This instrument is the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020.

(1) Each provision of this instrument specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.

Commencement information
Column 1	Column 2	Column 3
Provisions	Commencement	Date/Details
1. The whole of this instrument	The day after this instrument is registered

Note: This table relates only to the provisions of this instrument as originally made. It will not be amended to deal with any later amendments of this instrument.

(2) Any information in column 3 of the table is not part of this instrument. Information may be inserted in this column, or information in it may be edited, in any published version of this instrument.

3 Authority

This instrument is made under section 56BA of the Competition and Consumer Act 2010.

4 Schedules

Each instrument that is specified in a Schedule to this instrument is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this instrument has effect according to its terms.

Schedule 1—Amendments

Competition and Consumer (Consumer Data Right) Rules 2020

1 Rule 1.4

Omit:

A CDR consumer who, in accordance with a Schedule to these rules, is eligible to do so may request an accredited person to request a data holder to disclose CDR data that relates to the consumer. The request made by the accredited person is called a consumer data request.

A consumer data request that is made on behalf of a CDR consumer by an accredited person must be made in accordance with relevant data standards, using a specialised service provided by the data holder. The data is disclosed, in machine‑readable form, to the accredited person.

Under the data minimisation principle, the accredited person may only collect and use CDR data in order to provide goods or services in accordance with a request from a CDR consumer.

substitute:

A CDR consumer who, in accordance with a Schedule to these rules, is eligible to do so may request an accredited person to request a CDR participant to disclose CDR data that relates to the consumer. The request made by the accredited person is called a consumer data request.

A consumer data request that is made to a data holder on behalf of a CDR consumer by an accredited person must be made in accordance with relevant data standards, using a specialised service provided by the data holder. The data is disclosed, in machine‑readable form, to the accredited person.

Under the data minimisation principle, the accredited person may only collect and use CDR data in order to provide goods or services in accordance with a request from a CDR consumer, and may only use it for that purpose, or for a limited number of other purposes which require an additional consent from the CDR consumer.

2 Subrule 1.6(4)

Omit “are made by accredited persons on behalf of such eligible CDR consumers”, substitute “involve accredited persons”.

3 Subrule 1.7(1)

Insert:

account privileges, in relation to:

(a) an account with a data holder; and

(b) a particular designated sector;

has the meaning set out in a Schedule to these rules that relates to that sector.

AP disclosure consent has the meaning given by rule 1.10A.

authorisation to disclose CDR data means:

(a) an authorisation given by a CDR consumer under Part 4 to a data holder; or

(b) such an authorisation as amended in accordance with these rules.

category, of consents, has the meaning given by rule 1.10A.

4 Subrule 1.7(1) (paragraph (b) of the definition of CDR complaint data)

Repeal the paragraph, substitute:

(b) the number of such complaints for each complaint type into which the CDR participant categorises complaints in accordance with its complaints handling process;

5 Subrule 1.7(1) (paragraph (g) of the definition of CDR complaint data)

Repeal the paragraph, substitute:

(g) in relation to a CDR participant that is a data holder―the number of CDR product data complaints received.

6 Subrule 1.7(1)

Insert:

CDR logo means a logo or symbol, including one whose use requires a licence or authorisation from a person other than the Commonwealth, approved by the Commission for the purposes of this definition.

CDR product data complaint means an expression of dissatisfaction made to a data holder about its required product data or its voluntary product data for which a response or resolution could reasonably be expected.

collection consent has the meaning given by rule 1.10A.

consent means:

(a) a collection consent, a use consent or a disclosure consent; or

(b) such a consent as amended in accordance with these rules.

7 Subrule 1.7(1) (definition of consumer data request)

Repeal the definition, substitute:

consumer data request:

(a) by a CDR consumer—has the meaning given by rule 3.3; and

(b) by an accredited person on behalf of a CDR consumer—has the meaning given by rule 4.4 or rule 4.7A.

Note: The different types of consumer data request are summarised in the following table:

A consumer data request made under:	is made by:	to:	for disclosure of CDR data to:
rule 3.3	a CDR consumer	a data holder	the CDR consumer
rule 4.4	an accredited person on behalf of a CDR consumer	a data holder	the accredited person
rule 4.7A	an accredited person on behalf of a CDR consumer	an accredited data recipient	the accredited person

8 Subrule 1.7(1) (definition of current)

Omit “to collect and use particular CDR data”.

9 Subrule 1.7(1) (after the definition of current)

Insert:

Note: For paragraph (a), there are the following 3 kinds of consent:

 collection consents;

 use consents;

 disclosure consents.

10 Subrule 1.7(1)

Insert:

de-identification consent has the meaning given by rule 1.10A.

direct marketing consent has the meaning given by rule 1.10A.

disclosure consent has the meaning given by rule 1.10A.

general research, in relation to an accredited data recipient, means research by the accredited data recipient:

(a) using CDR data that has been de‑identified in accordance with the CDR data de-identification process; and

(b) that does not relate to the provision of goods or services to any particular CDR consumer.

nominated representative has the meaning given by subparagraph 1.13(1)(c)(i) or subparagraph 1.13(1)(d)(i), as appropriate.

partnership account, with a data holder, means an account with a data holder that is held by or on behalf of a partnership or the partners in a partnership.

secondary user: a person is a secondary user for an account with a data holder in a particular designated sector if:

(a) the person has account privileges in relation to the account; and

(b) the account holder has given the data holder an instruction to treat the person as a secondary user for the purposes of these rules.

secondary user instruction means an instruction given for the purposes of paragraph (b) of the definition of secondary user.

use consent has the meaning given by rule 1.10A.

11 Subrule 1.7(5)

Omit “collecting consumer data”, substitute “collecting CDR data”.

