This is a cut-down version of the ACCC’s Privacy Policy, focussing specifically on privacy issues relating to the Consumer Data Right. For further information please refer to the ACCC’s full-form Privacy Policy.

Purpose and scope

The purpose of this policy is to provide information about:

  • what personal information we collect
  • how we handle that information
  • how you can access your personal information or make a complaint about our handling of your personal information.

We are subject to the Privacy Act 1988 (Privacy Act) and the Australian Privacy Principles (APPs) contained in Schedule 1 of the Privacy Act. The APPs set out the manner in which agencies and organisations may collect, store, use and disclose personal information and how a person can access and/or correct records containing their personal information.

We are also subject to the Privacy (Australian Government Agencies – Governance) APP Code (Privacy Code) which came into force on 1 July 2018.

Personal information

Personal information is defined in the Privacy Act as any ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  • whether the information or opinion is true or not, and
  • whether the information or opinion is recorded in a material form or not’ (s 6(1)).

Note: Information that is purely about a business and not an individual is not personal information and will not be covered by this Privacy Policy. Please refer instead to the ACCC/AER Information Policy.

Sensitive information

Sensitive information is a special subset of personal information which requires greater protection under the Privacy Act. ‘Sensitive information’ is defined in the Privacy Act as:

  • information or an opinion about an individual’s:
    • racial or ethnic origin
    • political opinions
    • membership of a political association
    • religious beliefs or affiliations
    • philosophical beliefs
    • membership of a professional or trade association
    • membership of a trade union;
    • sexual orientation or practices, or
    • criminal record; that is also personal information
  • health information about an individual
  • genetic information about an individual that is not otherwise health information
  • biometric information that is to be used for the purpose of automated biometric verification or biometric identification, or
  • biometric templates.

Personal information under the Privacy Act, APPs and Privacy Code is any information that is about a reasonably identifiable individual. This may include information which is CDR data for a CDR consumer while held by a CDR participant. The framework of privacy protections in Australian law continues to apply to the ACCC in respect of this information.

What personal information is collected and why

Directly from you

We will only ask for and collect personal information:

  • for a lawful purpose that is reasonably necessary for, or directly related to, one or more of our functions or activities
  • by lawful and fair means.

If you do not wish to provide us with your personal information, you may contact us anonymously, or by using a pseudonym. By remaining anonymous, or by using a pseudonym, we may be limited in our ability to assist you. In relation to an accreditation application, if all mandatory information is not provided, we will not be able to assess your application and your application will be returned to you for completion.

The types of personal information we will ask you for vary depending on the nature of your interaction with us. For example:

  • if you submit a question on our website, the personal information we collect may include your name and contact details (such as your email address, postal address and telephone number). This allows us to assist you and respond to your request. If you apply for accreditation, we may ask for additional information including:
    • details of the applicant’s primary business contact. To apply for accreditation, an applicant must provide a business contact and their personal details for verification purposes. This will include their name, position title, birth date and contact details to ensure we can verify that the contact is a true representative of the applicant with the authority to act on its behalf
    • sensitive information (for example, about your criminal history, or whether you have been insolvent or bankrupt, or banned from managing a company). This is to enable us to discharge our legislative requirements, for instance, to assess and verify whether you are a fit and proper person
    • personal and sensitive details of all associated persons of the applicant. Associated persons include all decisions makers in relation to the management of CDR data.

From third parties

Generally we will collect personal information directly from you. In some instances, we may collect personal information from third parties about you. For example:

  • as part of the accreditation process, we may request an identity verification check from an external party. This external party may provide personal information to us about your identity
  • a CDR consumer’s personal information may be included in the records required to be kept by CDR participants and disclosed to the ACCC.

If the ACCC or AER receives personal information about you from a third party, and this information is relevant to our work, we will take reasonable steps in the circumstances to notify you of certain matters concerning that collection. However please note that in some circumstances, it may not be reasonable for us to notify you.

When you visit this website

We do not collect any personal information purely from your visit to our website.

Our objective in maintaining an active and expanding Consumer Data Right website is to improve communication with the community at large, specifically to:

  • make it possible to provide timely information about Consumer Data Right
  • encourage feedback from you.

We operate our website using Australian Government web hosting facilities. When visiting this site, a record of your visit is logged. The following clickstream data is recorded and is used by us for statistical purposes:

  • your IP address
  • your top level domain name (for example, .com, .gov, .au, .uk)
  • the type of browser you are using
  • your operating system (for example, Windows, Mac)
  • the date and time of the visit to the site
  • the pages accessed and the documents downloaded
  • the internet address of the site from which you linked directly to our site.

No attempt will be made to identify users or their browsing activities except in the unlikely event of a data breach, or an investigation when a law enforcement agency or other government agency may exercise its legal authority to inspect our internet web server logs.

