Australian Government
Federal Register of Legislation
Competition and Consumer (Consumer Data Right) Rules 2020
In force
Administered by
Department of the Treasury
This item is authorised by the following title:
Competition and Consumer Act 2010
Latest version
F2023C00735 (C08)
22 July 2023 - 11 November 2024
Table of contents
Part 1—Preliminary
Division 1.1—Preliminary
1.1 Name
1.3 Authority
Division 1.2—Simplified outline and overview of these rules
1.4 Simplified outline of these rules
1.5 What these rules are about
1.6 Overview of these rules
Division 1.3—Interpretation
1.7 Definitions
1.8 Data minimisation principle
1.9 Fit and proper person criteria
1.10 Meaning of direct OSP, indirect OSP and related terms
1.10AA Meaning of CDR representative and related terms
1.10A Types of consents
1.10B Meaning of eligible
1.10C Trusted advisers
1.10D Meaning of sponsorship arrangement, sponsor and affiliate
Division 1.4—General provisions relating to data holders and to accredited persons
Subdivision 1.4.1—Preliminary
1.11 Simplified outline of Division
Subdivision 1.4.2—Services for making requests under these rules
1.12 Product data request service
1.13 Consumer data request service
Subdivision 1.4.3—Services for managing consumer data requests made by accredited persons
1.14 Consumer dashboard—accredited person
1.15 Consumer dashboard—data holder
Subdivision 1.4.4—Other obligations of accredited persons
1.16 Obligations relating to outsourcing arrangements
1.16A Obligations relating to CDR representative arrangements
Subdivision 1.4.5—Deletion and de-identification of CDR data
1.17 CDR data de-identification process
1.17A Identification of otherwise redundant data that is not to be deleted
1.18 CDR data deletion process
Division 1.5—Application of rules in relation to SR data
1.19 Eligible CDR consumers in relation to secondary data holders
1.20 Consumer data request service—primary data holders and secondary data holders
1.21 Consumer dashboard—SR data request
1.22 SR data request by a CDR consumer
1.23 SR data request by an accredited person
1.24 SR data disclosed to primary data holder not to be used for other purposes
1.25 Dealing with unsolicited SR data
1.26 Dispute resolution—primary data holders and secondary data holders
Part 2—Product data requests
2.1 Simplified outline of this Part
2.2 Making product data requests—flowchart
2.3 Product data requests
2.4 Disclosing product data in response to product data request
2.5 Refusal to disclose required product data in response to product data request
2.6 Use of data disclosed pursuant to product data request
Part 3—Consumer data requests made by eligible CDR consumers
Division 3.1—Preliminary
3.1 Simplified outline of this Part
3.2 How an eligible CDR consumer makes a consumer data request—flowchart
Division 3.2—Consumer data requests made by CDR consumers
3.3 Consumer data requests made by CDR consumers
3.4 Disclosing consumer data in response to a valid consumer data request
3.5 Refusal to disclose required consumer data in response to consumer data request
Part 4—Consumer data requests made by accredited persons
Division 4.1—Preliminary
4.1 Simplified outline of this Part
Division 4.2—Consumer data requests made by accredited persons to CDR participants
Subdivision 4.2.1—Preliminary
4.2 Consumer data requests made by accredited persons to CDR participants—flowchart
Subdivision 4.2.2—Requests to seek to collect CDR data from CDR participants
4.3 Request for accredited person to seek to collect CDR data
4.3A Request for CDR representative principal to seek to collect CDR data on behalf of CDR representative
4.3B Consumer data requests by accredited persons to CDR representatives
Subdivision 4.2.3—Consumer data requests by accredited persons to data holders
4.4 Consumer data request by accredited person to data holder
4.5 Data holder must ask eligible CDR consumer to authorise disclosure
4.6 Disclosing consumer data in response to a consumer data request
4.6A Disclosure of CDR data relating to account not permitted if not approved by account holder
4.7 Refusal to disclose required consumer data in response to consumer data request
Subdivision 4.2.4—Consumer data requests by accredited persons to accredited data recipients
4.7A Consumer data request by accredited person to accredited data recipient
4.7B Accredited data recipient may ask eligible CDR consumer for AP disclosure consent
Division 4.3—Giving and amending consents—accredited persons