12 Paragraph 1.8(b)

Repeal the paragraph, substitute:

(b) when providing the requested goods or services, or using collected CDR data for any other purpose consented to by the CDR consumer, it does not use the collected CDR data, or CDR data derived from it, beyond what is reasonably needed in order to provide the requested goods or services or fulfil the other purpose.

13 Subrule 1.9(2) (definition of serious criminal offence)

Omit “have been”.

14 After rule 1.10

Insert:

1.10A Types of consents

(1) For these rules:

(a) a collection consent is a consent given by a CDR consumer under these rules for an accredited person to collect particular CDR data from a CDR participant for that CDR data; and

(b) a use consent is a consent given by a CDR consumer under these rules for an accredited data recipient of particular CDR data to use that CDR data in a particular way; and

(c) a disclosure consent is a consent given by a CDR consumer under these rules for an accredited data recipient of particular CDR data to disclose that CDR data:

(i) to an accredited person in response to a consumer data request (an AP disclosure consent); or

(ii) to an accredited person for the purposes of direct marketing; and

(d) a direct marketing consent is a consent given by a CDR consumer under these rules for an accredited data recipient of particular CDR data to use or disclose the CDR data for the purposes of direct marketing; and

(e) a de-identification consent is a consent given by a CDR consumer under these rules for an accredited data recipient of particular CDR data to de‑identify some or all of the collected CDR data and do either or both of the following:

(i) use the de-identified data for general research;

(ii) disclose (including by selling) the de‑identified data.

(2) For these rules, each of the following is a category of consents:

(a) collection consents;

(b) use consents relating to the goods or services requested by the CDR consumer;

(d) de‑identification consents;

(e) AP disclosure consents.

15 Rule 1.11

Omit “withdrawing consents and authorisations”, substitute “amending or withdrawing consents, and for withdrawing authorisations,”.

16 At the end of subrule 1.13(1)

Add:

; and (c) for each eligible CDR consumer that is not an individual—a service that can be used to:

(i) nominate one or more individuals (nominated representatives) who are able to give, amend and manage authorisations to disclose CDR data for the purposes of these rules on behalf of the CDR consumer; and

(ii) revoke such a nomination; and

(d) for each partnership that relates to a partnership account with the data holder—a service that can be used to:

(i) nominate one or more individuals (nominated representatives) who are able to give, amend and manage authorisations to disclose CDR data that relate to the partnership accounts of that partnership for the purposes of these rules on behalf of the CDR consumers who are its partners; and

(ii) revoke such a nomination; and

(e) in relation to each account in relation to which a person has account privileges―a service that can be used by the account holder to:

(i) make a secondary user instruction; and

(ii) revoke the instruction.

17 After subrule 1.13(1) (note 3)

Repeal the note, substitute:

Note 3: In the circumstances of paragraphs (1)(c) and (d), a person or partnership that does not have a nominated representative will not able to give or amend authorisations, or use the dashboard to manage authorisations (see subrule 1.15(2A)), and accordingly, the data holder will be neither required nor permitted to disclose the requested CDR data under these rules.

Note 4: The services of paragraphs (c), (d) and (e) may, but need not, be online.

Note 5: This subrule is a civil penalty provision (see rule 9.8).

18 Subrule 1.14(1)

Repeal the subrule (not including the note), substitute:

(1) An accredited person must provide an online service that:

(a) can be used by each eligible CDR consumer on whose behalf the accredited person makes a consumer data request, to manage:

(i) such requests; and

(ii) associated consents; and

(b) contains the details of each consent specified in subrule (3); and

(i) allows a CDR consumer, at any time, to:

(A) withdraw current consents; and

(B) elect that redundant data be deleted in accordance with these rules and withdraw such an election; and

(ii) is simple and straightforward to use; and

(iii) is prominently displayed.

19 After subrule 1.14(2)

Insert:

(2A) The consumer dashboard may, on and after 1 July 2021, also include a functionality that allows a CDR consumer to amend a current consent.

20 Subrule 1.14(3)

Repeal the subrule (including the notes), substitute:

(3) For paragraph (1)(b), the information is the following for each consent:

(a) details of the CDR data to which the consent relates;

(b) for a use consent―details of the specific use or uses for which the CDR consumer has given their consent;

(d) whether the consent applies:

(i) on a single occasion; or

(ii) over a period of time;

(e) if a collection consent or disclosure consent applies over a period of time:

(i) what that period is; and

(ii) how often data has been, and is expected to be, collected or disclosed over that period;

(f) if the consent is current—when it is scheduled to expire;

(g) if the consent is not current—when it expired;

(h) information relating to CDR data that was collected or disclosed pursuant to the consent (see rule 7.4 and rule 7.9);

(i) details of each amendment (if any) that has been made to the consent.

Note 1: For paragraph (f), consents expire at the latest 12 months after they are given or, in some circumstances, amended: see paragraph 4.14(1)(d).

Note 2: For the specific uses that are possible, see the data minimisation principle (rule 1.8).

Note 3: The consumer dashboard could contain other information too, for example, the written notices referred to in rule 7.15 (which deals with correction requests under privacy safeguard 13, section 56EP of the Act).

21 Rule 1.15

Repeal the rule, substitute:

1.15 Consumer dashboard—data holder

(1) If a data holder receives a consumer data request from an accredited person on behalf of a CDR consumer, the data holder must ensure that the CDR consumer has an online service that:

(a) can be used by the CDR consumer to manage authorisations to disclose CDR data in response to the request; and

(b) contains the details of each authorisation to disclose CDR data specified in subrule (3); and

(ba) contains any information in the data standards that is specified as information for the purposes of this rule; and

(bb) contains any information on the Register of Accredited Persons that is specified as information for the purposes of this rule; and

(i) allows for withdrawal, at any time, of authorisations to disclose CDR data; and

(ii) is simple and straightforward to use; and

(iii) is no more complicated to use than the process for giving the authorisation to disclose CDR data; and

(iv) is prominently displayed; and

(v) as part of the withdrawal process, displays a message relating to the consequences of the withdrawal in accordance with the data standards; and

(d) contains any other details, and has any other functionality, required by a Schedule to these rules in relation to a particular designated sector.

