any goods or services since the previous reporting period
- the number of consumer data requests made by the accredited data recipient during the reporting period
- the proportion of consumers who, at the date of the report, had requested their data be deleted.
After accredited data recipients submit their reports, they must then provide a confirmation statement and verification report to the ACCC.
Confirmation statements, also known as attestation statements, must be provided within three months after the first reporting period, and every second reporting period after that.
Verification reports, also known as assurance reports, must be submitted within three months after the second reporting period, and every second reporting period after that.
The security and integrity of the Consumer Data Right system is maintained by 13 privacy safeguards, contained in the Competition and Consumer Act 2010 and supplemented by the Consumer Data Right Rules.
These privacy safeguards are governed by the OAIC and set out the privacy rights and obligations for users of the scheme, including the requirement for informed consent to collect, disclose, hold or use Consumer Data Right data.
The Consumer Data Right Rules outline a five-step process for complying with this requirement:
- Define and implement security governance in relation to Consumer Data Right data, including documentation of information security and management processes and a formal information security policy.
- Define the boundaries of the data environment, including documenting these boundaries.
- Have and maintain an information security capability that complies with the information security controls in the Consumer Data Right Rules.
- Implement a formal controls assessment program to assess the effectiveness of the accredited data recipient’s information security capability.
- Manage and report security incidents, including data security response plans.
Acting on breaches of the Rules
The ACCC and OAIC jointly monitor compliance with the Consumer Data Right regulations and enforce them. They work together to respond to any issues, including taking enforcement action if needed.
For more details on how the ACCC and OAIC undertake compliance and enforcement, view the Compliance and Enforcement Policy below.