ACCC and OAIC joint compliance and enforcement policy for Consumer Data Right

The Office of the Australian Information Commissioner (OAIC) and the Australian Competition and Consumer Commission (ACCC) have published a joint Compliance and Enforcement Policy for the Consumer Data Right.

The policy is intended to help consumers and CDR participants understand the approach that the OAIC and ACCC will take to encourage compliance with the CDR Rules and legislation (including the Privacy Safeguards and Consumer Data Standards), and how they will respond to breaches of the regulatory framework.

The policy sets out their compliance monitoring tools as well as their enforcement action principles and options.

The compliance monitoring tools include:

  • Stakeholder intelligence / complaints
    • Receiving information from stakeholders (including CDR consumers, businesses, consumer groups and other government agencies).
    • Receiving intelligence and reports from approved external dispute resolution bodies to address preliminary or sector-specific concerns. For the banking sector, the approved external dispute resolution body is AFCA.
  • Business reporting
    • Receiving mandatory periodic reports from data holders and accredited data recipients which provide a range of information, including a summary of CDR complaint data.
    • They will use these reports to track compliance and identify any issues or concerning trends.
  • Audits and Assessments
    • Undertaking audits and assessments of data holders and/or accredited data recipients to ensure they are complying with the relevant legislation (including the Privacy Safeguards, Rules and Data Standards).
    • Taking required action to resolve identified compliance problems, inefficiencies or potential risks of harm to consumers.
    • They will use these powers to ensure that CDR data is managed in accordance with the legislation, for example that consumer consents are properly obtained and that data holders and accredited data recipients have appropriate security protections and measures in place.
  • Information requests and compulsory notices
    • Issuing information requests to data holders or accredited data recipients to help inform their compliance and enforcement activity.
    • Using statutory information gathering powers to compel the provision of information, documents or evidence where conduct may constitute a contravention of the CCA.



Author: David Jacobson
Principal, Bright Corporate Law
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.