Note 1: This subrule is a civil penalty provision (see rule 9.8).

Note 2: For paragraph (d), for the banking sector, see clause 4.14 of Schedule 3.

(2) Such a service is the data holder’s consumer dashboard for that consumer.

Note: For the banking sector, if an accredited person makes a consumer data request that relates to a joint account on behalf of a secondary user or one joint account holder, the other joint account holders may also need to be provided with consumer dashboards: see clause 4.14 of Schedule 3.

(2A) For subrule (1), the online service must allow only nominated representatives to manage authorisations in the following circumstances:

(a) where the CDR consumer is not an individual;

(b) where the CDR data relates to a partnership account.

(3) For paragraph (1)(b) and paragraph (5)(a), the information is the following:

(a) details of the CDR data that has been authorised to be disclosed;

(b) when the CDR consumer gave the authorisation;

(d) if the authorisation is current—when it is scheduled to expire;

(e) if the authorisation is not current—when it expired;

(f) information relating to CDR data that was disclosed pursuant to the authorisation (see rule 7.9);

(g) for a disclosure of CDR data that relates to the authorisation but that was pursuant to a request under subsection 56EN(4) of the Act—that fact.

Note 1: For paragraph (d), authorisations to disclose CDR data expire at the latest 12 months after they are given: see paragraph 4.26(1)(e).

Note 2: The consumer dashboard could contain other information too, for example, the written notice referred to in rules 7.10 (which deals with quality of CDR data under privacy safeguard 11, section 56EN of the Act) and 7.15 (which deals with correction requests under privacy safeguard 13, section 56EP of the Act).

(4) A data holder does not contravene subrule (1) in relation to subparagraphs (1)(c)(ii) and (iii) so long as it takes reasonable steps to ensure that the functionality complies with those subparagraphs.

Secondary users

(5) If the CDR consumer is a secondary user for an account, the data holder must also provide the account holder with an online service that:

(a) for each authorisation to disclose CDR data given by the secondary user—contains the details specified in subrule (3); and

(b) has a functionality that:

(i) allows for the account holder to, at any time, give the indication referred to in subparagraph 4.6A(a)(ii) in relation to a particular accredited person; and

(ii) allows for the withdrawal of the secondary user instruction; and

(iii) is simple and straightforward to use; and

(iv) is no more complicated to use than the processes for giving the authorisations or instructions; and

(v) is prominently displayed; and

(vi) as part of the withdrawal process, displays a message relating to the consequences of the withdrawal in accordance with the data standards.

Note 1: This subrule is a civil penalty provision (see rule 9.8).

Note 2: If the account holder makes an indication in accordance with subparagraph (5)(b)(i), the data holder will no longer be able to disclose CDR data relating to that account to that accredited person: see subrules 4.6(2) and (4) and subrule 4.6A(1).

(6) A data holder does not contravene subrule (5) in relation to subparagraphs (5)(b)(iii) and (iv) so long as it takes reasonable steps to ensure that the functionality complies with those subparagraphs.

(7) If the data holder provides a consumer dashboard for the account holder, the service mentioned in subrule (5) must be included in the consumer dashboard.

Note: This subrule is a civil penalty provision (see rule 9.8).

22 Subdivision 1.4.4 (heading)

Omit “and accredited data recipients”.

23 Paragraph 1.18(c)

Repeal the paragraph (not including the note), substitute:

(c) where another person holds the CDR data on its behalf and will perform those steps—direct that person to notify it when those steps have been performed.

24 Rule 2.3

After “offered by”, insert “or on behalf of”.

25 After subrule 2.4(2)

Insert:

(2A) If the data holder discloses any requested voluntary product data to the requester, it must do so:

(a) through its product data request service; and

(b) in accordance with the data standards.

Note: This subrule is a civil penalty provision (see rule 9.8).

26 Subrule 2.4(3)

After “subject to”, insert “subrule (4) and”.

27 Sub-subparagraph 2.4(3)(b)(ii)(B)

Omit “product disclosure statement”, substitute “disclosure document”.

28 At the end of rule 2.4

Add:

(4) If:

(a) a data holder (the first data holder) receives a request for CDR data that relates to a product (the relevant product); and

(b) the first data holder offers the relevant product on behalf of another data holder (the second data holder), such that the second data holder is the data holder that enters into contracts with consumers to provide the relevant product;

the first data holder is not required to disclose the requested required product data under subrule (3).

(5) If:

(a) the second data holder receives such a request; and

(b) the data holders have agreed in writing that, in such a case, the first data holder will disclose the requested required product data;

then:

(i) it permitted the CDR data to be disclosed through the first data holder’s product data request service; and

(ii) in the case that the first data holder disclosed CDR data in response to the request―the reference to the data holder’s website in sub‑subparagraph (3)(b)(ii)(A) was to the first data holder’s website; and

(d) rule 2.6 applies as if it applied in relation to each of the first data holder and the second data holder.

(6) In this rule, disclosure document includes:

(a) a Product Disclosure Statement within the meaning of the Corporations Act 2001; or

(b) a key facts sheet within the meaning of the National Consumer Credit Protection Act 2009; or

(c) a similar document that is required by law to be disclosed to a customer prior to entering into a contract with that customer.

29 Division 4.1 of Part 4

Repeal the Division, substitute:

Division 4.1—Preliminary

4.1 Simplified outline of this Part

This Part deals with consumer data requests that are made to CDR participants by accredited persons on behalf of CDR consumers. Such requests, if made to a data holder, are made using the data holder’s accredited person request service.

In order for such a request to be made, the CDR consumer must have first asked the accredited person to provide goods or services to the CDR consumer or to another person, where provision of those goods or services requires the use of the CDR consumer’s CDR data.