Subdivision 4.3.1—Preliminary
4.8 Purpose of Division
4.9 Object
Subdivision 4.3.2—Giving consents
4.10 Requirements relating to accredited person’s processes for seeking consent
4.11 Asking CDR consumer to give consent
4.12 Restrictions on seeking consent
Subdivision 4.3.2A—Amending consents
4.12A Amendment of consent
4.12B Inviting CDR consumer to amend consent
4.12C Process for amending consents
Subdivision 4.3.2B—Withdrawing consents
4.13 Withdrawal of consents
Subdivision 4.3.2C—Duration of consent
4.14 Duration of consent
Subdivision 4.3.3—Information relating to de-identification of CDR data
4.15 Additional information relating to de-identification of CDR data
Subdivision 4.3.4—Election to delete redundant data
4.16 Election to delete redundant data
4.17 Information relating to redundant data
Subdivision 4.3.5—Notification requirements
4.18 CDR receipts
4.18AA Notification of data holder or accredited data recipient if collection consent expires
4.18A Notification of CDR consumer if collection consent expires
4.18B Notification if collection consent or AP disclosure consent expires
4.18C Notification of data holder or accredited data recipient if collection consent is amended
4.19 Updating consumer dashboard
4.20 Ongoing notification requirement—collection consents and use consents
4.20A Application of Subdivision to sponsor and affiliate
Division 4.3A—Giving and amending consents—CDR representatives
Subdivision 4.3A.1—Preliminary
4.20B Purpose of Division
4.20C Object
Subdivision 4.3A.2—Giving consents
4.20D Requirements relating to CDR representative’s processes for seeking consent
4.20E Asking CDR consumer to give consent
4.20F Restrictions on seeking consent
Subdivision 4.3A.3—Amending consents
4.20G Amendment of consent
4.20H Inviting CDR consumer to amend consent
4.20I Process for amending consent
Subdivision 4.3A.4—Withdrawing consents
4.20J Withdrawal of consents
Subdivision 4.3A.5—Duration of consent
4.20K Duration of consent
Subdivision 4.3A.6—Information relating to de-identification of CDR data
4.20L Additional information relating to de-identification of CDR data
Subdivision 4.3A.7—Election to delete redundant data
4.20M Election to delete redundant data
4.20N Information relating to redundant data
Subdivision 4.3A.8—Notification requirements
4.20O CDR receipts
4.20P Notification of data holder or accredited data recipient if collection consent expires
4.20Q Notification of consumer if collection consent expires
4.20R Notification if collection consent or AP disclosure consent expires
4.20S Notification if collection consent is amended
4.20T Updating consumer dashboard
4.20U Ongoing notification requirement—collection consents and use consents
Division 4.4—Authorisations to disclose CDR data
4.21 Purpose of Division
4.22 Requirements relating to data holder’s processes for seeking authorisation
4.22A Inviting CDR consumer to amend a current authorisation
4.23 Asking CDR consumer to give authorisation to disclose CDR data or inviting CDR consumer to amend a current authorisation
4.24 Restrictions when asking CDR consumer to authorise disclosure of CDR data
4.25 Withdrawal of authorisation to disclose CDR data
4.26 Duration of authorisation to disclose CDR data
4.26A Notifications of expired authorisations
4.27 Updating consumer dashboard
4.28 Notification requirements for consumer data requests on behalf of secondary users
Part 4A—Joint accounts
Division 4A.1—Preliminary
4A.1 Purpose of Part
4A.2 Simplified outline of this Part
4A.3 Interpretation
Division 4A.2—Disclosure options
4A.4 Simplified outline of this Division
4A.5 Disclosure options for joint accounts
4A.6 Obligation to provide disclosure option management service
4A.7 Changing to a more restrictive disclosure option
4A.8 Obtaining agreement on change to a less restrictive disclosure option
Division 4A.3—Consumer data requests that relate to joint accounts
Subdivision 4A.3.1—Preliminary
4A.9 Application of Division
Subdivision 4A.3.2—How consumer data requests to data holders under Part 4 that relate to joint accounts are handled
4A.10 How data holder is to deal with a consumer data request
4A.11 Asking relevant account holders for approval to disclose joint account data
4A.12 Continuation and removal of approvals
4A.13 Consumer dashboard for joint account holders
4A.14 Notification requirements for consumer data requests on joint accounts
4A.15 Avoidance of harm
Part 5—Rules relating to accreditation etc.
