Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2023
I, Stephen Jones, Assistant Treasurer and Minister for Financial Services, make the following rules.
Dated 11 July 2023
Stephen Jones
Assistant Treasurer and Minister for Financial Services
Contents
1 Name
2 Commencement
3 Authority
4 Schedules
Schedule 1—Amendments
Competition and Consumer (Consumer Data Right) Rules 2020
1 Name
This is the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2023.
2 Commencement
(1) Each provision of this instrument specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.
Commencement information
Column 1 | Column 2 | Column 3
Provisions | Commencement | Date/Details
The whole of this instrument | The day after this instrument is registered. |
Note: This table relates only to the provisions of this instrument as originally made. It will not be amended to deal with any later amendments of this instrument.
(2) Any information in column 3 of the table is not part of this instrument. Information may be inserted in this column, or information in it may be edited, in any published version of this instrument.
3 Authority
This instrument is made under section 56BA of the Competition and Consumer Act 2010.
4 Schedules
Each instrument that is specified in a Schedule to this instrument is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this instrument has effect according to its terms.
Schedule 1—Amendments
Competition and Consumer (Consumer Data Right) Rules 2020
1 Rule 1.6 (after the heading)
Insert:
2 Subrule 1.6(13)
Omit “It is intended that these rules will be amended at a later time to deal with additional sectors of the economy.”.
3 Subrule 1.7(1)
Insert in the appropriate alphabetical position:
ABN has the meaning given by the A New Tax System (Australian Business Number) Act 1999.
business consumer disclosure consent has the meaning given by rule 1.10A.
business consumer statement has the meaning given by rule 1.10A.
CDR business consumer has the meaning given by rule 1.10A.
direct or indirect OSP means a direct OSP or an indirect OSP.
direct OSP has the meaning given by rule 1.10.
indirect OSP has the meaning given by rule 1.10.
Note: For the meaning of the term:
in the banking sector, see clause 5.2 of Schedule 3; and
in the energy sector, see clause 5.2 of Schedule 4.
OSP chain principal has the meaning given by rule 1.10.
permitted use or disclosure has the meaning given by rule 7.5.
relates to direct marketing has the meaning given by rule 7.5.
trial product, in relation to a particular designated sector, has the meaning set out in the relevant sector Schedule.
4 Subrule 1.7(1) (definition of CDR principal)
Repeal the definition, substitute:
CDR representative principal has the meaning given by rule 1.10AA.
5 Subrule 1.7(1) (paragraph (a) of the definition of current)
After “rule 4.14” insert “or 4.20K”.
6 Subrule 1.7(1) (definition of meet the internal dispute resolution requirements)
Repeal the definition, substitute:
meet the internal dispute resolution requirements, for a particular designated sector, has the meaning set out in the relevant sector Schedule.
Note: For the meaning of the term:
in the banking sector, see clause 5.1 of Schedule 3; and
in the energy sector, see clause 5.1 of Schedule 4.
7 Subrule 1.7(1) (definition of outsourced service provider)
Repeal the definition.
8 Subrule 1.7(1) (subparagraph (a)(ii) of the definition of secondary user)
Omit “requrements”, substitute “requirements”.
9 Subrule 1.7(5)
Repeal the subrule (not including the heading), substitute:
(5) In these rules, unless the contrary intention appears, a reference to an accredited person making a consumer data request, collecting CDR data, obtaining consents, providing a consumer dashboard, or using or disclosing CDR data does not include a reference to an accredited person doing those things on behalf of an OSP principal in its capacity as a direct or indirect OSP of:
(a) another accredited person; or
(b) a CDR representative of itself or of another accredited person;
in accordance with the relevant CDR outsourcing arrangement.
10 Rule 1.8
Repeal the rule, substitute:
1.8 Data minimisation principle
Note: The data minimisation principle is relevant when:
a CDR consumer requests an accredited person or a CDR representative to provide goods or services to the CDR consumer or to another person; and
the accredited person or CDR representative needs to access the CDR consumer’s CDR data in order to provide those goods or services.
The data minimisation principle is also relevant when an accredited person or CDR representative uses CDR data to provide requested goods or services to a CDR consumer.
The data minimisation principle limits the CDR data that can be collected, and also limits the uses that can be made of collected CDR data.
(1) The collection of CDR data by an accredited person complies with the data minimisation principle if, when making a consumer data request on behalf of a CDR consumer, the accredited person does not seek to collect:
(a) more CDR data than is reasonably needed; or
(b) CDR data that relates to a longer time period than is reasonably needed;
in order for it, or a relevant CDR representative, to provide the goods or services requested by the CDR consumer.
(2) The use of CDR data by an accredited person or a CDR representative complies with the data minimisation principle if, when providing the requested goods or services, or using collected CDR data for any other purpose consented to by the CDR consumer, it does not use the collected CDR data, or CDR data directly or indirectly derived from it, beyond what is reasonably needed in order to provide the requested goods or services or fulfil the other purpose.
11 Subrule 1.9(2) (note)
Before “Jervis Bay Territory” insert “The”.
12 Rules 1.10, 1.10AA and 1.10A
Repeal the rules, substitute:
1.10 Meaning of direct OSP, indirect OSP and related terms
Persons in a chain of outsourced service providers
(1) In these rules, where a person who is an accredited person or a CDR representative is the principal in one or more CDR outsourcing arrangements:
(a) the provider in each such arrangement is a direct OSP (for “direct outsourced service provider”) of the person; and
(b) where a direct OSP of the person is also the principal in a further CDR outsourcing arrangement, the provider in the further arrangement is an indirect OSP of the person; and
(c) where an indirect OSP of the person is also the principal in a further CDR outsourcing arrangement, the provider in the further arrangement is also an indirect OSP of the person; and
(d) the person is the OSP chain principal of each direct and indirect OSP.
Note: Paragraph (c) can be applied repeatedly, so there may be a chain of indirect OSPs for each direct OSP.
(2) Paragraph (1)(d) does not apply in relation to a person who is an accredited person or CDR representative that is a direct or indirect OSP of an OSP chain principal.
Content of a CDR outsourcing arrangement
(3) In these rules, a CDR outsourcing arrangement is a written contract between a person (the OSP principal) and another person (the provider) under which:
(a) the provider will do one or both of the following:
(i) collect CDR data from a CDR participant in accordance with these rules on behalf of the OSP chain principal (for an OSP chain principal with unrestricted accreditation);
(ii) use or disclose service data to provide specified goods or services to the OSP principal; and
(b) the provider is required to comply with the following requirements in relation to any service data:
(A) the OSP principal’s CDR policy as it relates to deletion and de‑identification of CDR data and the treatment of redundant or de‑identified CDR data;
(B) section 56EG of the Act (privacy safeguard 4);
(C) section 56EI of the Act (privacy safeguard 6);
(D) section 56EJ of the Act (privacy safeguard 7);
(E) section 56EK of the Act (privacy safeguard 8);
(F) section 56EL of the Act (privacy safeguard 9);
(ii) the provider must take the steps in Schedule 2 to protect the service data as if it were an accredited data recipient;
(iii) the provider must not disclose service data other than:
(A) to another direct or indirect OSP of the OSP chain principal; or
(B) to the OSP chain principal; or
(C) in circumstances where the disclosure of the service data by the OSP chain principal would be permitted under these rules;
(iv) the provider must not use or disclose the service data other than in accordance with a contract with the OSP principal; and
(A) when directed by the OSP principal, do any of the things referred to in paragraphs (5)(a), (b), (c) or (d); and
(B) when directed by the OSP chain principal, do any of the things referred to in paragraphs (5)(a), (b), (c) or (d); and
(C) if the OSP chain principal is a CDR representative—when directed by the CDR representative principal of the OSP chain principal, do any of the things referred to in paragraphs (5)(b), (c) or (d);
(vi) if the provider is the OSP principal in a further CDR outsourcing arrangement (the arrangement), it must ensure that the other person in the arrangement complies with the requirements of the arrangement, including in relation to service data of the other person that was disclosed to it by the OSP chain principal or another direct or indirect OSP of the OSP chain principal.
Note: See rule 1.18 for the definition of “CDR data deletion process”.
(4) For subparagraph (3)(a)(ii), the provision of the specified goods or services must be:
(a) where the OSP principal is the OSP chain principal—for the purpose of enabling the OSP chain principal to provide CDR consumers for the service data with the goods and services for the purposes of which a relevant consent to collect the service data, or the CDR data from which it was directly or indirectly derived, was given; and
(b) otherwise—for the purpose of enabling the OSP principal to provide the goods and services specified in the CDR outsourcing arrangement for which it is the provider.
(5) For subparagraph (3)(b)(v), the things are the following:
(a) provide that person with access to any service data that it holds;
(b) in accordance with the CDR data deletion process, delete any service data that it holds and make the required records;
(c) provide to that person any such required records;
(d) direct any other person to which it has disclosed service data under a further CDR outsourcing arrangement to take corresponding steps.
Service data
(6) In these rules, service data, in relation to a person who is a direct or indirect OSP of an OSP chain principal, means any CDR data of a CDR consumer of the OSP chain principal held by the person that:
(a) was disclosed to the person by the OSP chain principal for the purposes of the relevant CDR outsourcing arrangement; or
(b) was collected from a CDR participant by the person on behalf of the OSP chain principal in accordance with the relevant CDR outsourcing arrangement; or
(c) was disclosed to the person by another direct or indirect OSP of the OSP chain principal in accordance with the relevant CDR outsourcing arrangement for the other direct or indirect OSP; or
(d) is directly or indirectly derived from such CDR data.
Note: Service data may be disclosed to other direct or indirect OSPs in accordance with provisions in the relevant CDR outsourcing arrangements.
(7) For paragraph (6)(a), where an accredited person gives a direct or indirect OSP (the provider) permission to access or use CDR data collected by the provider on behalf of the OSP chain principal in accordance with subparagraph (3)(a)(i), the accredited person is taken to disclose the CDR data to the provider.
1.10AA Meaning of CDR representative and related terms
A CDR representative cannot deal with a person in their capacity as a CDR business consumer.
(1) In these rules, a CDR representative arrangement is a written contract between a person with unrestricted accreditation (the CDR representative principal) and a person without accreditation (the CDR representative):
(a) under which the CDR representative will offer goods and services to CDR consumers, but not in their capacity as CDR business consumers, for which it will need to use or disclose CDR data of the CDR consumer; and
(b) under which, where the CDR representative has obtained the consent of a CDR consumer to the collection, use and disclosure of CDR data in accordance with rule 4.3A:
(i) the CDR representative principal will:
(A) make any appropriate consumer data request; and
(B) disclose the relevant CDR data to the CDR representative; and
(ii) the CDR representative will use or disclose the CDR data to provide the relevant goods or services to the CDR consumer; and
(c) that specifies that the provisions referred to in paragraphs (a) and (b) do not operate until the details of the CDR representative have been entered on the Register of Accredited Persons; and
(d) under which the CDR representative is required to comply with any rules that are expressed as applying to a CDR representative.
(2) A CDR representative arrangement may provide for the CDR representative:
(a) to seek any consent for the use or disclosure of service data that the CDR representative principal could seek in the same circumstances; and
(b) to make any use or disclosure of service data that would be:
(i) a permitted use or disclosure of the CDR data of the kind mentioned in paragraph 7.5(1)(j); or
(ii) a permitted use or disclosure of the CDR data that relates to direct marketing of the kind mentioned in paragraph 7.5(3)(e).
(3) A CDR representative arrangement must require the CDR representative:
(a) not to enter into another CDR representative arrangement; and
(b) not to engage a person as the provider in a CDR outsourcing arrangement in relation to service data except as provided in the CDR representative arrangement.
(4) A CDR representative arrangement must require the CDR representative to comply with the following requirements in relation to any service data:
(a) in holding, using or disclosing the service data, the CDR representative must comply with the following as if it were the CDR representative principal:
(i) section 56EE of the Act (privacy safeguard 2);
(ii) section 56EG of the Act (privacy safeguard 4);
(iia) section 56EI of the Act (privacy safeguard 6);
(iib) section 56EJ of the Act (privacy safeguard 7);
(iii) section 56EN of the Act, other than subsection (1) (privacy safeguard 11);
(iv) section 56EO of the Act (privacy safeguard 12);
(v) section 56EP of the Act, other than subsection (1) (privacy safeguard 13);
(b) the CDR representative must take the steps in Schedule 2 to protect the service data as if it were the CDR representative principal;
(c) the CDR representative must not use or disclose the service data other than in accordance with a contract with the CDR representative principal;
(d) the CDR representative must not use or disclose the service data unless the use or disclosure would be:
(i) a permitted use or disclosure of the CDR data of the kind mentioned in paragraph 7.5(1)(j); or
(ii) a permitted use or disclosure of the CDR data that relates to direct marketing of the kind mentioned in paragraph 7.5(3)(e);
(e) the CDR representative must, when so directed by the CDR representative principal:
(i) do any of the following:
(A) delete any service data that it holds in accordance with the CDR data deletion process;
(B) provide, to the CDR representative principal, records of any deletion that are required to be made under the CDR data deletion process; and
(ii) require its direct and indirect OSPs to do the same;
(f) the CDR representative must adopt and comply with the CDR representative principal’s CDR policy in relation to the service data;
(g) the CDR representative must comply with sections 56EK and 56EL of the Act (privacy safeguards 8 and 9) as if it were an accredited data recipient.
Note 1: For paragraph (4)(c), the CDR representative principal may be a direct or indirect OSP of the CDR representative, either as a result of provisions in the written agreement that make it also a CDR outsourcing arrangement under rule 1.10, or under a separate CDR outsourcing arrangement.
Note 2: For paragraph (4)(d), the permitted uses or disclosures are those that would be permitted if the representative were an accredited data recipient that had collected the CDR data under the consumer data request. They include disclosure to a direct or indirect OSP for the purposes of providing the relevant goods and services.
Note 3: For paragraph (4)(e), see rule 1.18 for the definition of “CDR data deletion process”.
(5) In these rules, service data, in relation to a CDR representative, consists of any CDR data that:
(a) was disclosed to the CDR representative for the purposes of the CDR representative arrangement; or
(b) is directly or indirectly derived from such CDR data.
(1) For these rules:
(a) a collection consent is a consent given by a CDR consumer under these rules for an accredited person to collect particular CDR data from a CDR participant for that CDR data; and
(b) a use consent is a consent given by a CDR consumer under these rules for an accredited data recipient of particular CDR data, or a CDR representative that holds the CDR data as service data, to use that CDR data in a particular way; and
(c) a disclosure consent is a consent given by a CDR consumer under these rules for an accredited data recipient of particular CDR data, or a CDR representative that holds the CDR data as service data, to disclose that CDR data:
(i) to an accredited person in response to a consumer data request (an AP disclosure consent); or
(ii) to an accredited person for the purposes of direct marketing; or
(iii) to a trusted adviser of the CDR consumer (a TA disclosure consent); or
(iv) to a specified person in accordance with an insight disclosure consent; or
(v) other than in the case of a CDR representative—to a specified person in accordance with a business consumer disclosure consent; and
(d) a direct marketing consent is a consent given by a CDR consumer under these rules for an accredited data recipient of particular CDR data, or a CDR representative that holds the CDR data as service data, to use or disclose the CDR data for the purposes of direct marketing; and
(e) a de-identification consent is a consent given by a CDR consumer under these rules for an accredited data recipient of particular CDR data, or a CDR representative that holds the CDR data as service data, to de‑identify some or all of the collected CDR data and do either or both of the following:
(i) use the de-identified data for general research;
(ii) disclose (including by selling) the de‑identified data.
(2) For these rules, each of the following is a category of consents:
(a) collection consents;
(b) use consents relating to the goods or services requested by the CDR consumer;
(c) direct marketing consents;
(d) de‑identification consents;
(e) AP disclosure consents;
(f) TA disclosure consents;
(g) insight disclosure consents;
(h) business consumer disclosure consents.
Insight disclosure consents
(3) For these rules, an insight disclosure consent in relation to particular CDR data of a CDR consumer held by an accredited data recipient, or a CDR representative that holds the CDR data as service data, is a disclosure consent given by the CDR consumer under these rules that:
(a) authorises the accredited data recipient or CDR representative to disclose the CDR data to a specified person for one or more of the following purposes:
(i) verifying the consumer’s identity;
(ii) verifying the consumer’s account balance;
(iii) verifying the details of credits to or debits from the consumer’s accounts; but
(b) where the CDR data relates to more than one transaction—does not authorise the accredited data recipient or CDR representative to disclose an amount or date in relation to any individual transaction.
(4) An accredited person must not make:
(a) the giving of an insight disclosure consent; or
(b) the specification of a particular person for the purposes of paragraph (3)(a);
a condition for supply of the goods or services requested by the CDR consumer.
Note: This subrule is a civil penalty provision (see rule 9.8).
(5) A CDR representative must not make:
(a) the giving of an insight disclosure consent; or
(b) the specification of a particular person for the purposes of paragraph (3)(a);
a condition for supply of the goods or services requested by the CDR consumer.
(6) A CDR representative principal contravenes this subrule if its CDR representative makes:
(a) the giving of an insight disclosure consent; or
(b) the specification of a particular person for the purposes of paragraph (3)(a);
a condition for supply of the goods or services requested by the CDR consumer.
Note: This subrule is a civil penalty provision (see rule 9.8).
(7) To avoid doubt, paragraphs (4)(a), (5)(a) and (6)(a) do not apply where the only good or service that is requested by the CDR consumer is for CDR data to be collected from a data holder and CDR insights disclosed in accordance with the insight disclosure consent.
Consents in relation to CDR representatives
(8) For an accredited person with a CDR representative, a consent given by a CDR consumer under these rules to the CDR representative for the accredited person to collect particular CDR data from a CDR participant for that CDR data and disclose it to the CDR representative is also a collection consent.
CDR business consumers
(9) For these rules, a CDR consumer is taken to be a CDR business consumer in relation to a consumer data request to be made by an accredited person if the accredited person has taken reasonable steps to confirm that:
(a) the CDR consumer is not an individual; or
(b) the CDR consumer has an active ABN.
(10) For these rules, a business consumer statement is a statement made by a CDR business consumer that:
(a) is given in relation to a consent in one of the following categories:
(i) use consents relating to the goods or services requested by the CDR business consumer;
(ii) TA disclosure consents;
(iii) insight disclosure consents;
(iv) business consumer disclosure consents; and
(b) certifies that the consent is given for the purpose of enabling the accredited person to provide goods or services to the CDR business consumer in its capacity as a business (and not as an individual).
Note: Only an accredited person is able to deal with a CDR consumer in the CDR consumer’s capacity as a CDR business consumer, and is hence able to invite a CDR consumer to provide a business consumer statement.
(11) For these rules, a business consumer disclosure consent in relation to particular CDR data of a CDR business consumer held by an accredited data recipient is a disclosure consent given by the CDR business consumer under these rules that:
(a) authorises the accredited data recipient to disclose the CDR data to a specified person; and
(b) includes a business consumer statement.
(12) An accredited person must not make:
(a) the giving of a business consumer disclosure consent; or
(b) the giving of a business consumer statement; or
(c) the specification of a particular person for the purposes of paragraph (11)(a);
a condition for supply of the goods or services requested by the CDR business consumer.
Note: This subrule is a civil penalty provision (see rule 9.8).
(13) To avoid doubt, paragraphs (12)(a) and (b) do not apply where the only good or service that is requested by the CDR business consumer is for CDR data to be collected from a data holder and provided to a specified person.
(14) An accredited person may not deal with a person in their capacity as a CDR business consumer before the earlier of the following:
(a) if the Data Standards Chair makes data standards about the matters referred to in both of subparagraphs 8.11(1)(a)(iv) and subparagraph 8.11(1)(c)(vi) before 1 December 2023—the day on which the last of those standards is made;
(b) 1 December 2023.
Note: This subrule is a civil penalty provision (see rule 9.8).
13 Subrules 1.10C(1), (3) and (4)
After “accredited person” insert “or CDR representative”.
14 At the end of rule 1.10C
Add:
15 Paragraph 1.10D(1)(a)
Omit “rule”, substitute “subrule”.
16 Subrule 1.13(1) (note 3)
After “will not” insert “be”.
17 Subrule 1.14(2A)
Omit “, on and after 1 July 2021,”.
18 After paragraph 1.14(3)(ea)
Insert:
(eb) if a business consumer statement has been given in relation to the consent—that fact;
19 Paragraph 1.14(3)(h)
Omit “rule 7.4 and rule 7.9”, substitute “rules 7.4 and 7.9”.
20 Subrule 1.14(3) (note 1)
Repeal the note, substitute:
21 Subrule 1.14(3) (note 2)
After “For” insert “limits on”.
22 At the end of subrule 1.15(3)
Add:
; (h) details of each amendment (if any) that has been made to the authorisation.
23 After subrule 1.15(3)
Insert:
(3A) Paragraph (3)(h) applies on and after 1 July 2024.
24 Subrule 1.15(5) (note 2)
Omit “subrule 4.6A(1)”, substitute “rule 4.6A”.
25 Rules 1.16 and 1.16A
Repeal the rules, substitute:
1.16 Obligations relating to outsourcing arrangements
OSPs of accredited person
(1) If an accredited person is the OSP chain principal of one or more direct or indirect OSPs, it must ensure that each direct and indirect OSP complies with its requirements under the relevant CDR outsourcing arrangement.
(2) The accredited person breaches this subrule if a direct OSP or indirect OSP of the accredited person fails to comply with a required provision of the relevant CDR outsourcing arrangement.
Note: This subrule is a civil penalty provision (see rule 9.8).
OSPs of CDR representative of accredited person
(3) If an accredited person is the CDR representative principal in a CDR representative arrangement under which it permits the CDR representative to engage direct or indirect OSPs, it must ensure that each such direct and indirect OSP complies with its requirements under the relevant CDR outsourcing arrangement.
(4) The accredited person breaches this subrule if a direct OSP or indirect OSP of the CDR representative fails to comply with a required provision of the relevant CDR outsourcing arrangement.
Note: This subrule is a civil penalty provision (see rule 9.8).
Accredited person acting as OSP for another accredited person
(5) If an accredited person collects CDR data on behalf of another accredited person (the principal) as a direct or indirect OSP:
(a) rules 7.4 and 7.9 apply only in relation to the principal; and
(b) paragraph 7.10(1)(a) requires the principal to be identified.
Meaning of required provision
(6) For this rule, a provision of a CDR outsourcing arrangement is a required provision if the arrangement would cease to be a CDR outsourcing arrangement under subrule 1.10(3) if the provision were removed.
1.16A Obligations relating to CDR representative arrangements
Compliance with CDR representative arrangement
(1) If an accredited person is the CDR representative principal in a CDR representative arrangement, it must ensure that the CDR representative complies with its requirements under the arrangement.
(2) The accredited person breaches this subrule if the CDR representative:
(a) fails to comply with a required provision of the CDR representative arrangement; or
(b) does one of the things referred to in subrule 1.10AA(2) in circumstances where the CDR representative arrangement does not provide for the CDR representative to do that thing.
Note: This subrule is a civil penalty provision (see rule 9.8).
Compliance with Division 4.3A
(3) The accredited person must ensure that the CDR representative complies with Division 4.3A.
(4) The accredited person breaches this subrule if the CDR representative fails to comply with a provision of Division 4.3A.
Note: This subrule is a civil penalty provision (see rule 9.8).
Meaning of required provision
(5) For this rule, a provision of a CDR representative arrangement is a required provision if it is a provision of a kind referred to in any of subrules 1.10AA(1), (3) and (4).
26 Subrule 1.17(5) (note)
Omit “2020”, substitute “2023”.
27 Division 1.5 (note to Division heading)
Repeal the note, substitute:
Note: The effect of this Division is that, from the point of view of a CDR consumer or an accredited person, the primary data holder for SR data is treated as if it were the relevant data holder: consumer data requests for the SR data are made to it; authorisations for disclosure are made to it; it is the entity that discloses or refuses to disclose the requested data; any complaints are made to it; it keeps the records that the CDR consumer can request under rule 9.5.
28 Subrule 1.22(3) (note)
Omit “rule”, substitute “subrule”.
29 Subrule 1.22(4) (note)
Omit “rule”, substitute “subrule”.
30 Subrule 1.22(5) (note)
Omit “rule”, substitute “subrule”.
31 Subrule 1.23(4) (note)
Omit “rule”, substitute “subrule”.
32 Subrule 1.23(5) (note)
Omit “rule”, substitute “subrule”.
33 Subrule 1.23(6) (note)
Omit “rule”, substitute “subrule”.
34 Paragraph 1.23(11)(b)
Omit ““(2) For paragraph (2)(a)”, substitute ““(3) For subrule (2)”.
35 Rule 4.1
Omit:
Before making a consumer data request on behalf of a CDR consumer, the consumer must first have consented to the accredited person collecting and using specified CDR data to provide the requested goods or services.
Subject to certain limitations, the requested data can be any CDR data that relates to the CDR consumer.
Collection and use of CDR data under this Part is limited by the data minimisation principle, under which the accredited person:
(a) must not collect more data than is reasonably needed in order to provide the requested goods or services; and
(b) may use the collected data only as reasonably needed in order to provide the requested goods or services or as otherwise consented to by the consumer.
A request may be for the CDR consumer’s required consumer data, their voluntary consumer data, or both. Schedule 3 to these rules:
• provides for what is required consumer data and voluntary consumer data for the banking sector; and
• sets out the circumstances in which CDR consumers are eligible in relation to a request for their banking sector CDR data.
substitute:
Subject to certain limitations, the requested data can be any CDR data that relates to the CDR consumer.
Collection and use of CDR data under this Part is limited by the data minimisation principle, under which:
• no more data may be collected than is reasonably needed in order to provide the requested goods or services; and
• the collected data may be used only as reasonably needed in order to provide the requested goods or services or as otherwise consented to by the CDR consumer.
A request may be for the CDR consumer’s required consumer data, their voluntary consumer data, or both. The sector Schedules to these rules:
• provide for what is required consumer data and voluntary consumer data for the particular designated sector; and
• set out the circumstances in which CDR consumers are eligible in relation to a request for their CDR data in that designated sector.
36 Rule 4.2
Before the flow chart, insert:
37 Subrule 4.3(2) (note 2)
Repeal the note, substitute:
38 At the end of subrule 4.3(2A)
Add:
Note 2: The CDR data may be collected and used only in accordance with the data minimisation principle: see rule 1.8.
39 Subrule 4.3A(2)
Repeal the subrule, substitute:
(2) The CDR representative may, in accordance with Division 4.3A, ask the CDR consumer to give:
(a) a collection consent for the CDR representative principal to collect the CDR consumer’s CDR data from the CDR participant and disclose it to the CDR representative; and
(b) a use consent for the CDR representative to use it in order to provide those goods or services.
Note 1: For a collection consent mentioned in paragraph (a), see subrule 1.10A(8).
For consents mentioned in paragraph (b), see rule 1.10A as applied to a CDR representative under subrule 1.10A(5).
Note 2: In order to provide goods or services in accordance with the CDR consumer’s request, it might be necessary for the CDR representative principal to request CDR data from more than 1 CDR participant.
Note 3: The CDR data may be collected and used only in accordance with the data minimisation principle: see rule 1.8.
40 Subrule 4.3A(5) (note)
Omit “rule 4.18”, substitute “rule 4.20O”.
41 Rule 4.3B (note after the heading)
Repeal the note, substitute:
Subrule (2) allows a CDR representative that receives such a consumer data request to obtain a disclosure consent from the consumer. Under paragraphs 7.5(1)(i) and (j), the CDR representative is then able to disclose the requested data.
42 Subrule 4.3B(2)
Repeal the subrule (not including the heading), substitute:
(a) a reference to an accredited data recipient were a reference to the CDR representative; and
(b) a reference to Division 4.3 were a reference to Division 4.3A.
43 Rule 4.3C
Repeal the rule.
44 Paragraph 4.4(1)(d)
Repeal the paragraph, substitute:
(d) can be collected and used in compliance with the data minimisation principle.
45 Paragraph 4.6A(b)
Omit “a Schedule to the rules”, substitute “a provision of these rules”.
46 Rule 4.6A (note 2)
Repeal the note, substitute:
Note 2: For paragraph (b)—for example, see subrules 4A.10(5) and (6) in relation to joint accounts.
47 At the end of subrule 4.7(1)
Add:
48 Paragraph 4.7A(1)(d)
Repeal the paragraph, substitute:
(d) can be collected and used in compliance with the data minimisation principle.
49 Subrule 4.7B(2) (note)
Omit “paragraph 7.5(1)(f)”, substitute “paragraph 7.5(1)(h)”.
50 Division 4.3 (at the end of the heading)
Add “—accredited persons”.
51 Rule 4.8
Repeal the rule, substitute:
This Division deals with:
(a) giving collection consents, use consents and disclosure consents to accredited persons; and
(b) amending such consents; and
(c) related matters.
Note: This Division does not cover collection consents for accredited persons to collect CDR data on behalf of CDR representatives; since those consents are given to the CDR representatives, they are covered by Division 4.3A.
52 Subrule 4.10(1)
Omit “give and”, substitute “give or”.
53 Subparagraph 4.10(1)(a)(i)
Omit “consumer experience”, substitute “relevant”.
54 After paragraph 4.11(1)(ba)
Insert:
55 Paragraph 4.11(1)(d)
After “data holder” insert “or accredited data recipient”.
56 Subrule 4.11(1) (note 1)
Omit “could not”, substitute “cannot”.
57 Subrule 4.11(1) (note 2)
After “12 months”, insert “(or 7 years for certain consents by a CDR business consumer)”.
58 Paragraph 4.11(3)(f)
Omit “an outsourced service provider”, substitute “a direct or indirect OSP”.
59 Paragraph 4.11(3)(i)
Omit “request;”, substitute “request:”.
60 Subrule 4.12(1)
Omit “An”, substitute “Subject to subrule (1A), an”.
61 After subrule 4.12(1)
Insert:
(a) not specify a period of time that is more than 7 years; and
(b) if specifying a period of time of more than 12 months, give the CDR business consumer the option of choosing a period for the consent of 12 months or less.
62 Subrule 4.12B(5)
Repeal the subrule.
63 At the end of subrule 4.12C(1)
Add:
64 At the end of rule 4.12C
Add:
(a) the CDR consumer is not an individual; or
(b) the CDR consumer has an active ABN.
Note: See subrule 1.10A(9).
65 Rule 4.13
Repeal the rule, substitute:
(1) A CDR consumer who has given a consent to an accredited person for the purposes of this Division may withdraw the consent at any time:
(a) by using the accredited person’s consumer dashboard; or
(b) by using a simple alternative method of communication to be made available by the accredited person for that purpose.
(2) If the consent is withdrawn under paragraph (1)(b), the accredited person must give effect to the withdrawal as soon as practicable, and in any case within 2 business days after receiving the communication.
Note: This subrule is a civil penalty provision (see rule 9.8).
(3) Withdrawal of a consent does not affect an election under rule 4.16 that the CDR consumer’s collected CDR data be deleted once it becomes redundant.
66 Rule 4.14
Repeal the rule, substitute:
(1) A consent given under this Division expires at the earliest of the following:
(a) if the consent is withdrawn in accordance with paragraph 4.13(1)(b)―the earlier of the following:
(i) when the accredited person gave effect to the withdrawal;
(ii) 2 business days after the accredited person received the communication;
(b) if the consent is withdrawn in accordance with paragraph 4.13(1)(a)―when the consent was withdrawn;
(c) the end of the period referred to in subrule (2) after the later of the following:
(i) the day the consent was given; or
(ii) if the period of the consent has been amended in accordance with this Division―the day the consent was last amended;
(d) at the end of the period the CDR consumer consented to in accordance with rule 4.11;
(e) if the consent expires as a result of the operation of another provision of these rules that references this paragraph―when the consent expires.
Note: Subrule 5.1B(6) is an example of a provision referencing paragraph (e). This relates to when a person with sponsored accreditation ceases to have a registered sponsor.
(2) For paragraph (1)(c), the period is:
(a) in the case of a consent given by a CDR business consumer that includes a business consumer statement—7 years; and
(b) in any other case—12 months.
(3) If:
(a) an accredited person is notified by a data holder, under rule 4.26A, of the withdrawal of an authorisation to disclose CDR data that relates to a collection consent given under this Division; and
(b) the collection consent has not expired in accordance with subrule (1);
the collection consent expires when the accredited person receives that notification.
Note: This would not result in the use consent relating to any CDR data that had already been collected expiring. However, see the notification requirement of rule 4.18A.
(4) If:
(a) an accredited person has a collection consent given under this Division to collect particular CDR data from a particular accredited data recipient; and
(b) the accredited data recipient has an AP disclosure consent to disclose that CDR data to that accredited person;
then if one of those consents expires, the other expires when the accredited person or accredited data recipient is notified of the first‑mentioned expiry.
Note: The notification is required by rule 4.18B.
(5) If an accredited person becomes a data holder, rather than an accredited data recipient, of particular CDR data as a result of subsection 56AJ(4) of the Act, all of that accredited person’s consents given under this Division that relate to that CDR data expire.
(6) If an accredited person’s accreditation is revoked or surrendered in accordance with rule 5.17, all of the accredited person’s consents expire when the revocation or surrender takes effect.
67 Rule 4.16
Repeal the rule, substitute:
4.16 Election to delete redundant data
(1) A CDR consumer who has given a consent relating to particular CDR data may:
(a) when giving the consent; or
(b) at any other time before the consent expires;
elect that the collected data, and any CDR data directly or indirectly derived from it, be deleted when it becomes redundant data.
Note 1: See rules 7.12 and 7.13 for the effect of an election.
Note 2: CDR data might become redundant data even before a consent expires.
(2) The CDR consumer may make the election:
(a) by communicating it to the accredited person in writing; or
(b) by using the accredited person’s consumer dashboard.
(3) This rule does not apply if the accredited person:
(a) has a general policy of deleting redundant data; and
(b) when seeking the consent, informs the CDR consumer that their CDR data will be deleted when it becomes redundant data.
Note: See paragraph 4.17(1)(a).
(4) This rule does not require the deletion of directly or indirectly derived CDR data that was de‑identified in accordance with the CDR data de‑identification process before the collected data from which it was derived became redundant.
68 Subrule 4.18(1)
Omit “The accredited person”, substitute “An accredited person”.
69 Paragraph 4.18(1)(aa)
Omit “this Part”, substitute “this Division”.
70 After rule 4.18
Insert:
4.18AA Notification of data holder or accredited data recipient if collection consent expires
(1) This rule applies if:
(a) an accredited person has made a consumer data request to a CDR participant, based on a collection consent given under this Division relating to particular CDR data and that CDR participant; and
(b) the request has not been completely resolved; and
(c) the consent expires for any reason.
(2) The accredited person must notify:
(a) if the CDR participant is a data holder―the data holder, in accordance with the data standards, that the consent has expired; and
(b) if the CDR participant is an accredited data recipient―the accredited data recipient as soon as practicable that the consent has expired.
Note: This subrule is a civil penalty provision (see rule 9.8).
71 Rule 4.18A (heading)
After “Notification”, insert “of CDR consumer”.
72 Rules 4.18B, 4.18C and 4.19
Repeal the rules, substitute:
4.18B Notification if collection consent or AP disclosure consent expires
(1) This rule applies if:
(a) an accredited person has made a consumer data request to an accredited data recipient on behalf of a CDR representative, based on a collection consent given under this Division relating to particular CDR data and that accredited data recipient; and
(b) the accredited data recipient has an AP disclosure consent relating to that CDR data; and
(c) the request has not been completely resolved.
(2) If the collection consent expires in accordance with these rules, the accredited person must notify the accredited data recipient as soon as practicable of the expiry.
Note 1: This subrule is a civil penalty provision (see rule 9.8).
Note 2: The AP disclosure consent that the accredited data recipient has expires when the notification is received—see subrule 4.14(4).
(3) If the AP disclosure consent expires in accordance with these rules, the accredited data recipient must notify the accredited person as soon as practicable of the expiry.
Note 1: This subrule is a civil penalty provision (see rule 9.8).
Note 2: The collection consent that the accredited person has expires when the notification is received—see subrule 4.14(4).
4.18C Notification of data holder or accredited data recipient if collection consent is amended
(1) This rule applies if:
(a) an accredited person has made a consumer data request to a CDR participant, based on a collection consent given under this Division relating to particular CDR data and that CDR participant; and
(b) the request has not been completely resolved; and
(c) the CDR consumer amends the consent.
(2) The accredited person must notify:
(a) if the CDR participant is a data holder―the data holder, in accordance with the data standards, that the consent has been amended; and
(b) if the CDR participant is an accredited data recipient―the accredited data recipient as soon as practicable that the consent has been amended.
Note: This subrule is a civil penalty provision (see rule 9.8).
4.19 Updating consumer dashboard
(1) An accredited person must update a CDR consumer’s consumer dashboard as soon as practicable after the information required to be contained on the dashboard changes.
Note: This subrule is a civil penalty provision (see rule 9.8).
(2) Where a CDR representative provides the consumer dashboard on behalf of a CDR representative principal (see subrule 1.14(5)), the CDR representative principal may arrange for the CDR representative to update the consumer dashboard on the CDR representative principal’s behalf.
73 Subrule 4.20(1)
After “use consent”, insert “given under this Division”.
74 After rule 4.20A
Insert:
Division 4.3A—Giving and amending consents—CDR representatives
Subdivision 4.3A.1—Preliminary
This Division deals with:
(a) giving collection consents, use consents and disclosure consents to CDR representatives; and
(b) amending such consents; and
(c) related matters.
The object of this Division is to ensure that a consent is:
(a) voluntary; and
(b) express; and
(c) informed; and
(d) specific as to purpose; and
(e) time limited; and
(f) easily withdrawn.
Subdivision 4.3A.2—Giving consents
Note: Under rule 4.3A, if a CDR representative asks a CDR consumer for their consent to collect and use their CDR data, it must do so in accordance with this Division, and in particular, rules 4.20D, 4.20E and 4.20F. A failure to do so could result in the CDR representative principal being liable for one or more civil penalty provisions: see section 56EF of the Act and rule 1.16A.
4.20D Requirements relating to CDR representative’s processes for seeking consent
A CDR representative’s processes for asking a CDR consumer to give or amend a consent:
(a) must:
(i) accord with any relevant data standards; and
(ii) having regard to any consumer experience guidelines developed by the Data Standards Body, be as easy to understand as practicable, including by use of concise language and, where appropriate, visual aids; and
(b) must not:
(i) include or refer to the CDR representative principal’s CDR policy or other documents so as to reduce comprehensibility; or
(ii) bundle consents with other directions, permissions, consents or agreements.
4.20E Asking CDR consumer to give consent
(1) When asking a CDR consumer to give a consent, a CDR representative must:
(a) allow the CDR consumer to choose the types of CDR data to which the consent will apply by enabling the CDR consumer to actively select or otherwise clearly indicate:
(i) in the case of a collection consent or a disclosure consent―the particular types of CDR data to which the consent will apply; and
(ii) in the case of a use consent―the specific uses of collected data to which they are consenting; and
(b) allow the CDR consumer to choose the period of the collection consent, use consent, or disclosure consent (as appropriate) by enabling the CDR consumer to actively select or otherwise clearly indicate whether the consent would apply:
(i) on a single occasion; or
(ii) over a specified period of time; and
(c) in the case of a disclosure consent―allow the CDR consumer to select the person to whom the CDR data may be disclosed; and
(d) ask for the CDR consumer’s express consent to the choices referred to in paragraphs (a), (b) and (c) for each relevant category of consents; and
(e) if the CDR representative intends to charge a fee for disclosure of CDR data, or pass on to the CDR consumer a fee charged by a data holder or accredited person for disclosure of CDR data:
(i) clearly distinguish between the CDR data for which a fee will, and will not, be charged or passed on; and
(ii) allow the CDR consumer to actively select or otherwise clearly indicate whether they consent to the collection or disclosure, as appropriate, of the CDR data for which a fee will be charged or passed on; and
(f) allow the CDR consumer to make an election in relation to deletion of redundant data in accordance with rule 4.20M.
Example: For a collection consent, a CDR representative could present the CDR consumer with a set of un‑filled boxes corresponding to different types of data, and permit the CDR consumer to select the boxes that correspond to the data they consent to the CDR representative collecting.
Note 1: A CDR representative cannot infer consent, or seek to rely on an implied consent.
Note 2: For paragraph (b), the specified period may not be more than 12 months: see subrule 4.20F(1). After the end of the period, redundant data would need to be dealt with in accordance with subsection 56EO(2) of the Act (privacy safeguard 12) and rules 7.12 and 7.13.
Note 3: For paragraph (e), a data holder could charge a fee for disclosure of voluntary consumer data, while an accredited data recipient could charge a fee for the disclosure of any CDR data.
(2) The CDR representative must not present pre‑selected options to the CDR consumer for the purposes of subrule (1).
Information presented to CDR consumer when asking for consent
(3) When asking a CDR consumer to give consent, the CDR representative must give the CDR consumer the following information:
(a) its name;
(b) the fact that the person is a CDR representative and that the CDR data will be collected by its CDR representative principal at its request;
(c) if the CDR representative is not located in Australia—the country in which it is located;
(d) the CDR representative principal’s name;
(e) the CDR representative principal’s accreditation number;
(f) in the case of a collection consent or a use consent―how the collection or use (as applicable) indicated in accordance with subrule (1) complies with the data minimisation principle, including how:
(i) in the case of a collection consent―that collection is reasonably needed, and relates to no longer a time period than is reasonably needed; and
(ii) in the case of a use consent―that use would not go beyond what is reasonably needed;
in order to provide the requested goods or services to the CDR consumer or make the other uses consented to;
(g) in the case of an insight disclosure consent—an explanation of the CDR insight that will make clear to the CDR consumer what the CDR insight would reveal or describe;
(h) if the CDR representative intends passing a fee on, or charging a fee, to the CDR consumer as described in paragraph (1)(e)―the following information:
(i) the amount of the fee;
(ii) the consequences if the CDR consumer does not consent to the collection, or to the disclosure, of that data;
(i) if the CDR representative is seeking a de‑identification consent—the additional information specified in rule 4.20L;
(j) a link to the CDR representative principal’s CDR policy;
(k) if the CDR data may be disclosed to, or collected by, a direct or indirect OSP (including one that is based overseas) of the CDR representative or of the CDR representative principal—a statement of that fact;
(l) a statement that the CDR consumer can obtain further information about the collections or disclosures for which consent is requested from the CDR representative principal’s CDR policy if desired;
(m) the following information about withdrawal of consents:
(i) a statement that, at any time, the consent can be withdrawn;
(ii) instructions for how the consent can be withdrawn;
(iii) a statement indicating the consequences (if any) to the CDR consumer if they withdraw the consent;
(n) the following information about redundant data:
(i) a statement, in accordance with rule 4.20N, regarding the CDR representative’s intended treatment of redundant data;
(ii) a statement outlining the CDR consumer’s right to elect that their redundant data be deleted;
(iii) instructions for how the election can be made.
Note: For paragraph (b), if the CDR representative is seeking the CDR consumer’s consent to de‑identification as referred to in paragraph (i), the CDR representative would need to indicate how that would comply with the data minimisation principle.
4.20F Restrictions on seeking consent
(2) A CDR representative must not ask for a collection consent or a use consent unless it would comply with the data minimisation principle in respect of that collection or those uses.
Note: See rule 1.8 for the definition of “data minimisation principle”.
(3) A CDR representative must not ask for a consent:
(a) that is not in a category of consents; or
(b) subject to subrule (4), for using the CDR data, including by aggregating the data, for the purpose of:
(i) identifying; or
(ii) compiling insights in relation to; or
(iii) building a profile in relation to;
any identifiable person who is not the CDR consumer who made the consumer data request.
(4) Paragraph (3)(b) does not apply in relation to a person whose identity is readily apparent from the CDR data, if the CDR representative is seeking consent to:
(a) derive, from that CDR data, CDR data about that person’s interactions with the CDR consumer; and
(b) use that derived CDR data in order to provide the requested goods or services.
Subdivision 4.3A.3—Amending consents
An amendment of a consent takes effect when the CDR consumer amends the consent.
Note: It is not possible for the CDR consumer to specify a different day or time.
4.20H Inviting CDR consumer to amend consent
(1) A CDR representative may invite a CDR consumer to amend a consent given in accordance with this Division only in accordance with this rule.
(2) The CDR representative may give the invitation:
(a) if the CDR representative principal’s consumer dashboard offers the consent amendment functionality referred to in subrule 1.14(2A)―via the consumer dashboard; or
(b) in writing directly to the CDR consumer.
Note: The CDR representative principal may allow the CDR representative to provide the consumer dashboard on its behalf—see subrule 1.14(5).
(3) The CDR representative may invite a CDR consumer to amend a current consent if:
(a) the amendment would better enable the CDR representative to provide the goods or services referred to in paragraph 4.3A(1)(a); or
(b) the amendment would:
(i) be consequential to an agreement between the CDR representative and the CDR consumer to modify those goods or services; and
(ii) enable the CDR representative to provide the modified goods or services.
(4) The CDR representative must not, for an invitation to amend the period referred to in paragraph 4.20E(1)(b):
(a) give the invitation any earlier than a reasonable period before the current consent is expected to expire; or
(b) give more than a reasonable number of such invitations within this period.
4.20I Process for amending consent
(1) Subject to this rule, if a CDR representative allows CDR consumers to amend consents, it must allow them to do so in the same manner in which it asks CDR consumers to give consents.
(2) Despite subrule 4.20E(2), in the case of an amendment to a consent, a CDR representative may present, as pre‑selected options, the following details of the current consent:
(a) the selections or indications referred to in paragraphs 4.20E(1)(a), (b) and (c);
(b) the election (if any) referred to in paragraph 4.20E(1)(f).
(3) In the case of an amendment to a consent, in addition to the information referred to in subrule 4.20E(3), the CDR representative must give the CDR consumer:
(a) a statement that indicates the consequences of amending a consent; and
(b) a statement that the CDR representative will be able to continue to use any CDR data that has already been disclosed to it to the extent allowed by the amended consent.
Subdivision 4.3A.4—Withdrawing consents
(1) A CDR consumer who has given a consent to a CDR representative for the purposes of this Division may withdraw the consent at any time:
(a) by using the CDR representative principal’s consumer dashboard; or
(b) by using:
(i) a method mentioned in subrule (2) to notify the CDR representative principal; or
(ii) a method mentioned in subrule (3) to notify the CDR representative.
Note 1: The CDR representative principal may allow the CDR representative to provide the consumer dashboard on its behalf—see subrule 1.14(5).
Note 2: If the withdrawal is made using the consumer dashboard, it has effect immediately (see rule 4.20K).
Withdrawal without using consumer dashboard
(2) The CDR representative principal must make available a simple method of communication for the withdrawal of consent, as an alternative to using the CDR representative principal’s consumer dashboard.
Note 1: The CDR representative principal may allow the CDR representative to provide the consumer dashboard on its behalf—see subrule 1.14(5).
Note 2: This subrule is a civil penalty provision (see rule 9.8).
(3) The CDR representative must make available a simple method of communication for the withdrawal of consent, as an alternative to using the CDR representative principal’s consumer dashboard.
Note: A failure to do this could make the CDR representative principal liable for a civil penalty (see rule 1.16A).
(4) If the consent is withdrawn under paragraph (1)(b), whichever of the CDR representative principal and the CDR representative received the communication must notify the other as soon as practicable.
(5) If the consent is withdrawn under paragraph (1)(b), the CDR representative principal must give effect to the withdrawal as soon as practicable, and in any case within 2 business days after the communication is received in accordance with paragraph (1)(b).
Note: This subrule is a civil penalty provision (see rule 9.8).
(6) If the consent is withdrawn under paragraph (1)(b), the CDR representative must give effect to the withdrawal as soon as practicable, and in any case within 2 business days after the communication is received in accordance with paragraph (1)(b).
Note: A failure to do this could make the CDR representative principal liable for a civil penalty (see rule 1.16A).
(7) Withdrawal of a consent does not affect an election under rule 4.20M that the CDR consumer’s collected CDR data be deleted once it becomes redundant.
Subdivision 4.3A.5—Duration of consent
(1) A consent given under this Division expires at the earliest of the following:
(a) if the consent is withdrawn in accordance with paragraph 4.20J(1)(a)―when the consent is withdrawn;
(b) if the consent is withdrawn in accordance with paragraph 4.20J(1)(b)―the earlier of the following:
(i) when the CDR representative principal and CDR representative give effect to the withdrawal;
(ii) 2 business days after the CDR representative principal or CDR representative receives the communication;
(c) the end of the period of 12 months after the later of the following:
(i) the day the consent was given; or
(ii) if the period of the consent has been amended in accordance with this Division―the day the consent was last amended;
(d) at the end of the period the CDR consumer consented to in accordance with rule 4.20E;
(e) if the consent expires as a result of the operation of another provision of these rules that references this paragraph—when the consent expires.
(2) If:
(b) the collection consent has not expired in accordance with subrule (1);
the collection consent expires when the CDR representative principal receives that notification.
Note: This would not result in the use consent relating to any CDR data that had already been collected expiring, so it may continue to be used by the CDR representative in accordance with those consents. However, see the notification requirement of rule 4.20Q.
(a) a CDR representative principal has a collection consent given under this Division to collect particular CDR data from a particular accredited data recipient; and
(b) the accredited data recipient has an AP disclosure consent to disclose that CDR data to that CDR representative principal;
then if one of those consents expires, the other expires when the CDR representative principal or accredited data recipient is notified of the first‑mentioned expiry.
Note: The notification is required by rule 4.18B.
(4) If a CDR representative principal’s accreditation is revoked or surrendered in accordance with rule 5.17, all of the consents of any of the CDR representative principal’s CDR representatives expire when the revocation or surrender takes effect.
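The expiry rules in substituted rule 4.14 (item 66) and subrule 4.20K(1) above are the part of this instrument an accredited person's consent store has to compute exactly: a consent ends at the earliest of several events, the alternative withdrawal channel gets at most 2 business days, and the default period is 12 months, or 7 years where a CDR business consumer statement is present. The following is an added example in Python, not text of the instrument and not code from any CDR participant. It models paragraphs 4.14(1)(a) to (e) and subrule 4.14(2); the 4.20K(1) calculation is the same with the period fixed at 12 months. It assumes business days are Monday to Friday with no public holiday calendar, and that the 12-month and 7-year periods are calendar periods counted from the same day of the month; the class and function names are the example's own.

```python
"""Consent expiry modelled on rule 4.14(1)-(2) as substituted by item 66.

Added example, not part of the instrument. Assumptions not stated in the rules:
business days are Monday to Friday with no public-holiday calendar, and the
"12 months" / "7 years" periods are calendar periods from the same day of month.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


def add_business_days(start: datetime, n: int) -> datetime:
    """Same time of day, n business days later (assumption: Mon-Fri, no holidays)."""
    d, counted = start, 0
    while counted < n:
        d += timedelta(days=1)
        if d.weekday() < 5:
            counted += 1
    return d


def add_months(d: datetime, months: int) -> datetime:
    """Calendar-month arithmetic; clamps the day for short months (31 Jan -> 29 Feb)."""
    m = d.month - 1 + months
    year, month = d.year + m // 12, m % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return d.replace(year=year, month=month, day=day)


@dataclass
class Consent:
    given_at: datetime
    consented_until: Optional[datetime] = None        # end of the period chosen under rule 4.11 (4.14(1)(d))
    business_consumer_statement: bool = False         # CDR business consumer statement present (4.14(2)(a))
    last_amended_at: Optional[datetime] = None        # amendment restarts the default period (4.14(1)(c)(ii))
    dashboard_withdrawn_at: Optional[datetime] = None # withdrawal via dashboard, paragraph 4.13(1)(a)
    withdrawal_received_at: Optional[datetime] = None # alternative-channel communication, paragraph 4.13(1)(b)
    withdrawal_effected_at: Optional[datetime] = None # when the accredited person gave effect to it
    other_expiry_at: Optional[datetime] = None        # expiry forced by another provision (4.14(1)(e), (3)-(6))


def default_period_end(c: Consent) -> datetime:
    """Paragraph 4.14(1)(c) with the period from subrule 4.14(2): 7 years or 12 months."""
    start = max(c.given_at, c.last_amended_at) if c.last_amended_at else c.given_at
    return add_months(start, 84 if c.business_consumer_statement else 12)


def expiry(c: Consent) -> tuple:
    """Return (when the consent expires, the paragraph of subrule 4.14(1) that fixes it)."""
    candidates = []
    if c.withdrawal_received_at:
        # 4.14(1)(a): earlier of giving effect and 2 business days after receipt.
        deadline = add_business_days(c.withdrawal_received_at, 2)
        if c.withdrawal_effected_at and c.withdrawal_effected_at < deadline:
            candidates.append((c.withdrawal_effected_at, "4.14(1)(a)(i)"))
        else:
            candidates.append((deadline, "4.14(1)(a)(ii)"))
    if c.dashboard_withdrawn_at:
        candidates.append((c.dashboard_withdrawn_at, "4.14(1)(b)"))   # immediate
    candidates.append((default_period_end(c), "4.14(1)(c)"))
    if c.consented_until:
        candidates.append((c.consented_until, "4.14(1)(d)"))
    if c.other_expiry_at:
        candidates.append((c.other_expiry_at, "4.14(1)(e)"))
    # "expires at the earliest of the following"
    return min(candidates, key=lambda t: t[0])


if __name__ == "__main__":
    # Constructed scenario: consent given Wed 10 Jan 2024, alternative-channel
    # withdrawal received Fri 1 Mar 2024, given effect Mon 4 Mar 2024.
    c = Consent(given_at=datetime(2024, 1, 10, 10, 0),
                consented_until=datetime(2024, 6, 10, 10, 0),
                withdrawal_received_at=datetime(2024, 3, 1, 9, 0),
                withdrawal_effected_at=datetime(2024, 3, 4, 12, 0))
    print(expiry(c))
```

The interesting cases are the ones the text leaves to inference: a consent whose chosen period is longer than the default still expires under paragraph (c), so a non-business consumer can never hold a consent past 12 months whatever period was selected, and a business consumer with a statement is capped at 7 years, which matches the new subrule 4.12(1A) inserted by item 61. An accredited person that has not yet given effect to a withdrawal must treat the consent as expired 2 business days after receipt regardless.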
Subdivision 4.3A.6—Information relating to de‑identification of CDR data
4.20L Additional information relating to de‑identification of CDR data
For paragraph 4.20E(3)(i), the additional information relating to de‑identification is the following:
(a) what the CDR data de‑identification process is;
(b) if it would disclose (by sale or otherwise) the de‑identified data to one or more other persons;
(i) that fact; and
(ii) the classes of persons to which it would disclose that data; and
(iii) why it would so disclose that data;
(c) if the CDR representative would use the de‑identified data for general research―that fact, together with a link to a description in the CDR representative principal’s CDR policy of:
(i) the research to be conducted; and
(ii) any additional benefit to be provided to the CDR consumer for consenting to the use;
(e) that the CDR consumer would not be able to elect, in accordance with rule 4.20M, to have the de‑identified data deleted once it becomes redundant data.
Subdivision 4.3A.7—Election to delete redundant data
4.20M Election to delete redundant data
(1) The CDR consumer who gives a consent relating to particular CDR data may:
(a) when giving the consent; or
(b) at any other time before the consent expires;
elect that the collected data, and any CDR data directly or indirectly derived from it, be deleted when it becomes redundant data.
Note 1: See rules 7.12 and 7.13 for the effect of an election.
Note 2: CDR data might become redundant data even before a consent expires.
(2) The CDR consumer may make the election:
(a) by communicating it to the CDR representative principal or CDR representative in writing; or
(b) by using the CDR representative principal’s consumer dashboard.
Note: The CDR representative principal may allow the CDR representative to provide the consumer dashboard on its behalf—see subrule 1.14(5).
(3) This rule does not apply if the CDR representative:
(a) has a general policy of deleting redundant data; and
(b) when seeking the consent, informs the CDR consumer that their CDR data will be deleted when it becomes redundant data.
Note: See paragraph 4.20N(1)(a).
(4) This rule does not require the deletion of directly or indirectly derived CDR data that was de‑identified in accordance with the CDR data de‑identification process before the collected data from which it was derived became redundant.
4.20N Information relating to redundant data
(1) For subparagraph 4.20E(3)(n)(i), the CDR representative must state whether it has a general policy, when collected CDR data becomes redundant data, of:
(a) deleting the redundant data; or
(b) de‑identifying the redundant data; or
(c) deciding, when the CDR data becomes redundant data, whether to delete it or de‑identify it.
(2) A CDR representative that gives the statement referred to in paragraph (1)(b) or (c) must also state:
(a) that, if it de‑identifies the redundant data:
(i) it would apply the CDR data de‑identification process; and
(ii) it would be able to use or, if applicable, disclose (by sale or otherwise) the de‑identified redundant data without seeking further consent from the CDR consumer; and
(b) what de‑identification of CDR data in accordance with the CDR data de‑identification process means; and
(c) if applicable, examples of how it could use the redundant data once de‑identified.
Note: For the CDR data de‑identification process, see rule 1.17.
Subdivision 4.3A.8—Notification requirements
(1) A CDR representative must give the CDR consumer a notice that complies with this rule (a CDR receipt) as soon as practicable after:
(a) the CDR consumer gives the CDR representative a collection consent, a use consent or a disclosure consent; or
(b) the CDR consumer amends such a consent in accordance with this Division; or
(c) the CDR consumer withdraws such a consent in accordance with rule 4.20J.
Note: A failure to do this could make the CDR representative principal liable for a civil penalty (see rule 1.16A).
(2) A CDR receipt given for the purposes of paragraph (1)(a) must set out:
(a) the details that relate to the consent that are listed in paragraphs 1.14(3)(a) to (f); and
(b) in the case of a collection consent―the name of each CDR participant the CDR consumer has consented to the collection of CDR data from; and
(ba) in the case of a disclosure consent―the name of the person the CDR consumer has consented to the disclosure of CDR data to; and
(c) any other information the CDR representative provided to the CDR consumer when obtaining the consent (see rule 4.20E).
(3) A CDR receipt given for the purposes of paragraph (1)(b) must set out details of each amendment that has been made to the consent.
(4) A CDR receipt given for the purposes of paragraph (1)(c) must set out when the consent expired.
(5) A CDR receipt must be given in writing otherwise than through the CDR representative principal’s consumer dashboard.
Note: The CDR representative principal may allow the CDR representative to provide the consumer dashboard on its behalf—see subrule 1.14(5).
(6) A copy of the CDR receipt may be included in the CDR representative principal’s consumer dashboard.
Note: The CDR representative principal may allow the CDR representative to provide the consumer dashboard on its behalf—see subrule 1.14(5).
4.20P Notification of data holder or accredited data recipient if collection consent expires
(1) This rule applies if:
(a) an accredited person has made a consumer data request on behalf of a CDR representative to a CDR participant based on a collection consent given under this Division relating to particular CDR data and a particular CDR participant; and
(b) the request has not been completely resolved; and
(c) the consent expires for any reason.
(2) The accredited person must notify:
(a) if the CDR participant is a data holder―the data holder, in accordance with the data standards, that the consent has expired; and
(b) if the CDR participant is an accredited data recipient―the accredited data recipient as soon as practicable that the consent has expired.
Note: This subrule is a civil penalty provision (see rule 9.8).
4.20Q Notification of consumer if collection consent expires
(1) This rule applies if, in relation to particular goods or services a CDR representative is providing as referred to in subrule 4.3A(1):
(a) the collection consent expires; but
(b) the use consent is current.
(2) The CDR representative must notify the CDR consumer as soon as practicable that, at any time, they:
(a) may withdraw the use consent; and
(b) may make the election to delete redundant data in respect of that CDR data under rule 4.20M.
Note: A failure to do this could make the CDR representative principal liable for a civil penalty (see rule 1.16A).
(3) The notification must be given in writing otherwise than through the CDR representative principal’s consumer dashboard.
Note: The CDR representative principal may allow the CDR representative to provide the consumer dashboard on its behalf—see subrule 1.14(5).
(4) The notification may also be included in the CDR representative principal’s consumer dashboard.
Note: The CDR representative principal may allow the CDR representative to provide the consumer dashboard on its behalf—see subrule 1.14(5).
4.20R Notification if collection consent or AP disclosure consent expires
(1) This rule applies if:
(a) a CDR representative principal has made a consumer data request to an accredited data recipient on behalf of a CDR representative, based on a collection consent given under this Division relating to particular CDR data and that accredited data recipient; and
(b) the accredited data recipient has an AP disclosure consent relating to that CDR data; and
(c) the request has not been completely resolved.
(2) If the collection consent expires in accordance with these rules, the CDR representative principal must notify the accredited data recipient as soon as practicable of the expiry.
Note 1: This subrule is a civil penalty provision (see rule 9.8).
Note 2: The AP disclosure consent that the accredited data recipient has expires when the notification is received—see subrule 4.20K(2).
(3) If the AP disclosure consent expires in accordance with these rules, the accredited data recipient must notify the CDR representative principal as soon as practicable of the expiry.
Note 1: This subrule is a civil penalty provision (see rule 9.8).
Note 2: The collection consent that the CDR representative principal has expires when the notification is received—see subrule 4.20K(2).
4.20S Notification if collection consent is amended
(1) This rule applies if:
(a) a CDR representative principal has made a consumer data request to a CDR participant on behalf of a CDR representative, based on a collection consent given under this Division relating to particular CDR data and a particular CDR participant; and
(b) the request has not been completely resolved; and
(c) the CDR consumer amends the consent.
(2) The CDR representative principal must notify:
(a) if the CDR participant is a data holder―the data holder, in accordance with the data standards, that the consent has been amended; and
(b) if the CDR participant is an accredited data recipient―the accredited data recipient as soon as practicable that the consent has been amended.
Note: This subrule is a civil penalty provision (see rule 9.8).
4.20T Updating consumer dashboard
Note: The CDR representative principal may allow the CDR representative to provide the consumer dashboard on its behalf—see subrule 1.14(5).
(2) The CDR representative principal must, as soon as practicable, make those changes.
Note 1: This subrule is a civil penalty provision (see rule 9.8).
4.20U Ongoing notification requirement—collection consents and use consents
(1) This rule applies in relation to a collection consent or a use consent given under this Division if:
(a) the consent is current; and
(b) 90 days have elapsed since the latest of the following:
(i) the CDR consumer gave the consent;
(ii) the CDR consumer last amended the consent;
(iii) the CDR consumer last used the CDR representative principal’s consumer dashboard;
(iv) the CDR representative or the CDR representative principal last sent the CDR consumer a notification in accordance with this rule.
(2) The CDR representative must notify the CDR consumer in accordance with this rule that the consent is still current.
Note: A failure to do this could make the CDR representative principal liable for a civil penalty (see rule 1.16A).
(3) The notification must be given in writing otherwise than through the CDR representative principal’s consumer dashboard.
(4) A copy of the notification may be included in the CDR representative principal’s consumer dashboard.
Note: The CDR representative principal may allow the CDR representative to provide the consumer dashboard on its behalf—see subrule 1.14(5).
75 Subrule 4.22A(1)
After “rule 4.18C”, insert “or 4.20S”.
76 At the end of subrule 4.23(1)
Add:
77 Rule 4.25
Repeal the rule, substitute:
4.25 Withdrawal of authorisation to disclose CDR data
(1) A CDR consumer who has given an authorisation to a data holder to disclose particular CDR data to an accredited person may withdraw the authorisation at any time:
(a) by using the data holder’s consumer dashboard; or
(b) by using a simple alternative method of communication to be made available by the data holder for that purpose.
(2) If the withdrawal was in accordance with paragraph (1)(b), the data holder must give effect to the withdrawal as soon as practicable, and in any case within 2 business days after receiving the communication.
Note: This subrule is a civil penalty provision (see rule 9.8).
78 Paragraph 4.26(1)(d)
Omit “paragraph 4.13(2)(b)”, substitute “rule 4.18AA or 4.20P”.
79 After rule 4.26
Insert:
4.26A Notifications of expired authorisations
If an authorisation to disclose particular CDR data to an accredited person is withdrawn or otherwise expires, the data holder must notify the accredited person in accordance with the data standards.
Note: This rule is a civil penalty provision (see rule 9.8).
80 Subrule 5.1B(6)
Omit “subrule 4.14(1)(f)”, substitute “paragraph 4.14(1)(e)”.
81 Subrule 5.1B(7) (note)
Omit “subrule 4.14(2)”, substitute “subrule 4.14(6)”.
82 Subrule 5.2(2) (note 2)
Omit “paragraph 5.14(c)”, substitute “paragraph 5.14(1)(c)”.
83 Subparagraph 5.4(1)(a)(iv)
After “Authority”, insert “Limited”.
84 Paragraph 5.4(1)(c)
Omit “purpose”, substitute “purposes”.
Repeal the rule, substitute:
5.12 Obligations of accredited person
(1) An accredited person must:
(a) take the steps outlined in Schedule 2 which relate to protecting CDR data from:
(i) misuse, interference and loss; and
(ii) unauthorised access, modification or disclosure; and
(b) meet the internal dispute resolution requirements in relation to one or more designated sectors; and
(c) meet the external dispute resolution requirements for each designated sector in which the person operates; and
(d) have addresses for service; and
(e) if the applicant is a foreign entity—have a local agent that has addresses for service; and
(f) ensure that it is licensed or otherwise authorised to use any CDR logo, including as required by the data standards.
Note 1: See sector Schedules for how this provision might operate differently for different designated sectors.
Note 2: For the banking sector, see clause 7.4 of Schedule 3.
Note 3: For paragraph (a), the steps outlined in Schedule 2 relate to privacy safeguard 12 (see subsection 56EO(1) of the Act and rule 7.11 of these rules).
Note 4: For paragraph (b), see rule 1.7 for the meaning of “meet the internal dispute resolution requirements”. See also:
for the banking sector—clause 5.1 of Schedule 3;
for the energy sector—clause 5.1 of Schedule 4.
Note 5: For paragraph (c), see rule 1.7 for the meaning of “meet the external dispute resolution requirements”. See also:
for the banking sector—clause 5.2 of Schedule 3;
for the energy sector—clause 5.2 of Schedule 4.
Note 6: For paragraphs (d) and (e), see rule 1.7 for the meaning of “addresses for service”.
Note 7: This subrule is a civil penalty provision (see rule 9.8).
(2) An accredited person must:
(a) be, having regard to the fit and proper person criteria, a fit and proper person to be accredited at that level; and
(b) have adequate insurance, or a comparable guarantee, in light of the risk of CDR consumers not being properly compensated for any loss that might reasonably be expected to arise from a breach of obligations under any of the following to the extent that they are relevant to the management of CDR data:
(i) the Act;
(ii) any regulation made for the purposes of the Act;
(iii) these rules.
86 Subrule 5.14(1) (note)
Omit “rule”, substitute “subrule”.
87 Subrule 5.14(3)
Repeal the subrule (including the heading), substitute:
CDR representative principals
(3) An accredited person that enters into a CDR representative arrangement as the CDR representative principal must notify the Data Recipient Accreditor that they have done so as soon as practicable, but no later than 5 business days after the event.
88 Paragraph 5.14(4)(e)
After “provided by”, insert “the”.
89 Subrule 5.14(5)
Omit “principal”, substitute “CDR representative principal”.
90 Subrule 5.23(4) (note 1)
Omit “subrule 4.14(2)”, substitute “subrules 4.14(6) and 4.20K(2)”.
91 Rule 5.27 (note)
Repeal the note.
92 Rule 6.1
Repeal the rule, substitute:
6.1 Requirement for data holders―internal dispute resolution
A data holder in relation to a particular designated sector must meet the internal dispute resolution requirements in relation to that sector.
Note 1: See rule 1.7 for the meaning of “meets the internal dispute resolution requirements”. See also:
for the banking sector—clause 5.1 of Schedule 3;
for the energy sector—clause 5.1 of Schedule 4.
Note 2: An accredited person must also meet those internal dispute resolution requirements: see paragraph 5.12(1)(b).
Note 3: This rule is a civil penalty provision (see rule 9.8).
93 Rule 6.2
Repeal the rule, substitute:
6.2 Requirement for data holders―external dispute resolution
A data holder must meet the external dispute resolution requirements for each designated sector in which the data holder operates.
Note 1: See the definition of “recognised external dispute resolution scheme” in subrule 1.7(1), and see subrule 1.7(3) for the interpretation of references to “data holder”.
Note 2: An accredited person must also meet the external dispute resolution requirements: see paragraph 5.12(1)(c). See also:
for the banking sector—clause 5.2 of Schedule 3;
for the energy sector—clause 5.2 of Schedule 4.
Note 3: This rule is a civil penalty provision (see rule 9.8).
94 Rule 7.1
Omit “Part IV of the Act”, substitute “Part IVD of the Act”.
95 Paragraphs 7.2(4)(aa) and (ab)
Repeal the paragraphs.
96 Paragraphs 7.2(4)(e) and (f)
Repeal the paragraphs, substitute:
(f) a list of the direct and indirect OSPs of the accredited person and of any CDR representative (whether based in Australia or based overseas, and whether or not any is an accredited person);
97 Subparagraph 7.2(4)(h)(iii)
Renumber as subparagraph (ii).
98 Paragraph 7.2(4)(i)
Repeal the paragraph, substitute:
(i) is based overseas; and
(ii) is not an accredited person;
—the countries in which such direct or indirect OSPs are likely to be based if it is practicable to specify those countries in the policy;
99 Subrule 7.2(4) (notes 1, 2 and 3)
Repeal the notes, substitute:
Note 2: This subrule is a civil penalty provision (see rule 9.8).
100 Subrule 7.2(5)
Omit “subparagraphs (4)(e)(ii) and (g)(ii)”, substitute “subparagraphs (4)(j)(ii) and (l)(ii)”.
101 Subrule 7.3A(2)
Omit “subrule (2)”, substitute “subrule (1)”.
102 After rule 7.3A
Insert:
7.3B Rule relating to privacy safeguard 4—destruction of unsolicited data—outsourced service providers
(1) An accredited person breaches this subrule if a direct or indirect OSP of:
(a) the accredited person; or
(b) a CDR representative of the accredited person;
fails to comply with section 56EG of the Act in relation to service data of a CDR consumer as if:
(c) it were an accredited person; and
(d) it had collected the service data.
Note 1: See rule 1.10 for the definition of “service data” in relation to a CDR outsourcing arrangement.
Note 2: This subrule is a civil penalty provision (see rule 9.8).
(2) For subrule (1), it is irrelevant whether the action of the direct or indirect OSP in relation to the service data is in accordance with the CDR outsourcing arrangement.
103 Subrule 7.4(2)
Repeal the subrule, substitute:
(2) Where the CDR data was collected by a sponsor on behalf of an affiliate:
(a) the sponsor is not required to provide the consumer dashboard; and
Note: The affiliate, as an accredited person that makes the consumer request through the sponsor, is required to provide the consumer dashboard under subrule 1.14(1).
(b) the sponsor and the affiliate may choose which of them will be responsible for updating the consumer’s dashboard in accordance with subrule (1); and
(c) the dashboard must also indicate that the CDR data was collected by the sponsor on behalf of the affiliate.
Note 1: See also paragraph 1.14(3)(ha).
Note 2: See subrule 1.16(5) for how this rule applies where the CDR data is collected by an accredited person acting as a direct or indirect OSP to the accredited data recipient.
104 Rules 7.5, 7.5A and 7.6
Repeal the rules, substitute:
7.5 Meaning of permitted use or disclosure and relates to direct marketing
Permitted uses or disclosures that do not relate to direct marketing
(1) For these rules, for an accredited data recipient that has collected CDR data under a consumer data request under Part 4 on behalf of a CDR consumer, each of the following is a permitted use or disclosure:
(a) using the CDR consumer’s CDR data to provide goods or services requested by the CDR consumer (the existing goods or services):
(i) in compliance with the data minimisation principle; and
(ii) in accordance with a current use consent from the CDR consumer, other than a direct marketing consent;
(b) in accordance with a current de-identification consent, de‑identifying the CDR consumer’s CDR data in accordance with the CDR data de‑identification process and:
(i) using the de‑identified data for general research; or
(ii) disclosing (including by selling) the de‑identified data;
(c) directly or indirectly deriving CDR data from the collected CDR data in order to use the data in accordance with paragraph (a) or (b);
(d) for the purpose of providing the existing goods or services—disclosing, to the CDR consumer, any of their CDR data;
(e) subject to rule 7.5A, disclosing the CDR consumer’s CDR data in accordance with a current disclosure consent;
(f) disclosing the CDR consumer’s CDR data to:
(i) a direct or indirect OSP of the accredited data recipient; or
(ii) the other party in a sponsorship arrangement;
where the disclosure is made:
(iii) for the purpose of doing the things referred to in paragraphs (a) to (e); and
(iv) to the extent reasonably needed to do those things;
(g) disclosing (by sale or otherwise), to any person, CDR data that has been de‑identified in accordance with the CDR data de‑identification process on becoming redundant data;
(h) where the accredited data recipient collected the CDR data on behalf of another accredited person in its capacity as a direct or indirect OSP of that person—using or disclosing the CDR data in accordance with the relevant CDR outsourcing arrangement;
(i) disclosing CDR data to an accredited person if the CDR consumer has:
(i) given the accredited person:
(A) a collection consent to collect the CDR data from the accredited data recipient; and
(B) a use consent; and
(ii) given the accredited data recipient an AP disclosure consent to disclose the CDR data to the accredited person;
(j) where the accredited data recipient is a CDR representative principal—disclosing the CDR data to a CDR representative for the purposes of a use or disclosure by the CDR representative that would be a permitted use or disclosure under paragraphs (a) to (g) or (i), if the CDR representative were an accredited data recipient that had collected the CDR data under the consumer data request.
(2) However:
(a) a disclosure is not a permitted use or disclosure unless it is done in accordance with the data standards; and
(b) none of the uses of CDR data referred to in subrule 4.12(3) is a permitted use or disclosure.
Note: The same list of uses appears in subrule 4.20F(3).
Permitted uses or disclosures that relate to direct marketing
(3) For these rules, a use or disclosure of the CDR consumer’s CDR data by an accredited data recipient that is not itself a permitted use or disclosure under subrule (1) is nevertheless a permitted use or disclosure that relates to direct marketing if it consists of one of the following:
(a) in accordance with a direct marketing consent from the CDR consumer—sending to the CDR consumer:
(i) information about upgraded or alternative goods or services to existing goods or services; or
(ii) an offer to renew existing goods or services when they expire; or
(iii) information about the benefits of existing goods or services; or
(iv) information about other goods or services provided by another accredited person, if the accredited data recipient:
(A) reasonably believes that the CDR consumer might benefit from those other goods or services; and
(B) sends such information to the CDR consumer on no more than a reasonable number of occasions;
(b) in accordance with a direct marketing consent from the CDR consumer—disclosing CDR data to an accredited person to enable the accredited person to provide the goods or services referred to in subparagraph (a)(iv), if the CDR consumer has:
(i) given the accredited person:
(A) a collection consent to collect the CDR data from the accredited data recipient; and
(B) a use consent; and
(ii) given the accredited data recipient a disclosure consent to disclose the CDR data to the accredited person;
(c) using the CDR data in a way and to the extent that is reasonably needed in order to send to the CDR consumer something permitted under paragraph (a) or paragraph (b) (including by analysing the CDR data to identify the appropriate information to send);
(d) disclosing the CDR consumer’s CDR data to a direct or indirect OSP of the accredited data recipient:
(i) for the purpose of doing the things referred to in paragraphs (a), (b) or (c); and
(ii) to the extent reasonably needed to do those things;
(e) where the accredited data recipient is a CDR representative principal—disclosing the CDR data to a CDR representative for the purposes of a use or disclosure by the CDR representative that would be a permitted use or disclosure under paragraph (a), (c) or (d) if the CDR representative were an accredited data recipient that had collected the CDR data under the consumer data request.
7.5A Limitation to disclosures of CDR data under a disclosure consent
(1) Despite paragraph 7.5(1)(e), disclosure of CDR data to an accredited person under an AP disclosure consent is not a permitted use or disclosure until the earlier of the following:
(a) 1 July 2021;
(b) the day the Data Standards Chair makes the data standard about the matter referred to in subparagraph 8.11(1)(c)(iii).
(2) Despite paragraph 7.5(1)(e), disclosure of CDR data to a trusted adviser under a TA disclosure consent is not a permitted use or disclosure until the earlier of the following:
(a) 1 February 2022;
(b) the day the Data Standards Chair makes the data standard about the matter referred to in subparagraph 8.11(1)(c)(iv).
(3) Despite paragraph 7.5(1)(e), disclosure of a CDR insight under an insight disclosure consent is not a permitted use or disclosure until the earlier of the following:
(a) 1 February 2022;
(b) the day the Data Standards Chair makes the data standard about the matters referred to in subrule 8.11(1A).
(4) Despite paragraph 7.5(1)(e), disclosure of a CDR insight under an insight disclosure consent is not a permitted use or disclosure if the CDR insight includes or reveals sensitive information within the meaning of the Privacy Act 1988.
(5) Despite paragraph 7.5(1)(e), disclosure of CDR data in accordance with a business consumer disclosure consent is not a permitted use or disclosure until the earlier of the following:
(a) if the Data Standards Chair makes data standards about the matters referred to in both subparagraphs 8.11(1)(a)(iv) and 8.11(1)(c)(vi) before 1 December 2023—the day on which the last of those standards is made;
(b) 1 December 2023.
7.6 Use or disclosure of CDR data by accredited data recipients and related persons
(1) Subject to the Act and these rules, an accredited data recipient that has collected CDR data under a consumer data request under Part 4 made on behalf of a CDR consumer must not use or disclose it, or CDR data directly or indirectly derived from it, other than for a permitted use or disclosure (whether or not one that relates to direct marketing).
Note: This subrule is a civil penalty provision (see rule 9.8).
(2) For this rule:
(a) any use or disclosure of service data by a direct or indirect OSP of:
(i) an accredited data recipient; or
(ii) a CDR representative of the accredited data recipient;
is taken to have been by the accredited data recipient; and
(b) it is irrelevant whether the use or disclosure is in accordance with the relevant CDR outsourcing arrangement.
Note: See rule 1.10AA for the definition of “service data” in relation to a direct or indirect OSP.
(3) For this rule, any CDR data collected by an accredited person at the request of an affiliate is taken also to have been collected by the affiliate.
(4) For this rule:
(a) any use or disclosure of service data by a CDR representative is taken to have been by the CDR representative principal; and
(b) it is irrelevant whether the use or disclosure is in accordance with the CDR representative arrangement.
Note: See rule 1.10AA for the definition of “service data” in relation to a CDR representative arrangement.
(5) For this rule:
(a) any collection of service data by a direct or indirect OSP of an accredited person is taken to have been by the accredited person; and
(b) it is irrelevant whether the collection is in accordance with the relevant CDR outsourcing arrangement.
Note: See rule 1.10AA for the definition of “service data” in relation to a CDR outsourcing arrangement.
105 After rule 7.8A
Insert:
7.8B Rule relating to privacy safeguards 8 and 9—failure by direct or indirect OSP to comply with safeguards
Privacy safeguard 8—overseas disclosure
(1) An accredited person breaches this subrule if a direct or indirect OSP of:
(a) the accredited person; or
(b) a CDR representative of the accredited person;
fails to comply with section 56EK of the Act in relation to service data of a CDR consumer as if it were an accredited data recipient of the service data.
Note 1: See rule 1.10AA for the definition of “service data” in relation to a CDR representative arrangement.
Note 2: This subrule is a civil penalty provision (see rule 9.8).
Privacy safeguard 9—government related identifiers
(2) An accredited person breaches this subrule if a direct or indirect OSP of:
(a) the accredited person; or
(b) a CDR representative of the accredited person;
fails to comply with section 56EL of the Act in relation to service data of a CDR consumer as if it were an accredited data recipient of the service data.
Note 1: See rule 1.10AA for the definition of “service data” in relation to a CDR representative arrangement.
Note 2: This subrule is a civil penalty provision (see rule 9.8).
106 Subrule 7.9(1) (note 2)
Omit “clause 4A.13”, substitute “rule 4A.13”.
107 Subrule 7.9(1) (note 4)
Repeal the note, substitute:
108 After subrule 7.9(3)
Insert:
(a) what CDR data was disclosed; and
(b) when the CDR data was disclosed; and
(c) the person to whom it was disclosed.
109 Subrule 7.9(5)
Repeal the subrule, substitute:
110 Subrule 7.10(1) (note 3)
Omit “a principal”, substitute “an OSP principal”.
111 Subrule 7.10A(2)
Omit “subrule (2)”, substitute “subrule (1)”.
112 Subrule 7.11(2)
Repeal the subrule, substitute:
(3) For this rule, where an accredited data recipient is a CDR representative principal, a failure by:
(a) the CDR representative; or
(b) any direct or indirect OSP of the CDR representative;
to comply with Schedule 2 in relation to service data is taken to be a failure by the CDR representative principal.
113 Subrule 7.12(2) and (3)
Repeal the subrules, substitute:
(a) to apply the CDR data de‑identification process to the redundant data; and
(b) direct any direct OSP or CDR representative of the accredited data recipient (the recipient of the redundant data) that had been provided with a copy of the redundant data:
(i) to delete the redundant data, as well as any CDR data that has been directly or indirectly derived from it, and notify the accredited data recipient of the deletion; and
(ii) to, if the recipient of the redundant data has provided any such data to its own direct OSP (the further recipient), give the direction set out in this paragraph to the further recipient as if the further recipient were itself the recipient of the redundant data.
Note: If the redundant data cannot be de‑identified in accordance with the CDR data de‑identification process, it must be deleted in accordance with the CDR data deletion process: see subrule 1.17(4).
(3) For this rule, where an accredited data recipient is a CDR representative principal, a failure by a CDR representative to comply with subsection 56EO(2) of the Act in relation to service data as if:
(a) it were a CDR entity; and
(b) the references in this rule to provisions in Division 4.3 were references to the corresponding provisions in Division 4.3A;
is taken to be a failure by the CDR representative principal.
114 Subrule 7.16(2)
Omit “subrule (2)”, substitute “subrule (1)”.
115 Paragraph 8.11(1)(a)
Repeal the paragraph, substitute:
(i) making, responding to and managing product data requests and consumer data requests; and
(ii) obtaining, managing, amending and withdrawing authorisations and consents; and
(iii) making, responding to and managing requests by the primary data holder for SR data under rules 1.22 and 1.23;
(iv) obtaining and managing business consumer statements;
116 At the end of paragraph 8.11(1)(c)
Add:
117 Paragraph 8.11(1A)(a)
Repeal the paragraph, substitute:
118 After subrule 8.11(1A)
Insert:
119 After paragraph 9.3(1)(f)
Insert:
120 After paragraph 9.3(2)(d)
Insert:
(da) CDR consumer complaints;
121 After paragraph 9.3(2)(ed)
Insert:
(ee) the number of business consumer statements received;
(ef) disclosures of CDR data under a business consumer disclosure consent, and persons to whom the CDR data was disclosed;
(eg) any steps taken for the purposes of subrule 1.10A(9) to confirm that a CDR consumer is a CDR business consumer;
122 Paragraph 9.3(2)(i)
Repeal the paragraph, substitute:
(i) any sponsorship arrangement to which the accredited data recipient is a party; and
(ii) the use and management by the other party to each such arrangement of CDR data collected by it or provided to it under the arrangement;
(ia) if applicable:
(i) any CDR outsourcing arrangement to which the accredited data recipient, or a direct or indirect OSP of the accredited data recipient, is a party; and
(ii) the use and management by each direct or indirect OSP of CDR data collected by it or provided to it under the relevant CDR outsourcing arrangement; and
(iii) the steps that the accredited data recipient has taken to ensure that each direct or indirect OSP complies with the requirements of the relevant CDR outsourcing arrangement, including how their direct OSPs ensure compliance by indirect OSPs;
123 After paragraph 9.3(2A)(g)
Insert:
124 After paragraph 9.3(2A)(h)
Insert:
(hb) disclosures of CDR data to trusted advisers, and trusted advisers to whom CDR data was disclosed;
(hc) any steps taken for the purposes of subrule 1.10C(3) to confirm that a trusted adviser is a member of a class of trusted advisers;
(hd) disclosures of CDR insights, including a copy of each CDR insight disclosed, to whom it was disclosed and when;
125 After paragraph 9.3(2A)(k)
Insert:
(i) any CDR outsourcing arrangement to which the CDR representative, or a direct or indirect OSP of the CDR representative, is a party; and
(ii) the use and management by each direct or indirect OSP of CDR data collected by it or provided to it under the relevant CDR outsourcing arrangement; and
(A) the CDR representative principal; and
(B) the CDR representative;
have taken to ensure that each direct or indirect OSP of the CDR representative complies with the requirements of the relevant CDR outsourcing arrangement, including how their direct OSPs ensure compliance by indirect OSPs;
126 Paragraph 9.3(2A)(l)
Omit “paragraph 4.11(3)(e)”, substitute “paragraph 4.20E(3)(i)”.
127 Subparagraph 9.3(2A)(l)(iii)
Omit “paragraph 4.15(b)”, substitute “paragraph 4.20L(b)”.
128 Subrule 9.3(2A) (note)
Omit “paragraph (k)”, substitute “paragraph (m)”.
129 Subparagraph 9.4(2)(f)(i)
Omit “distinguishing”, substitute “distinguishing:”.
130 After subparagraph 9.4(2)(f)(viii)
Insert:
(viiia) the number of consents in relation to which a business consumer statement was given during the reporting period, together with:
(A) the number of such consents whose duration, under rule 4.11 or 4.12C, was more than 12 months;
(B) the number of times the accredited data recipient disclosed CDR data in accordance with a business consumer disclosure consent;
131 Subparagraph 9.4(2A)(b)(i)
Repeal the subparagraph, substitute:
(i) described in the notification of the CDR representative under subrule 5.14(4); or
132 Paragraph 9.4(2A)(e)
Repeal the paragraph, substitute:
(i) the number of consumer data requests made by the accredited data recipient on behalf of the CDR representative during the reporting period;
(iii) the number of consumer data requests that the CDR representative received from an accredited person on behalf of a CDR consumer during the reporting period;
(iv) the number of times the CDR representative disclosed consumer data to an accredited person in response to such a consumer data request during the reporting period;
(v) the proportion of CDR consumers who, at the date of the report, had exercised the election to delete, by reference to each brand of the CDR representative;
(vi) the total number of CDR consumers the CDR representative provided goods or services to using CDR data during the reporting period;
(vii) the number of consents the CDR representative received from CDR consumers during the reporting period to disclose CDR data to trusted advisers;
(viii) for each class of trusted advisers—the number of trusted advisers to whom CDR data was disclosed by the CDR representative during the reporting period;
(ix) the number of insight disclosure consents the CDR representative received from CDR consumers during the reporting period.
133 At the end of rule 9.4
Add:
(a) subparagraph (2)(f)(viiia);
(b) subparagraphs (2A)(e)(iii), (iv), (vii), (viii) and (ix).
134 Subrule 9.5(1)
Omit “(d) and (f)”, substitute “(c), (d), (f) and (fa)”.
135 Paragraphs 9.5(2)(a) and (b)
Repeal the paragraphs, substitute:
(b) paragraphs 9.3(2A)(d), (e), (f), (g), (ga), (h), (ha), (hb), (hc), (i) and (o);
136 Subrule 9.7(2)
Omit “CDR participant”, substitute “accredited data recipient”.
137 Rule 9.8
Repeal the rule, substitute:
For section 56BL of the Act, the provisions of these rules listed in the following table are civil penalty provisions (within the meaning of the Regulatory Powers Act):
Item | Civil penalty provision |
1 | subrule 1.10A(4) |
2 | subrule 1.10A(12) |
3 | subrule 1.10A(14) |
4 | subrule 1.12(1) |
5 | subrule 1.13(1) |
6 | subrule 1.14(1) |
7 | subrule 1.15(1) |
8 | subrule 1.15(5) |
9 | subrule 1.15(7) |
10 | subrule 1.16(2) |
11 | subrule 1.16(4) |
12 | subrule 1.16A(2) |
13 | subrule 1.16A(4) |
14 | subrule 1.20(2) |
15 | subrule 1.22(3) |
16 | subrule 1.22(4) |
17 | subrule 1.22(5) |
18 | subrule 1.23(4) |
19 | subrule 1.23(5) |
20 | subrule 1.23(6) |
21 | rule 1.25 |
22 | subrule 2.4(2A) |
23 | subrule 2.4(3) |
24 | rule 2.6 |
25 | subrule 3.4(3) |
26 | subrule 4.3(5) |
27 | subrule 4.4(3) |
28 | subrule 4.5(2) |
29 | subrule 4.5(3) |
30 | subrule 4.6(3) |
31 | subrule 4.6(4) |
32 | subrule 4.7B(3) |
33 | subrule 4.13(2) |
34 | subrule 4.18(1) |
35 | subrule 4.18(2) |
36 | subrule 4.18AA(2) |
37 | subrule 4.18A(2) |
38 | subrule 4.18B(2) |
39 | subrule 4.18B(3) |
40 | subrule 4.18C(2) |
41 | subrule 4.19(1) |
42 | subrule 4.20(2) |
43 | subrule 4.20J(2) |
44 | subrule 4.20J(5) |
45 | subrule 4.20P(2) |
46 | subrule 4.20R(2) |
47 | subrule 4.20R(3) |
48 | subrule 4.20S(2) |
49 | subrule 4.20T(2) |
50 | subrule 4.22A(1) |
51 | subrule 4.25(2) |
52 | rule 4.26A |
53 | rule 4.27 |
54 | subrule 4.28(2) |
55 | subrule 4A.6(1) |
56 | subrule 4A.7(3) |
57 | subrule 4A.8(2) |
58 | subrule 4A.8(3) |
59 | subrule 4A.13(1) |
60 | subrule 4A.14(2) |
61 | subrule 4A.14(3) |
62 | subrule 5.1B(2) |
63 | subrule 5.1B(3) |
64 | subrule 5.1B(4) |
65 | subrule 5.1B(5) |
66 | subrule 5.12(1) |
67 | rule 5.13 |
68 | subrule 5.14(1) |
69 | subrule 5.23(2) |
70 | subrule 5.23(3) |
71 | subrule 5.23(4) |
72 | subrule 5.31(2) |
73 | rule 6.1 |
74 | rule 6.2 |
75 | subrule 7.2(4) |
76 | subrule 7.2(6) |
77 | subrule 7.2(7) |
78 | subrule 7.2(8) |
79 | subrule 7.2(9) |
80 | subrule 7.3(2) |
81 | subrule 7.3A(1) |
82 | subrule 7.3B(1) |
83 | subrule 7.6(1) |
84 | subrule 7.8A(1) |
85 | subrule 7.8A(2) |
86 | subrule 7.8B(1) |
87 | subrule 7.8B(2) |
88 | subrule 7.10A(1) |
89 | subrule 7.14(1) |
90 | subrule 7.14(2) |
91 | subrule 7.16(1) |
92 | subrule 9.6(4) |
93 | subrule 9.7(3). |
Note: Subrules 2.5(2), 3.5(2), 4.7(3), 5.25(3), 5.25(5), 5.34(4), 9.3(1), 9.3(2), 9.3(2A), 9.3(5), 9.4(1), 9.4(1A), 9.4(2), 9.4(2A), 9.4(3), 9.5(4), 9.5(5) and 9.5(6) are also civil penalty provisions within the meaning of the Regulatory Powers Act.
138 Subclause 2.1(1) of Schedule 1 (note to the definition of assurance report)
Repeal the note, substitute:
ASAE 3150 could in 2023 be downloaded from the Auditing and Assurance Standards Board’s website (https://www.auasb.gov.au/admin/file/content102/c3/Jan15_ASAE_3150_Assurance_Engagements_on_Controls.pdf).
139 Subclause 2.1(4) of Schedule 1
Omit “For”, substitute “In”.
140 At the end of paragraph 2.2(2)(a) of Schedule 1
Add “and”.
141 Clause 1.1 of Schedule 2
Omit “purpose”, substitute “purposes”.
142 Clause 2.1 of Schedule 2
Omit “purpose”, substitute “purposes”.
143 Clause 1.3 of Schedule 3 (table item 1, column 2, sub‑subparagraph (b)(iv)(B))
Repeal the sub‑subparagraph, substitute:
(B) the person’s ABN;
144 After clause 1.4 of Schedule 3
Insert:
(1) For these rules, in relation to the banking sector, a product is a trial product if the product:
(a) is a phase 1 product, a phase 2 product or a phase 3 product; and
(b) is offered:
(i) with the description “pilot” or “trial”; and
(ii) with a statement of a period for which it will operate as a pilot or trial that ends no more than 6 months after the initial offering (the trial period); and
(iii) on the basis that the number of customers supplied with the product for the purposes of the trial will be limited to no more than 1,000; and
(iv) with a statement that the product may be terminated before the end of the trial period and that, if it is, the CDR data in relation to the product may not be available.
(2) However, such a product ceases to be a trial product at the earlier of the following times:
(a) the end of the trial period, if the product continues to be supplied or offered after the end of the trial period;
(b) the time (if any) that the product is first supplied to more than 1,000 customers.
145 Subclause 2.1(1) of Schedule 3
Repeal the subclause, substitute:
(1) For subrule 1.10B(1), the additional criterion for a CDR consumer to be eligible, in relation to a particular data holder in the banking sector at a particular time, is that the account is set up in such a way that it can be accessed online.
Note: Subrule 1.10B(1) provides criteria for account holders and secondary users of the account to be eligible.
146 Subclause 2.1(2) of Schedule 3 (note)
Omit “account holders”, substitute “users”.
147 Clause 3.1A of Schedule 3
Repeal the clause, substitute:
(1) Subject to subclause (2), this Part applies in relation to:
(a) phase 1 products; and
(b) phase 2 products; and
(c) phase 3 products.
Note: See Part 6 of this Schedule for the staged application of these rules to the banking sector. CDR data relating to different phase products will become available at different times, in accordance with that Part.
Trial products
(2) This Part does not apply in relation to a product while it is a trial product.
Note: If a trial product ceases to be a trial product in accordance with subclause 1.5(2) of this Schedule, the data holder must comply with its obligations under this Part in relation to the product. The obligations cover any CDR data generated while the product was a trial product.
148 Subclause 3.2(3) of Schedule 3
Omit “For”, substitute “In”.
149 Part 5 of Schedule 3 (heading)
Omit “Internal dispute”, substitute “Dispute”.
150 Part 5 of Schedule 3 (note to heading)
Repeal the note, substitute:
151 Subclause 5.1(2) of Schedule 3 (note to the definition of Regulatory Guide 271)
Omit “2021”, substitute “2023”.
152 After clause 5.1 of Schedule 3
Insert:
5.2 Meeting external dispute resolution requirements—banking sector
For the banking sector, an accredited person or data holder meets the external dispute resolution requirements if it is a member of the recognised external dispute resolution scheme operated by the Australian Financial Complaints Authority Limited for the banking sector.
153 Clause 6.2 of Schedule 3 (table item 5)
Repeal the item, substitute:
accredited non‑ADI, in relation to the CDR data mentioned in paragraph (a) of column 2 | An accredited person that: (a) has been a data holder of CDR data, as a result of subsection 56AJ(3) of the Act, for at least 12 months; and (b) is not an ADI. |
154 Subclause 6.4(2) of Schedule 3
Omit “clause 3.1A”, substitute “subclause 3.1A(1)”.
155 Clause 6.6 of Schedule 3 (after the heading)
Insert:
The effect of the replacement table is to delay the start of Part 4 obligations for non-major ADIs from 1 July 2022 to 1 October 2022.
156 At the end of subclause 6.6(1) of Schedule 3
Add:
157 At the end of clause 6.6 of Schedule 3
Add:
(2) For this clause, the start date is the day the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020 commenced.
158 Subclause 7.2(1) of Schedule 3
Repeal the subclause, substitute:
(1) For paragraph 56AJ(4)(c) of the Act, this clause sets out conditions for an accredited person that has collected CDR data in accordance with a consumer data request for the purposes of Division 4.3 of these rules to be a data holder (rather than an accredited data recipient) of that CDR data and any CDR data that it directly or indirectly derived from that CDR data (together, the relevant CDR data).
159 Subparagraph 7.2(2)(c)(iii) of Schedule 3
Repeal the subparagraph, substitute:
(iii) has explained to the CDR consumer:
(A) that, as a result, the privacy safeguards, to the extent that they apply to an accredited data recipient of CDR data, would no longer apply to the person in relation to the relevant CDR data; and
(B) that the privacy safeguards applicable to a data holder will instead apply to the person in relation to the relevant CDR data; and
(C) the manner in which the person proposes to treat the relevant CDR data; and
(D) why the person is entitled to provide the CDR consumer with this option; and
160 Clause 1.3 of Schedule 4 (table item 1, column 2, sub‑subparagraph (b)(iv)(B))
Repeal the sub‑subparagraph, substitute:
(B) the person’s ABN; and
161 Clause 1.3 of Schedule 4 (table item 2, column 2, subparagraph (b)(iv))
Omit “and frequency”, substitute “and frequency”.
162 Clause 1.3 of Schedule 4 (table item 8, column 2)
Omit “that” (second occurring).
163 Subclause 2.1(2) of Schedule 4
Omit “For”, substitute “In”.
164 Paragraph 2.2(2)(b) of Schedule 4
Omit “Chapter 10”, substitute “Chapter 7”.
165 Subclause 3.1(1) of Schedule 4 (note 1)
Omit “2021”, substitute “2023”.
166 Subclause 3.1(1) of Schedule 4 (note 3)
Repeal the note, substitute:
Note 3: This clause does not include all CDR data covered by section 9 of the energy sector designation instrument, as that section also covers CDR data for which there are CDR consumers (see paragraphs 9(2)(b) and 9(3)(b) of that instrument).
167 Subclauses 3.2(1), (2), (4) and (5) of Schedule 4
Omit “For”, substitute “In”.
168 Subclause 4.1(2) of Schedule 4
Omit “For”, substitute “In”.
169 Part 5 of Schedule 4 (note to heading)
Repeal the note, substitute:
Note: See the definitions of “meet the internal dispute resolution requirements” and “meet the external dispute resolution requirements” in subrule 1.7(1). See also paragraphs 5.12(b) and (c) of these rules, and rules 6.1 and 6.2.
170 Subclause 5.1(4) of Schedule 4 (note)
Omit “2021”, substitute “2023”.
171 Clause 5.2 of Schedule 4
Omit the clause, substitute:
5.2 Meeting external dispute resolution requirements—energy sector
Note: Schemes operated by the Australian Financial Complaints Authority Limited and the energy and water ombudsman of each State and Territory are recognised as external dispute resolution schemes for section 56DA of the Act.
How accredited persons and retailers meet the external dispute resolution requirements
(1) For the energy sector, persons of the following kinds meet the external dispute resolution requirements in the circumstances indicated:
(a) an accredited person that is not a retailer—if it is an AFCA member;
(b) a retailer that is not an accredited person—if it is an EWO member;
(c) an accredited person that is also a retailer, but not a limited retailer—if it is both an AFCA member and an EWO member;
(d) an accredited person that is also a limited retailer—if it is an EWO member.
Meaning of AFCA member
(2) In this clause, a retailer or an accredited person is an AFCA member if it is a member of the recognised external dispute resolution scheme operated by the Australian Financial Complaints Authority Limited for the energy sector.
Meaning of EWO member
(3) In this clause, a retailer or accredited person is an EWO member if, in each relevant jurisdiction:
(a) if the jurisdiction has an energy and water ombudsman recognised in accordance with section 56DA of the Act—the retailer is a member of the external dispute resolution scheme operated by that ombudsman in relation to CDR consumer complaints; and
(b) otherwise—the retailer has taken the necessary steps to participate in the dispute resolution process provided by the jurisdiction that is appropriate for CDR consumer complaints.
Meaning of limited retailer
(4) A retailer is a limited retailer if:
(a) it uses any energy sector CDR data that it collects only in order to provide goods or services within the energy sector; and
(b) it does not use non-energy sector CDR data that it collects in order to provide goods or services outside the energy sector.
172 Clause 8.1 of Schedule 4 (paragraph (a) of definition of large customer)
Before “relevant customer”, insert “customer that is not a”.
173 Paragraphs 8.2(f) and (g) of Schedule 4
Repeal the paragraphs, substitute:
The Energy Australia Group
(f) EnergyAustralia Pty Ltd ‑ ABN 99 086 014 968.
174 Subclauses 8.3(1) and (2) of Schedule 4
Omit “For”, substitute “In”.
175 Paragraph 8.7(1)(a) of Schedule 4
Repeal the paragraph.
176 Subclause 9.2(1) of Schedule 4
Omit “Part 4”, substitute “Division 4.3”.
177 Subparagraph 9.2(2)(d)(iii) of Schedule 4
Repeal the subparagraph, substitute:
(iii) has explained to the CDR consumer:
(A) that, as a result, the privacy safeguards, to the extent that they apply to an accredited data recipient of CDR data, would no longer apply to the person in relation to the relevant CDR data; and
(B) that the privacy safeguards applicable to a data holder will instead apply to the person in relation to the relevant CDR data; and
(C) the manner in which the person proposes to treat the relevant CDR data; and
(D) why the person is entitled to provide the CDR consumer with this option; and
178 The whole of the instrument
Omit “CDR principal”, substitute “CDR representative principal”.