Before making a consumer data request on behalf of a CDR consumer, the consumer must first have consented to the accredited person collecting and using specified CDR data to provide the requested goods or services.

Subject to certain limitations, the requested data can be any CDR data that relates to the CDR consumer.

Collection and use of CDR data under this Part is limited by the data minimisation principle, under which the accredited person:

(a) must not collect more data than is reasonably needed in order to provide the requested goods or services; and

(b) may use the collected data only as reasonably needed in order to provide the requested goods or services or as otherwise consented to by the consumer.

A request may be for the CDR consumer’s required consumer data, their voluntary consumer data, or both. Schedule 3 to these rules:

• provides for what is required consumer data and voluntary consumer data for the banking sector; and

• sets out the circumstances in which CDR consumers are eligible in relation to a request for their banking sector CDR data.

Consumer data requests made to data holders

Subject to exceptions outlined in this Part, if a request is made to a data holder, the data holder:

• must seek the CDR consumer’s authorisation to disclose required consumer data; and

• must seek the CDR consumer’s authorisation to disclose any voluntary consumer data that it intends to disclose.

The data holder then must disclose, to the accredited person, the required consumer data it is authorised to disclose, and may (but is not required to) disclose the voluntary consumer data it is authorised to disclose. The data is disclosed in machine‑readable form and in accordance with the data standards.

Consumer data requests made to accredited data recipients

If a request is made to an accredited data recipient, the accredited data recipient:

• may (but is not required to) seek the CDR consumer’s consent to disclose the requested CDR data; and

• once that consent is obtained, may (but is not required to) disclose that CDR data to the accredited person.

For the banking sector, special rules apply in relation to requests made to data holders where there are joint account holders. These are set out in Part 4 of Schedule 3.

A fee cannot be charged for the disclosure by a data holder of required consumer data, but could be charged for the disclosure by a data holder of voluntary consumer data, or by an accredited data recipient for disclosure of any CDR data.

30 Division 4.2 (heading)

After “persons”, insert “to CDR participants”.

31 After the heading to Division 4.2

Insert:

Subdivision 4.2.1—Preliminary

4.2 Consumer data requests made by accredited persons to CDR participants—flowchart

The following is a flowchart for how an accredited person makes a consumer data request to a CDR participant under this Division.

Subdivision 4.2.2—Requests to seek to collect CDR data from CDR participants

32 Rules 4.3 and 4.4

Repeal the rules, substitute:

4.3 Request for accredited person to seek to collect CDR data

(1) This rule applies if:

(a) a CDR consumer requests an accredited person to provide goods or services to the CDR consumer or to another person; and

(b) the accredited person needs to collect the CDR consumer’s CDR data from a CDR participant under these rules and use it in order to provide those goods or services.

(2) The accredited person may, in accordance with Division 4.3, ask the CDR consumer to give:

(a) a collection consent for the accredited person to collect their CDR data from the CDR participant; and

(b) a use consent for the accredited person to use that CDR data;

in order to provide those goods or services.

Note 1: In order to provide goods or services in accordance with the CDR consumer’s request, it might be necessary for the accredited person to request CDR data from more than 1 CDR participant.

Note 2: The accredited person is able to collect and use CDR data only in accordance with the data minimisation principle: see rule 1.8.

(3) In giving the consents, the CDR consumer gives the accredited person a valid request to seek to collect that CDR data from the CDR participant.

Note: If the accredited person seeks to collect CDR data under this Part without a valid request, it will contravene privacy safeguard 3 (a civil penalty provision under the Act): see section 56EF of the Act.

(4) The request ceases to be valid if the collection consent is withdrawn.

Note: So long as the use consent is not also withdrawn, the accredited person could continue to use CDR data it had already collected in order to provide the requested goods or services. However, the notification requirement of rule 4.18A would apply.

(5) If an accredited person asks for a CDR consumer’s consents for the purpose of making a consumer data request under this Part, the accredited person must do so in accordance with Division 4.3.

Note: This subrule is a civil penalty provision (see rule 9.8).

Subdivision 4.2.3—Consumer data requests by accredited persons to data holders

4.4 Consumer data request by accredited person to data holder

(1) If:

(a) a CDR consumer has given an accredited person a request under rule 4.3 to seek to collect CDR data from a data holder; and

(b) the request is valid;

the accredited person may request the data holder to disclose, to the accredited person, some or all of the CDR data that:

(d) it is able to collect and use in compliance with the data minimisation principle.

Note: See rule 1.8 for the definition of the “data minimisation principle”.

(2) Such a request is a consumer data request by an accredited person to a data holder on behalf of a CDR consumer.

Note 1: An accredited person might need to make consumer data requests to several CDR participants in order to provide the goods or services requested by the CDR consumer, and might need to make regular consumer data requests over a period of time in order to provide those goods or services.

Note 2: These rules will progressively permit consumer data requests to be made in relation to CDR data held by a broader range of data holders within the banking sector, and in relation to a broader range of CDR data, according to the timetable set out in Part 6 of Schedule 3.

(3) An accredited person must, if it makes a consumer data request under this Subdivision, make the request:

(a) using the data holder’s accredited person request service; and

(b) in accordance with the data standards.

Note 1: A data holder cannot charge an accredited person a fee for making a consumer data request in relation to required consumer data.

Note 2: This subrule is a civil penalty provision (see rule 9.8).

33 Paragraph 4.5(1)(a)

Omit “this Part”, substitute “rule 4.4”.

34 Subrule 4.5(2) (notes 2 and 3)

Repeal the notes, substitute:

Note 2: This subrule is a civil penalty provision (see rule 9.8).

35 Subrule 4.5(3) (notes 2, 3 and 4)

Repeal the notes, substitute:

Note 2: This subrule is a civil penalty provision (see rule 9.8).

