Greater Choice and Control for Consumer Data

Following the recent introduction of the Consumer Data Right regime (CDR Regime) into the Competition and Consumer Act 2010 (CCA), the Office of the Australian Information Commissioner (OAIC) published draft Privacy Safeguard Guidelines in October 2019.

The draft guidelines set out the OAIC’s understanding and interpretation of the privacy safeguards and the relevant Consumer Data Rules.

Background

The CDR Regime is aimed at providing greater choice and control to consumers over how their data is used and disclosed by businesses that provide goods and/or services to them. The CDR Regime enables consumers to:

  • require information relating to themselves to be disclosed safely, efficiently and conveniently to either themselves or accredited persons; and
  • efficiently and conveniently access information about the goods or services.

The CDR Regime will first apply to the banking sector, followed by the energy sector, and eventually across the economy.

Privacy Safeguard Guidelines

The draft guidelines set out 13 privacy safeguards which are aimed at protecting the privacy or confidentiality of CDR data (i.e. information within a class specified in the designation instrument for each sector including derivatives from such information) of the relevant consumers. These guidelines cover:

  • open and transparent management of CDR data;
  • anonymity and pseudonymity;
  • soliciting CDR data from CDR participants;
  • dealing with unsolicited CDR data from CDR participants;
  • notifying of the collection of CDR data;
  • use or disclosure of CDR data by accredited data recipients or designated gateways;
  • use or disclosure of CDR data for direct marketing by accredited data recipients or designated gateways;
  • overseas disclosure of CDR data by accredited data recipients;
  • adoption or disclosure of government related identifiers by accredited data recipients;
  • notifying of the disclosure of CDR data;
  • quality of CDR data;
  • security of CDR data, and destruction or de-identification of redundant CDR data; and
  • correction of CDR data.

The Privacy Safeguard Guidelines clarify the intention of each privacy safeguard and provide guidance on how to avoid acts or practices that may breach the privacy safeguards. Although the majority of the privacy safeguards borrow similar principles from the Australian Privacy Principles (APPs) under the Privacy Act 1988, the Privacy Safeguard Guidelines expressly state that the APPs do not apply to the CDR entity in relation to CDR data. Instead, the CDR Regime will apply.

What’s next?

Currently, the OAIC is seeking feedback on the draft Privacy Safeguard Guidelines from interested stakeholders and members of the community. The closing date for feedback is Wednesday 20 November 2019.

A copy of the draft Privacy Safeguard Guidelines is available for download here.

The Privacy Safeguard Guidelines should be read together with Division 5 of Part IVD of the CCA and the Consumer Data Rules, which set out the rules required to implement the CDR Regime in the relevant sectors. Currently, a proposed set of CDR rules for the banking sector is available here, together with the Explanatory Statement.

Wrays Industry Insights, Insights