Division 5.1—Preliminary
5.1 Simplified outline of this Part
Division 5.2—Rules relating to accreditation process
Subdivision 5.2.1A—Levels of accreditation
5.1A Levels of accreditation
5.1B Sponsored accreditation
Subdivision 5.2.1—Applying to be accredited person
5.2 Applying to be an accredited person
Subdivision 5.2.2—Consideration of application to be accredited person
5.3 Data Recipient Accreditor may request further information
5.4 Data Recipient Accreditor may consult
5.5 Criteria for accreditation
5.6 Accreditation decision―accreditation number
5.7 Accreditation decision—notifying accreditation applicant
5.8 When accreditation takes effect
5.9 Default conditions on accreditation
5.10 Other conditions on accreditation
5.11 Notification to accredited person relating to conditions
Subdivision 5.2.3—Obligations of accredited person
5.12 Obligations of accredited person
5.13 Accredited person must comply with conditions
5.14 Notification requirements
5.15 Provision of information to the Accreditation Registrar
Subdivision 5.2.4—Transfer, suspension, surrender and revocation of accreditation
5.16 Transfer of accreditation
5.17 Revocation, suspension, or surrender of accreditation
5.18 Revocation of accreditation—process
5.19 Suspension of accreditation—duration
5.20 General process for suspension of accreditation or extension of suspension
5.21 Process for urgent suspensions or extensions
5.22 When surrender, revocation or suspension takes effect
5.23 Consequences of surrender, suspension or revocation of accreditation
Division 5.3—Rules relating to Register of Accredited Persons
5.24 Maintaining the Register of Accredited Persons
5.25 Other information to be kept in association with Register of Accredited Persons
5.26 Amendment and correction of entries in Register of Accredited Persons and database
5.27 Publication or availability of specified information in the Register of Accredited Persons
5.28 Making information available to the Commission, the Information Commissioner and the Data Recipient Accreditor
5.29 Publication of specified information by the Commission
5.30 Other functions of Accreditation Registrar
5.31 Obligation to comply with Accreditation Registrar’s request
5.32 Automated decision making—Accreditation Registrar
5.33 Temporary restriction on use of the Register in relation to data holder
5.34 Temporary direction to refrain from processing consumer data requests
Part 6—Rules relating to dispute resolution
6.1 Requirement for data holders―internal dispute resolution
6.2 Requirement for data holders―external dispute resolution
Part 7—Rules relating to privacy safeguards
Division 7.1—Preliminary
7.1 Simplified outline of this Part
Division 7.2—Rules relating to privacy safeguards
Subdivision 7.2.1—Rules relating to consideration of CDR data privacy
7.2 Rule relating to privacy safeguard 1—open and transparent management of CDR data
7.3 Rule relating to privacy safeguard 2—anonymity and pseudonymity
7.3A Rule relating to privacy safeguard 4—destruction of unsolicited data—CDR representative
7.3B Rule relating to privacy safeguard 4—destruction of unsolicited data—outsourced service providers
Subdivision 7.2.2—Rules relating to collecting CDR data
7.4 Rule relating to privacy safeguard 5—notifying of the collection of CDR data
Subdivision 7.2.3—Rules relating to dealing with CDR data
7.5 Meaning of permitted use or disclosure and relates to direct marketing
7.5A Limitation to disclosures of CDR data under a disclosure consent
7.6 Use or disclosure of CDR data by accredited data recipients and related persons
7.7 Rule relating to privacy safeguard 6—use or disclosure of CDR data by accredited data recipients