36 Paragraph 4.6(1)(a)

Omit “this Part”, substitute “rule 4.4”.

37 Subrule 4.6(2)

After “may”, insert “, subject to rule 4.6A,”.

38 Subrule 4.6(2) (note)

Omit “Note”, substitute “Note 1”.

39 At the end of subrule 4.6(2)

Insert:

Note 2: For the banking sector, for requests that relate to joint accounts, additional requirements need to be met in order for the data holder to be authorised to disclose requested CDR data that relates to the joint account: see Part 4 of Schedule 3 to these rules.

40 Subrule 4.6(4)

After “subject to”, insert “rule 4.6A and”.

41 Subrule 4.6(4) (note 2)

Repeal the note, substitute:

42 After rule 4.6

Insert:

4.6A Disclosure of CDR data relating to account not permitted if not approved by account holder

Despite subrules 4.6(2) and (4), the data holder must not disclose requested CDR data that relates to a particular account to the person who made the request if:

(a) both of the following are satisfied:

(i) the request was made on behalf of a secondary user of the account;

(ii) the account holder has indicated, through their consumer dashboard, that they no longer approve CDR data relating to that account being disclosed to that accredited person in response to consumer data requests made by that secondary user; or

(b) a Schedule to the rules provides that the requested CDR data must not be disclosed.

Note 1: For subparagraph (a)(ii), the account holder is able to indicate this using the functionality referred to in subparagraph 1.15(5)(b)(i).

Note 2: For paragraph (b), for the banking sector, see clause 4.13 of Schedule 3 to these rules.

43 At the end of Division 4.2

Add:

Subdivision 4.2.4—Consumer data requests by accredited persons to accredited data recipients

4.7A Consumer data request by accredited person to accredited data recipient

(1) If:

(a) a CDR consumer has given an accredited person a request under rule 4.3 to seek to collect CDR data from an accredited data recipient; and

(b) the request is valid;

the accredited person may request the accredited data recipient to disclose, to the accredited person, some or all of the CDR data that:

(d) it is able to collect and use in compliance with the data minimisation principle.

Note: See rule 1.8 for the definition of the “data minimisation principle”.

(2) Such a request is a consumer data request by an accredited person to an accredited data recipient on behalf of a CDR consumer.

Note: An accredited person might need to make consumer data requests to several CDR participants in order to provide the goods or services requested by the CDR consumer, and might need to make regular consumer data requests over a period of time in order to provide those goods or services.

4.7B Accredited data recipient may ask eligible CDR consumer for AP disclosure consent

(1) This rule applies if:

(a) an accredited data recipient receives, or reasonably anticipates receiving, a consumer data request under rule 4.7A; and

(b) there is no current AP disclosure consent for the accredited data recipient to disclose the requested data to the person who made the request; and

(c) the accredited data recipient reasonably believes that the request was or will be made by an accredited person on behalf of an eligible CDR consumer.

Note: See subrule 1.7(1) for the meaning of “eligible”. For the banking sector, see clause 2.1 of Schedule 3 for when a CDR consumer is eligible.

(2) The accredited data recipient may, in accordance with Division 4.3, ask the CDR consumer for such an AP disclosure consent.

Note: If the CDR consumer consents to the disclosure, the accredited data recipient is authorised (but not required) to disclose the requested CDR data to the accredited person: see paragraph 7.5(1)(f) and rules 7.6, 7.7 and 7.8.

(3) If an accredited data recipient asks for an AP disclosure consent for the purposes of subrule (2), it must do so in accordance with Division 4.3.

Note: This subrule is a civil penalty provision (see rule 9.8).

44 Division 4.3

Repeal the Division, substitute:

Division 4.3—Giving and amending consents

Subdivision 4.3.1—Preliminary

4.8 Purpose of Division

This Division deals with giving and amending collection consents, use consents and disclosure consents, as well as related matters.

4.9 Object

The object of this Division is to ensure that a consent is:

(a) voluntary; and

(b) express; and

(d) specific as to purpose; and

(e) time limited; and

(f) easily withdrawn.

Subdivision 4.3.2—Giving consents

Note: Under rule 4.3, if an accredited person asks a CDR consumer for their consent to collect and use their CDR data, it must do so in accordance with this Division, and in particular, rules 4.10, 4.11 and 4.12. A failure to do so could contravene one or more civil penalty provisions: see section 56EF of the Act and rule 4.3.

4.10 Requirements relating to accredited person’s processes for seeking consent

(1) An accredited person’s processes for asking a CDR consumer to give and amend a consent:

(a) must:

(i) accord with any consumer experience data standards; and

(ia) subject to subrule (2), accord with any other data standards; and

(ii) having regard to any consumer experience guidelines developed by the Data Standards Body, be as easy to understand as practicable, including by use of concise language and, where appropriate, visual aids; and

(b) must not:

(i) include or refer to the accredited person’s CDR policy or other documents so as to reduce comprehensibility; or

(ii) bundle consents with other directions, permissions, consents or agreements.

(2) Subparagraph (1)(a)(ia) does not apply to:

(a) a collection consent for collection of CDR data from an accredited data recipient; or

(b) a disclosure consent.

4.11 Asking CDR consumer to give consent

Asking CDR consumer to give consent

(1A) An accredited person must not ask a CDR consumer to give a disclosure consent in relation to CDR data unless the consumer has already given the collection and use consents required to collect the CDR data to be disclosed.

Note: This does not prevent the accredited person from asking for a disclosure consent in relation to CDR data that has yet to be collected.

