The Office of the Australian Information Commissioner (OAIC) has released for consultation draft Privacy Safeguard Guidelines for the Consumer Data Right (CDR).
The CDR will start in February 2020 in the banking sector (“open banking”), subject to consumers consenting to the transfer of their data.
The privacy safeguards apply to entities who are authorised or required under the CDR regime to collect, use or disclose CDR data for which there is at least one consumer. This includes accredited persons, accredited data recipients, data holders and designated gateways.
The Privacy Safeguard guidelines outline:
- the mandatory requirements in the privacy safeguards and related Consumer Data Rules;
- the Information Commissioner’s interpretation of the privacy safeguards and Consumer Data Rules;
- examples that explain how the privacy safeguards and Consumer Data Rules may apply to particular circumstances. Any examples given are not intended to be prescriptive or exhaustive of how an entity may comply with the mandatory requirements in the privacy safeguards; the particular circumstances of an entity will also be relevant;
- good privacy practice to supplement minimum compliance with the mandatory requirements in the privacy safeguards and Consumer Data Rules.
Under s 56EQ(1)(a) of the Competition and Consumer Act 2010 (Cth), the Australian Information Commissioner has the power to make ‘guidelines for the avoidance of acts or practices that may breach the privacy safeguards’.
The Privacy Safeguard Guidelines outline how the Information Commissioner will interpret and apply the privacy safeguards when exercising functions and powers relating to the privacy safeguards.