An extensive set of privacy rules that will accompany the introduction of the Consumer Data Right (CDR), including Open Banking, will be legally binding statutory provisions.

The Office of the Australian Information Commissioner has released draft privacy safeguards for consultation. They cover consent rules, disclosure and reporting obligations, limits on data collection, obligations to destroy certain data, and OAIC enforcement powers.Some of the privacy safeguards will apply in parallel with the Australian Privacy Principles, while others will override APPs.

The Consumer Data Right is designed to give people greater choice over how their personal data is used and disclosed. It allows consumers to access particular data and transfer it to an accredited person.

The Information Commissioner will have power to investigate possible breaches of the privacy safeguards and use a range of enforcement powers, including penalties.

The OAIC says the CDR system is built on consent, and an accredited person may only collect and use CDR data with the consent of the consumer.

A consumer can withdraw consent at any time.

An accredited person must not collect more data than is reasonably needed in order to provide the requested goods or services.

Each accredited person and each data holder must provide a “consumer dashboard” for CDR consumers, which is an online service consumers can use to manage data requests, authorisations and associated consents for the accredited person to collect and use CDR data.

CDR entities must have a policy describing how they manage CDR data. The policy must be available free of charge. They must handle CDR data in a clear and transparent way.

Accredited data recipients must provide consumers with the option if dealing anonymously or “pseudonymously” with the entity. Consumers must have the option of not identifying themselves.

In the banking sector, an accredited data recipient will not be able to deal with a consumer ion an anonymous basis because there may be obligations to verify identity prior to providing goods and services.

Accredited persons are prohibited from attempting to collect data under CDR unless it is in response to a “valid request” from the consumer. The CDR regime is driven by the consumer.

Accredited persons are required to destroy unsolicited data that the entity is not required to retain.

Accredited persons must notify the relevant consumer when they collect CDR data. This must be done through the consumer dashboard.

CDR data cannot be used for direct marketing.

Source: Banking Day