(1) When asking a CDR consumer to give a consent, an accredited person must:

(a) allow the CDR consumer to choose the types of CDR data to which the consent will apply by enabling the CDR consumer to actively select or otherwise clearly indicate:

(i) in the case of a collection consent or a disclosure consent―the particular types of CDR data to which the consent will apply; and

(ii) in the case of a use consent―the specific uses of collected data to which they are consenting; and

(b) allow the CDR consumer to choose the period of the collection consent, use consent, or disclosure consent (as appropriate) by enabling the CDR consumer to actively select or otherwise clearly indicate whether the consent would apply:

(i) on a single occasion; or

(ii) over a specified period of time; and

(ba) in the case of a disclosure consent―allow the CDR consumer to select the person to whom the CDR data may be disclosed;

(c) ask for the CDR consumer’s express consent to the choices referred to in paragraphs (a), (b) and (ba) for each relevant category of consents; and

(d) if the accredited person intends to charge a fee for disclosure of CDR data, or pass on to the CDR consumer a fee charged by a data holder for disclosure of CDR data:

(i) clearly distinguish between the CDR data for which a fee will, and will not, be charged or passed on; and

(ii) allow the CDR consumer to actively select or otherwise clearly indicate whether they consent to the collection or disclosure, as appropriate, of the CDR data for which a fee will be charged or passed on; and

(e) allow the CDR consumer to make an election in relation to deletion of redundant data in accordance with rule 4.16.

Example: For a collection consent, an accredited person could present the CDR consumer with a set of un‑filled boxes corresponding to different types of data, and permit the CDR consumer to select the boxes that correspond to the data they consent to the accredited person collecting.

Note 1: An accredited person could not infer consent, or seek to rely on an implied consent.

Note 2: For paragraph (b), the specified period may not be more than 12 months: see subrule 4.12(1). After the end of the period, redundant data would need to be dealt with in accordance with subsection 56EO(2) of the Act (privacy safeguard 12) and rules 7.12 and 7.13.

Note 3: For paragraph (d), a data holder could charge a fee for disclosure of voluntary consumer data, while an accredited data recipient could charge a fee for the disclosure of any CDR data.

(2) The accredited person must not present pre‑selected options to the CDR consumer for the purposes of subrule (1).

Information presented to CDR consumer when asking for consent

(3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information:

(a) its name;

(b) its accreditation number;

(c) in the case of a collection consent or a use consent―how the collection or use (as applicable) indicated in accordance with subrule (1) complies with the data minimisation principle, including how:

(i) in the case of a collection consent―that collection is reasonably needed, and relates to no longer a time period than is reasonably needed; and

(ii) in the case of a use consent―that use would not go beyond what is reasonably needed;

in order to provide the requested goods or services to the CDR consumer or make the other uses consented to;

(d) if the accredited person intends passing a fee on, or charging a fee, to the CDR consumer as described in paragraph (1)(d)―the following information:

(i) the amount of the fee;

(ii) the consequences if the CDR consumer does not consent to the collection, or to the disclosure, of that data;

(e) if the accredited person is seeking a de‑identification consent—the additional information specified in rule 4.15;

(f) if the CDR data may be disclosed to, or collected by, an outsourced service provider (including one that is based overseas) of the accredited person:

(i) a statement of that fact; and

(ii) a link to the accredited person’s CDR policy; and

(iii) a statement that the consumer can obtain further information about such disclosures from the policy if desired;

(g) the following information about withdrawal of consents:

(i) a statement that, at any time, the consent can be withdrawn;

(ii) instructions for how the consent can be withdrawn;

(iii) a statement indicating the consequences (if any) to the CDR consumer if they withdraw the consent;

(h) the following information about redundant data:

(i) a statement, in accordance with rule 4.17, regarding the accredited person’s intended treatment of redundant data;

(ii) a statement outlining the CDR consumer’s right to elect that their redundant data be deleted;

(iii) instructions for how the election can be made.

Note: For paragraph (c), if the accredited person is seeking the CDR consumer’s consent to de‑identification as referred to in paragraph (e), the accredited person would need to indicate how that would comply with the data minimisation principle.

4.12 Restrictions on seeking consent

(1) An accredited person must not specify a period of time for the purposes of paragraph 4.11(1)(b) that is more than 12 months.

(2) An accredited person must not ask for a collection consent or a use consent unless it would comply with the data minimisation principle in respect of that collection or those uses.

Note: See rule 1.8 for the definition of “data minimisation principle”.

(3) An accredited person must not ask for a consent:

(a) that is not in a category of consents; or

(b) subject to subrule (4), for using the CDR data, including by aggregating the data, for the purpose of:

(i) identifying; or

(ii) compiling insights in relation to; or

(iii) building a profile in relation to;

any identifiable person who is not the CDR consumer who made the consumer data request.

(4) Paragraph (3)(b) does not apply in relation to a person whose identity is readily apparent from the CDR data, if the accredited person is seeking consent to:

(a) derive, from that CDR data, CDR data about that person’s interactions with the CDR consumer; and

(b) use that derived CDR data in order to provide the requested goods or services.

Subdivision 4.3.2A—Amending consents

4.12A Amendment of consent

An amendment of a consent takes effect when the CDR consumer amends the consent.

Note: It is not possible for the CDR consumer to specify a different day or time.

4.12B Inviting CDR consumer to amend consent

(1) An accredited person may invite a CDR consumer to amend a consent given in accordance with this Division only in accordance with this rule.

(2) The accredited person may give the invitation:

(a) if its consumer dashboard offers the consent amendment functionality referred to in subrule 1.14(2A)―via its consumer dashboard; or

(b) in writing directly to the CDR consumer.

(3) The accredited person may invite a CDR consumer to amend a current consent if:

(a) the amendment would better enable the accredited person to provide the goods or services referred to in paragraph 4.3(1)(a); or

(b) the amendment would:

(i) be consequential to an agreement between the accredited person and the CDR consumer to modify those goods or services; and

(ii) enable the accredited person to provide the modified goods or services.

(4) The accredited person must not, for an invitation to amend the period referred to in paragraph 4.11(1)(b):

(a) give the invitation any earlier than a reasonable period before the current consent is expected to expire; or

(b) give more than a reasonable number of such invitations within this period.