7.8 Rule relating to privacy safeguard 7—use or disclosure of CDR data for direct marketing by accredited data recipients
7.8A Rule relating to privacy safeguards 8 and 9—failure by CDR representative to comply with safeguards
7.8B Rule relating to privacy safeguards 8 and 9—failure by direct or indirect OSP to comply with safeguards
7.9 Rule relating to privacy safeguard 10—notifying of the disclosure of CDR data
Subdivision 7.2.4—Rules relating to integrity and security of CDR data
7.10 Rule relating to privacy safeguard 11—quality of CDR data
7.10A Rule relating to privacy safeguard 11—quality of data—CDR representative
7.11 Rule relating to privacy safeguard 12—security of CDR data
7.12 Rule relating to privacy safeguard 12—de-identification of redundant data
7.13 Rule relating to privacy safeguard 12—deletion of redundant data
Subdivision 7.2.5—Rules relating to correction of CDR data
7.14 No fee for responding to or actioning correction request
7.15 Rule relating to privacy safeguard 13—steps to be taken when responding to correction request
7.16 Rule relating to privacy safeguard 13—correction of data—CDR representative
Part 8—Rules relating to data standards
Division 8.1—Preliminary
8.1 Simplified outline of this Part
Division 8.2—Data Standards Advisory Committees
8.2 Establishment of Data Standards Advisory Committee
8.3 Functions of Data Standards Advisory Committee
8.4 Appointment to Data Standards Advisory Committee
8.5 Termination of appointment and resignation
8.6 Procedural directions
8.7 Observers
Division 8.3—Reviewing, developing and amending data standards
8.8 Notification when developing or amending data standards
8.9 Consultation when developing or amending data standards
8.10 Matters to have regard to when making or amending data standards
Division 8.4—Data standards that must be made
8.11 Data standards that must be made
Part 9—Other matters
Division 9.1—Preliminary
9.1 Simplified outline of this Part
Division 9.2—Review of decisions
9.2 Review of decisions by the Administrative Appeals Tribunal
Division 9.3—Reporting, record keeping and audit
Subdivision 9.3.1—Reporting and record keeping
9.3 Records to be kept and maintained
9.4 Reporting requirements
9.5 Requests from CDR consumers for copies of records
Subdivision 9.3.2—Audits
9.6 Audits by the Commission and the Information Commissioner
9.7 Audits by the Data Recipient Accreditor
Division 9.4—Civil penalty provisions
9.8 Civil penalty provisions
Schedule 1—Default conditions on accreditations
Part 1—Preliminary
1.1 Purpose of Schedule
Part 2—Default conditions on accreditations
2.1 Ongoing reporting obligation on accredited persons without streamlined accreditation
2.2 Conditions on sponsors and potential sponsors
Schedule 2—Steps for privacy safeguard 12—security of CDR data held by accredited data recipients
Part 1—Steps for privacy safeguard 12
1.1 Purpose of Part
1.2 Interpretation
1.3 Step 1—Define and implement security governance in relation to CDR data
1.4 Step 2—Define the boundaries of the CDR data environment
1.5 Step 3—Have and maintain an information security capability
1.6 Step 4—Implement a formal controls assessment program
1.7 Step 5—Manage and report security incidents
Part 2—Minimum information security controls
2.1 Purpose of Part
2.2 Information security controls
Schedule 3—Provisions relevant to the banking sector
Part 1—Preliminary
1.1 Simplified outline of this Schedule
1.2 Interpretation
1.3 Meaning of customer data, account data, transaction data and product specific data
1.4 Meaning of phase 1 product, phase 2 product and phase 3 product
