The Office of the Australian Information Commissioner (OAIC) has released its CDR Privacy Safeguard Guidelines for protecting consumers’ privacy under the Consumer Data Right (CDR), which is due to be implemented in the banking sector from July 2020.
The OAIC is to regulate and enforce privacy aspects of the CDR and handle customer complaints. The guidelines are intended to complement the ACCC’s rules, which came into force on 6 February.
The security and integrity of the CDR regime is maintained by 13 privacy safeguards, contained in the Competition and Consumer Act and supplemented by the Consumer Data Rules. These privacy safeguards set out the privacy rights and obligations for users of the scheme, including the requirement for informed consent to collect, disclose, hold or use CDR data.
The Privacy Safeguard Guidelines outline how the Information Commissioner will interpret and apply the privacy safeguards.
The Privacy Safeguard guidelines outline:
- the mandatory requirements in the privacy safeguards and related consumer data rules (CDR Rules) — generally indicated by ‘must’ or ‘is required to’;
- the Information Commissioner’s interpretation of the privacy safeguards and CDR Rules — generally indicated by ‘should’;
- examples that explain how the privacy safeguards and CDR Rules may apply to particular circumstances; and
- good privacy practice to supplement minimum compliance with the mandatory requirements in the privacy safeguards and CDR Rules — generally indicated by ‘could’.
The Privacy Safeguard guidelines are not legally binding.
The privacy safeguards cover the following:
Privacy Safeguard 1: Open and transparent management of CDR data
Privacy Safeguard 2: Anonymity and pseudonymity
Privacy Safeguard 3: Seeking to collect CDR data from CDR participants
Privacy Safeguard 4: Dealing with unsolicited CDR data from CDR participants
Privacy Safeguard 5: Notifying of the collection of CDR data
Privacy Safeguard 6: Use or disclosure of CDR data by accredited data recipients or designated gateways
Privacy Safeguard 7: Use or disclosure of CDR data for direct marketing by accredited data recipients or designated gateways
Privacy Safeguard 8: Overseas disclosure of CDR data by accredited data recipients
Privacy Safeguard 9: Adoption or disclosure of government related identifiers by accredited data recipients
Privacy Safeguard 10: Notifying of the disclosure of CDR data
Privacy Safeguard 11: Quality of CDR data
Privacy Safeguard 12: Security of CDR data and destruction or de-identification of redundant CDR data
Privacy Safeguard 13: Correction of CDR data
Author: David Jacobson
Principal, Bright Corporate Law
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.