(5) The accredited person must not give such an invitation before 1 July 2021.

4.12C Process for amending consents

(1) Subject to this rule, if an accredited person allows CDR consumers to amend consents, it must allow them to do so in the same manner that it asks for CDR consumers to give consents.

(2) Despite subrule 4.11(2), in the case of an amendment to a consent, an accredited person may present, as pre‑selected options, the following details of the current consent:

(a) the selections or indications referred to in paragraphs 4.11(1)(a), (b) and (ba);

(b) the election (if any) referred to in paragraph 4.11(1)(e).

(3) In the case of an amendment to a consent, in addition to the information referred to in subrule 4.11(3), the accredited person must give the CDR consumer:

(a) a statement that indicates the consequences of amending a consent; and

(b) a statement that the accredited person will be able to continue to use any CDR data that has already been disclosed to it to the extent allowed by the amended consent.

Subdivision 4.3.2B—Withdrawing consents

4.13 Withdrawal of consents, and notifications

(1) The CDR consumer who gave a consent may withdraw the consent at any time:

(a) by using the accredited person’s consumer dashboard; or

(b) by using a simple alternative method of communication to be made available by the accredited person for that purpose.

(2) The accredited person must:

(a) if the withdrawal was in accordance with paragraph (1)(b)―give effect to the withdrawal as soon as practicable, and in any case within 2 business days after receiving the communication; and

(b) if a collection consent was withdrawn, in any case―notify the data holder of the withdrawal in accordance with the data standards.

Note 1: When a data holder is notified of the withdrawal of a collection consent, an authorisation to disclose the CDR data expires: see paragraph 4.26(1)(d).

Note 2: This subrule is a civil penalty provision (see rule 9.8).

(3) Withdrawal of a consent does not affect an election under rule 4.16 that the CDR consumer’s collected CDR data be deleted once it becomes redundant.

Subdivision 4.3.2C—Duration of consent

4.14 Duration of consent

(1) A consent expires at the earliest of the following:

(a) if the consent was withdrawn in accordance with paragraph 4.13(1)(b)―the earlier of the following:

(i) when the accredited person gave effect to the withdrawal;

(ii) 2 business days after the accredited person received the communication;

(b) if the consent was withdrawn in accordance with paragraph 4.13(1)(a)―when the consent was withdrawn;

(d) the end of the period of 12 months after:

(i) the consent was given; or

(ii) if the period of the consent has been amended in accordance with this Subdivision―the consent was last amended;

(e) at the end of the period the CDR consumer consented to in accordance with rule 4.11;

(f) if the consent expires as a result of the operation of another provision of these rules that references this paragraph.

Note: Clause 7.2 of Schedule 3 is an example of a provision referencing paragraph (f). This relates to when an accredited data recipient of CDR data becomes instead a data holder of that CDR data.

(1A) If:

(a) an accredited person is notified, under paragraph 4.25(2)(b), of the withdrawal of an authorisation to disclose CDR data; and

(b) the collection consent has not expired in accordance with subrule (1);

the collection consent to collect that CDR data expires when the accredited person receives that notification.

Note: This would not result in the use consent relating to any CDR data that had already been collected expiring. However, see the notification requirement of rule 4.18A.

(1B) If:

(a) an accredited person has a collection consent to collect particular CDR data from a particular accredited data recipient; and

(b) the accredited data recipient has an AP disclosure consent to disclose that CDR data to that accredited person;

then if one of those consents expires, the other expires when the accredited person or accredited data recipient is notified of the first‑mentioned expiry.

(1C) If an accredited person becomes a data holder, rather than an accredited data recipient, of particular CDR data as a result of subsection 56AJ(4) of the Act, all of that accredited person’s consents given under these rules that relate to that CDR data expire.

(2) If an accredited person’s accreditation is revoked or surrendered in accordance with rule 5.17, all of the accredited person’s consents expire when the revocation or surrender takes effect.

Subdivision 4.3.3—Information relating to de‑identification of CDR data

4.15 Additional information relating to de‑identification of CDR data

For paragraph 4.11(3)(e), the additional information relating to de‑identification is the following:

(a) what the CDR data de‑identification process is;

(b) if it would disclose (by sale or otherwise) the de‑identified data to one or more other persons;

(i) that fact; and

(ii) the classes of persons to which it would disclose that data;

(iii) why it would so disclose that data;

(c) if the accredited person would use the de‑identified data for general research―that fact, together with a link to a description in the accredited person’s CDR policy of:

(i) the research to be conducted; and

(ii) any additional benefit to be provided to the CDR consumer for consenting to the use;

(e) that the CDR consumer would not be able to elect, in accordance with rule 4.16, to have the de‑identified data deleted once it becomes redundant data.

Subdivision 4.3.4—Election to delete redundant data

4.16 Election to delete redundant data

(1) The CDR consumer who gave a consent relating to particular CDR data may elect that the collected data, and any data derived from it, be deleted when it becomes redundant data:

(a) when giving the consent; or

(b) at any other time before the consent expires.

Note: See rule 7.12 for the effect of an election.

(2) The CDR consumer may make the election:

(a) by communicating it to the accredited person in writing; or

(b) by using the accredited person’s consumer dashboard.

(3) This rule does not apply if, when seeking the consent, the accredited person informs the CDR consumer that they have a general policy of deleting CDR data when it becomes redundant data.

Note: See paragraph 4.17(1)(a).

(4) This rule does not require the deletion of derived CDR data that was de‑identified in accordance with the CDR data de‑identification process before the collected data from which it was derived became redundant.

