Consumer Data Right and the Australian Privacy Principles

Consumer Data Right (CDR) was introduced in 2019 by the Australian Government, with the intention of giving consumers (individuals, companies, business enterprises) the ability to ‘opt in’ and share their data between service providers of their choosing. It's now active in banking, so consumers may choose to share their banking data with a prospective bank to get a better offer, or with an app to access a new service.

CDR enables the secure transfer of consumer information from one provider to another, giving the consumer the ability to better:

  • Compare products and services;
  • Access better value and improved services; and
  • Assist financial and cashflow management.

In November 2022 CDR is due to go live for Open Energy, with Open Telecommunications designated to be implemented in 2023, and Open Finance data-sets expected to be implemented in 2024 and beyond.   Consumer Data Right and the Australian Privacy Principles

A ‘consumer’ under CDR is defined within the CDR Privacy Safeguard Guidelines,  which typically requires a person to be identifiable or reasonably identifiable from the CDR data, or other information held by the participant. RSM has previously outlined some FAQs on the CDR Privacy Safeguard Guidelines (as at V3.0 June 2021). 
The Australian Government has both designed and manages the process for the secure transfer of data for all consumers who decide to opt-in. This data transfer is completed between the providers (accredited person/data recipients, and data holders) however, all providers are required to undergo a strict process to become accredited to provide services using CDR data. This accreditation process is managed by the Australian Competition and Consumer Commission (ACCC), and ensures the provider has appropriate policies, procedures, and controls in place to securely manage, process, store, and transmit the consumer’s data. To opt into CDR and utilisation of the system, a consumer ultimately has control over:

  • The consent process;
  •  What information is shared with the providers;
  •  Who data is shared with; and
  •  How long data is shared for.

RSM has proudly been a leader in helping providers meet the complex security accreditation requirements for CDR. 

So how does CDR relate, and perhaps overlap, with the existing Australian Privacy Principles (APPs)?

CDR outlines several Privacy Safeguard Guidelines that set out the privacy rights and obligations for providers and consumers in the system. The CDR Privacy Safeguard Guidelines, and the APPs both have the ultimate objective of protecting a consumer’s information throughout its lifecycle. How each applies, and when, differs slightly based upon the involvement in the CDR process, and system.  consumer data right

If an organisation is an accredited person/accredited data recipient (a ‘receiver’ in the Consumer Data Right System who uses the consumer’s information upon the consumer’s consent after receiving it from the data holders), the CDR Privacy Safeguard Guidelines will apply in replacement of the Australian Privacy Principles (APPs).

If you are a data holder (the ‘givers’ in the Consumer Data Right system. The providers who currently hold the consumer data), the APPs will generally apply to CDR data that is also personal information, with the exception of APP 10 (quality of personal information) and APP 13 (correction of personal information). APP 10 and APP 13 are replaced by the CDR Privacy Safeguard Guideline 11 (quality of CDR data) and Privacy Safeguard Guideline 13 (correction of CDR data) once the data holder is required or authorised to disclose the CDR data (consumer’s data) to a data recipient under the CDR Rules. Data holders must also comply with both APP 1 and Privacy Safeguard Guideline 1, which relate to the open and transparent management of personal information and CDR data. 

Sound a little complex? It is.

That is why RSM is here to assist if you have any questions.
We have supported 50% of the non-ADI accredited data recipients through the CDR accreditation process and welcome the opportunity to help others. 

For more information, contact Darren Booth, National Head of Cyber Security and Privacy Risk Services.


Darren Booth
National Head of Cyber Security and Privacy Risk Services