1.5 Meaning of trial product
Part 2—Eligible CDR consumers—banking sector
2.1 Additional criteria for eligibility—banking sector
2.2 Meaning of account privileges—banking sector
2.3 Consumer dashboard—application of rule 1.15
Part 3—CDR data that may be accessed under these rules—banking sector
3.1A Application of Part
3.1 Meaning of required product data and voluntary product data—banking sector
3.2 Meaning of required consumer data and voluntary consumer data—banking sector
Part 5—Dispute resolution―banking sector
5.1 Meeting internal dispute resolution requirements―banking sector
5.2 Meeting external dispute resolution requirements―banking sector
Part 6—Staged application of these rules to the banking sector
Division 6.1—Preliminary
6.1 Interpretation
6.2 Meaning of initial data holder, accredited ADI, any other relevant ADI and accredited non-ADI
Division 6.2—Staged application of rules
6.4 Staged application of rules―requirement to disclose CDR data
6.5 Authorisation to disclose CDR data before required to do so
6.6 Commencement table
6.7 Application of certain rules
Part 7—Other rules, and modifications of these rules, for the banking sector
7.1 Laws relevant to the management of CDR data—banking sector
7.2 Conditions for accredited person to be data holder
7.3 Streamlined accreditation—banking sector
7.4 Exemptions to accreditation criteria—banking sector
7.5 Grounds for revocation, suspension and surrender of accreditation—banking sector
Schedule 4—Provisions relevant to the energy sector
Part 1—Preliminary
1.1 Simplified outline of this Schedule
1.2 Interpretation
1.3 Meaning of terms for types of data
1.4 Meaning of retailer
Part 2—Eligible CDR consumers—energy sector
2.1 Additional criteria for eligibility—energy sector
2.2 Meaning of account privileges—energy sector
2.3 Consumer dashboard—application of rule 1.15
Part 3—CDR data that may be accessed under these rules—energy sector
3.1 Meaning of required product data and voluntary product data—energy sector
3.2 Meaning of required consumer data and voluntary consumer data—energy sector
Part 4—Roles of AEMO and the energy sector agencies
4.1 AER and the Victorian agency may act on each other’s behalf
4.2 Product data request service
4.3 Meaning of SR data and primary data holder—energy sector
4.4 SR data must be obtained from AEMO
4.5 Civil penalties do not apply
Part 5—Dispute resolution―energy sector
5.1 Meeting internal dispute resolution requirements—energy sector
5.2 Meeting external dispute resolution requirements—energy sector
Part 6—Privacy safeguards―energy sector
6.1 Responding to correction request (rule 7.15)
Part 7—Reporting and record keeping―energy sector
7.1 Reporting requirements (rule 9.4)
Part 8—Staged application of these rules to the energy sector
8.1 Interpretation
8.2 Meaning of initial retailer
8.3 Meaning of larger retailer
8.4 Product data requests under Part 2 of these rules
8.5 Consumer data requests under Part 3 of these rules
8.6 Consumer data requests under Part 4 of these rules
8.7 Authorisation to disclose CDR data before being required to do so
Part 9—Other rules, and modifications of these rules, for the energy sector
9.1 Laws relevant to the management of CDR data—energy sector
9.2 Conditions for accredited person to be data holder
9.3 Consultation by Data Recipient Accreditor (rule 5.4)
9.4 AEMO not to appear on Registrar’s database (rule 5.25)
9.5 Grounds for revocation, suspension and surrender of accreditation—energy sector
Endnotes
Endnote 1—About the endnotes
Endnote 2—Abbreviation key
Endnote 3—Legislation history
Endnote 4—Amendment history
Endnote 5—Editorial changes