There is a lot of reading to do if you want to receive and use Consumer Data Right (CDR) data for Open Banking or Open Energy.
Regardless of whether you are an ADI or non-ADI, unrestricted Accredited Data Recipient (ADR), sponsor, affiliate, representative agent or an outsourced service provider (OSP) you must demonstrate compliance with information security requirements in Privacy Safeguard 12 (Schedule 2 Part 1 and Part 2).
Some examples of readings are:
- The Treasury Laws Amendment - Consumer Data Right Act 2019 (110 pages)
- The Competition and Consumer - Consumer Data Right Rules 2020 (160 pages)
- The OAIC Consumer Data Right (CDR) Privacy Safeguard Guidelines (234 pages)
- The ACCC Supplementary Accreditation Guidelines - Information Security (26 pages)
That is over 500 pages of regulatory content (never mind the additional supporting information) at:
Content on the websites could be consolidated by the various agencies to reduce duplication and make it easier for an ADR applicant to understand their obligations.
There are lots of complementary, duplicated, and unfortunately some contradictory information in the various CDR documents. This article will only focus on the recently updated OAIC Consumer Data Right (CDR) Privacy Safeguard Guidelines (v3.0 June 2021). It focuses on information that is useful for an ADR applicant to comply with the information security requirements (Privacy Safeguard 12 and Schedule 2 of the Rules), whilst also repositioning the guidelines as an easier to digest FAQ.
As you can imagine, due to the vast volume of information, it is critical for anyone seeking to become an Accredited Data Recipient to engage with the right subject matter experts.
The key points highlighted below are based on the common questions that applicants have raised with me over the past year of CDR being live (based on the current version of the CDR Rules, v2). This is, however, no substitute for talking through your own use case, data flows, system architecture and information security controls with an experienced CDR assurance provider.
References below to sections in the OAIC Consumer Data Right (CDR) Privacy Safeguard Guidelines are denoted by a "letter.number" e.g., A.01 or "letter. letter" e.g., 10.11. Many of the references are copied verbatim from the guidelines.
1. What CDR data can an ADR collect and use?
B.105 The data minimisation principle (CDR Rule 1.8) limits the scope and amount of CDR data an accredited person may collect and use.
4.5 Privacy Safeguard 4 requires accredited persons to destroy (or de-identify) CDR data they have collected but not requested unless an exception applies.
2. When do the information security requirements apply?
Want to continue reading?
If you need further information on cyber security and privacy risk, please contact your local RSM office.