We provide a number of online forms for enquiries, complaints, reports, submissions and web feedback. Not all of our online forms provide facilities for the secure transmission of information across the internet. You should be aware that there are inherent risks transmitting information across the internet using non-secure forms. Our secure forms can be identified by the padlock symbol and an address starting with https://.

Use of cookies

Our site uses cookies to better serve you when you return to the website. A cookie is a piece of data that a site can send to your browser, which may then be stored on your computer as an anonymous tag that identifies your computer but not you.

You can set your browser to notify you before you receive a cookie, giving you the chance to decide whether to accept it. You can also set your browser to turn off cookies. If you do so, some pages in the site may not work properly.

Cookies are either persistent or session based. Persistent cookies are stored on your computer, contain an expiry date, and may be used to track your browsing behaviour upon return to the issuing site. Session cookies are short-lived, are used only during a browsing session, and expire when you quit your browser.

Our site uses both kinds of cookies to provide a rich and session based experience. The cookies are used to enable us to track users’ browsing patterns in order to provide statistical information to improve the usability of the site.

Please also refer to more information on cookies on the ACCC Consultation Hub.

Website analytics

Our website uses Google Analytics, which transmits website traffic data to servers offshore. Google Analytics does not identify individual users or associate your IP address with any other data held by Google. We use this data to help us make the website better by understanding how our website is used. In using our website, you should also refer to and ensure you understand the Google Analytics Terms of Use. You can opt out of Google Analytics cookies by installing an add-on for your web browser.

How we will handle your personal information

We will handle your personal information in accordance with the requirements in the Privacy Act. We will only use or disclose personal information for the particular purpose for which it was collected, unless one of the following applies:

  • we obtain your consent to use personal information for a different purpose (that is, a secondary purpose)
  • you would reasonably expect us to use or disclose your personal information for a secondary purpose, and that purpose is related to the primary purpose of collecting (or, for sensitive information, directly related to the primary purpose) the personal information
  • the secondary use or disclosure is required or authorised by or under an Australian law or a court/tribunal order
  • we reasonably believe that the secondary use or disclosure is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body (including the ACCC).

In some instances, we may disclose your personal information to third parties. For example, with:

  • external service providers who we engage to assist us with our functions, including our ICT service providers, to allow them to provide services to us
  • an overseas recipient for the purposes of performing identity verification services
  • other regulators — for example, the Australian Prudential Regulatory Authority, the Australian Securities and Investments Commission, the Australian Financial Complaints Authority and the Information Commissioner.

We will store your personal information on secure servers in accordance with Commonwealth policies and requirements. Storage of personal information (and the disposal of documents when no longer required) is managed in accordance with the Australian Government records management regime, including the Archives Act 1983 (Archives Act), Records Authorities and General Disposal Authorities.

We also have a number of systems for storing and managing Commonwealth records and protecting personal information. For example personal information may be subject to access restrictions.

We have in place, policies and information protection procedures, including (where appropriate):

  • physical secure file storage
  • password protection of electronic databases
  • the provision of secure rooms
  • electronic information ‘firewalls’ between branches
  • the provision of information to staff on a ‘need to know’ basis.

The ACCC (including its staff and internal and external consultants) are subject to a number of general prohibitions on making an unauthorised disclosure of information.

If you provide your personal information to us, and later request us to remove your personal information from our systems, we may be limited in our ability to do so due to our legal obligations to maintain Commonwealth records. A request for personal information to be removed from our systems may also affect our ability to progress your accreditation application.

Accessing your personal information

To request access to your personal information, please email

When making your request, please provide sufficient information to enable us to identify records held by us that contain your personal information and to verify that the information contained in the records is your personal information.

We will provide you access to your personal information except in certain circumstances where we are not required to by law.

Where access is refused, the ACCC will act in accordance with the Privacy Act and the APPs.

Correcting or removing your personal information

You can request to correct your personal information by:

  • contacting the staff member or area of the ACCC that you had contact with, or
  • emailing, providing sufficient information to enable us to identify records held by us that contain your personal information and the correction you wish to make.

If we are unable to correct your personal information in the manner you request, we will act in accordance with the procedures outlined in the Privacy Act and the APPs.

Please note that if you provide your personal information to us, and later request us to remove your personal information from our systems, we may be limited in our ability to do so due to our legal obligations to maintain Commonwealth records.

Making a complaint

If you believe the ACCC has breached the APPs, you can lodge a complaint with the ACCC by email to We will respond to your complaint as soon as possible.

You may also wish to read our Service Charter.

Users enquiring about their rights and remedies for breaches of privacy can access detailed information at the Office of the Australian Information Commissioner.

ACCC Privacy Policy

For further information please refer to the ACCC Privacy Policy.