Legal obligations for data recipients

Overview

Accredited data recipients are providers that may receive consumer data via Australia’s Consumer Data Right, after a rigorous consent process takes place. Accredited data recipients must meet strict legal requirements, including the requirement to collect and use only the data they need to provide a product or service. They must also meet IT requirements.

This page provides general guidance only and should not be relied on as a statement of the law. We encourage participants to obtain their own professional advice regarding individual compliance matters to ensure they understand their obligations under the CDR framework.

Consent requirements 

Rigorous consent requirements apply to collection, use and disclosure of Consumer Data Right data. They are governed by the Consumer Data Right Rules.

During the consent process, the accredited data recipient must:

  • give the consumer its name and accreditation number
  • let the consumer choose which types of data they want to share
  • let the consumer choose how long they’d like the data to be shared for, up to a maximum of 12 months
  • tell the consumer they can withdraw the consent at any time
  • tell the consumer how to withdraw the consent
  • give the consumer a Consumer Data Right receipt that includes the details of the consent and the name(s) of the data holder(s) which the accredited data recipient has collected data from
  • tell the consumer about any fees that may apply
  • inform the consumer about their right to have redundant data deleted
  • ensure the consumer is aware of any affiliate and sponsor arrangements that may apply.

The Consumer Data Right Rules specify additional information that must be provided in relation to specific consent types. Accredited data recipients must also have regard to the consumer experience guidelines when designing their consent processes. For more information, refer to Part 4 of the Consumer Data Right Rules. You can also view specific requirements for accredited data recipients’ websites and apps on the IT requirements page.

Privacy safeguards

The security and integrity of the Consumer Data Right is upheld by 13 privacy safeguards, contained in the Competition and Consumer Act 2010 and supplemented in Part 7 of the Consumer Data Right Rules.

The privacy safeguards are regulated by the Office of the Australian Information Commissioner (OAIC) and set out the privacy rights and obligations for participants in the Consumer Data Right. They cover:

  1. open and transparent management of CDR data
  2. anonymity and pseudonymity
  3. seeking to collect CDR data
  4. dealing with unsolicited CDR data from CDR participants
  5. notification of collection
  6. use or disclosure of CDR data
  7. direct marketing
  8. overseas disclosure of CDR data
  9. adoption or disclosure of government identifiers
  10. notification of disclosure
  11. quality of CDR data
  12. security of CDR data and the handling of redundant data
  13. correction of CDR data.

The CDR Privacy Safeguard Guidelines outline how the OAIC interprets and applies the privacy safeguards when exercising its CDR functions and powers.

Consumer Data Right policy

All accredited data recipients must have a Consumer Data Right policy that consumers can easily understand and access. 

A CDR policy is a document that provides information to consumers about how their data will be managed and how they can make an enquiry or a complaint.

For information on how to develop a CDR policy, including what specific content must be included, see the OAIC’s Guide to developing a Consumer Data Right policy.


Records and reporting

All accredited data recipients must maintain records of Consumer Data Right data. The records must include:

  • consents to collect, use or disclose Consumer Data Right data provided by Consumer Data Right consumers
  • amendments to or withdrawals of consents by consumers
  • notifications of withdrawals of authorisations received from data holders
  • Consumer Data Right complaint data, including complaints made by CDR consumers
  • what data has been collected
  • what data has been disclosed
  • whether a consumer has chosen to have their data deleted 
  • how the accredited data recipient has used the data
  • the process used to ask consumers for their consent, including a video of the process
  • how any CDR data was de-identified, how any de-identified data was used and who it was disclosed to
  • required information security records 
  • the accredited data recipient’s terms and conditions
  • details of any CDR outsourced service provider arrangements, sponsorships, or CDR representative arrangements.

For more information on records that must be kept and maintained by accredited data recipients, see rule 9.3(2) of the Consumer Data Right Rules.

Accredited data recipients must submit reports twice a year to the Australian Competition and Consumer Commission (ACCC) and the OAIC. 

Reports must be in the approved format and include:

  • a summary of any Consumer Data Right complaints for the reporting period
  • information on any new goods or services that the accredited data recipient offers using Consumer Data Right data, with a description of what data is needed for those new goods or services and why 
  • a description of any material changes to any goods or services since the previous reporting period
  • the number of consumer data requests made by the accredited data recipient during the reporting period
  • the proportion of consumers who, at the date of the report, had requested their data be deleted.

For more information on reports that must be prepared by accredited data recipients, see rule 9.4 (Reporting) of the Consumer Data Right Rules.

In addition to these reports, accredited data recipients must provide a confirmation statement and a verification report to the ACCC, on alternating reporting periods.

Confirmation statements, also known as attestation statements, must be provided within three months after the first reporting period, and every second reporting period after that. 

Verification reports, also known as assurance reports, must be submitted within three months after the second reporting period, and every second reporting period after that. 

Acting on alleged breaches

The ACCC and OAIC jointly monitor compliance with, and enforce, the Consumer Data Right regulatory framework. They work together to respond to any issues, including by taking enforcement action if needed.

For more details on how the ACCC and OAIC undertake compliance and enforcement, view the Compliance and Enforcement Policy.