4.17 Information relating to redundant data

(1) For subparagraph 4.11(3)(h)(i), the accredited person must state whether they have a general policy, when collected CDR data becomes redundant data, of:

(a) deleting the redundant data; or

(b) de‑identifying the redundant data; or

(2) An accredited person that gives the statement referred to in paragraph (1)(b) or (c) must also state:

(a) that, if it de‑identifies the redundant data:

(i) it would apply the CDR data de‑identification process; and

(ii) it would be able to use or, if applicable, disclose (by sale or otherwise) the de‑identified redundant data without seeking further consent from the CDR consumer; and

(b) what de‑identification of CDR data in accordance with the CDR data de‑identification process means; and

Note: For the CDR data de‑identification process, see rule 1.17.

Subdivision 4.3.5—Notification requirements

4.18 CDR receipts

(1) The accredited person must give the CDR consumer a notice that complies with this rule (a CDR receipt) as soon as practicable after:

(a) the CDR consumer gives the accredited person a collection consent, a use consent or a disclosure consent; or

(aa) the CDR consumer amends such a consent in accordance with this Part; or

(b) the CDR consumer withdraws such a consent in accordance with rule 4.13

Note: This subrule is a civil penalty provision (see rule 9.8).

(2) A CDR receipt given for the purposes of paragraph (1)(a) must set out:

(a) the details that relate to the consent that are listed in paragraphs 1.14(3)(a) to (f); and

(b) in the case of a collection consent―the name of each CDR participant the CDR consumer has consented to the collection of CDR data from; and

(ba) in the case of a disclosure consent―the name of the person the CDR consumer has consented to the disclosure of CDR data to; and

(2A) A CDR receipt given for the purposes of paragraph (1)(aa) must set out details of each amendment that has been made to the consent.

(3) A CDR receipt given for the purposes of paragraph (1)(b) must set out when the consent expired.

(4) A CDR receipt must be given in writing otherwise than through the CDR consumer’s consumer dashboard.

(5) A copy of the CDR receipt may be included in the CDR consumer’s consumer dashboard.

4.18A Notification if collection consent expires

(1) This rule applies if, in relation to particular goods or services an accredited person is providing as referred to in subrule 4.3(1):

(a) the collection consent expires; but

(b) the use consent is current.

(2) The accredited person must notify the CDR consumer as soon as practicable that, at any time, they:

(a) may withdraw the use consent; and

(b) may make the election to delete redundant data in respect of that CDR data under rule 4.16.

Note: This subrule is a civil penalty provision (see rule 9.8).

(3) The notification must be given in writing otherwise than through the CDR consumer’s consumer dashboard.

(4) The notification may also be included in the CDR consumer’s consumer dashboard.

4.18B Notification if collection consent or AP disclosure consent expires

(1) This rule applies if:

(a) an accredited person has a collection consent relating to particular CDR data and a particular accredited data recipient; and

(b) the accredited data recipient has an AP disclosure consent relating to that CDR data and that accredited person.

(2) If the collection consent expires in accordance with these rules, the accredited person must notify the accredited data recipient as soon as practicable of the expiry.

Note: This subrule is a civil penalty provision (see rule 9.8).

(3) If the AP disclosure consent expires in accordance with these rules, the accredited data recipient must notify the accredited person as soon as practicable of the expiry.

Note: This subrule is a civil penalty provision (see rule 9.8).

4.18C Notification if collection consent is amended

(1) This rule applies if:

(a) an accredited person has a collection consent relating to particular CDR data and a particular CDR participant; and

(b) the CDR consumer amends the consent.

(2) The accredited person must notify:

(a) if the CDR participant is a data holder―the data holder, in accordance with the data standards, that the consent has been amended; and

(b) if the CDR participant is an accredited data recipient―the accredited data recipient as soon as practicable that the consent has been amended.

Note: This subrule is a civil penalty provision (see rule 9.8).

4.19 Updating consumer dashboard

An accredited person must update a CDR consumer’s consumer dashboard as soon as practicable after the information required to be contained on the dashboard changes.

Note: This rule is a civil penalty provision (see rule 9.8).

4.20 Ongoing notification requirement—collection consents and use consents

(1) This rule applies in relation to a collection consent or a use consent if:

(a) the consent is current; and

(b) 90 days have elapsed since the latest of the following:

(i) the CDR consumer gave the consent;

(ia) the CDR consumer last amended the consent;

(ii) the CDR consumer last used their consumer dashboard;

(iii) the accredited person last sent the CDR consumer a notification in accordance with this rule.

(2) The accredited person must notify the CDR consumer in accordance with this rule that the consent is still current.

Note: This subrule is a civil penalty provision (see rule 9.8).

(3) The notification must be given in writing otherwise than through the CDR consumer’s consumer dashboard.

(4) A copy of the notification may be included in the CDR consumer’s consumer dashboard.

45 Division 4.4

Repeal the Division, substitute:

Division 4.4—Authorisations to disclose CDR data

Note: Under rule 4.5, if a data holder is considering disclosing voluntary consumer data in response to a consumer data request, or if required consumer data was requested, the data holder must seek an authorisation from the CDR consumer to disclose the CDR data in accordance with (among other things) this Division, and in particular, rules 4.23, 4.24 and 4.25. A failure to do so could contravene one or more civil penalty provisions: see rule 4.5.

4.21 Purpose of Division

This Division deals with authorisations to disclose CDR data for the purposes of rule 4.5, and amendments to authorisations.

4.22 Requirements relating to data holder’s processes for seeking authorisation

A data holder’s processes for asking a CDR consumer to give or amend an authorisation must:

(a) accord with the data standards; and

(b) having regard to any consumer experience guidelines developed by the Data Standards Body, be as easy to understand as practicable, including by use of concise language and, where appropriate, visual aids.

4.22A Inviting CDR consumer to amend a current authorisation

(1) If a data holder has received a notice under rule 4.18C, the data holder must, in accordance with this Division, invite the CDR consumer to amend the authorisation to disclose CDR data accordingly.

Note: This subrule is a civil penalty provision (see rule 9.8).

(2) An amendment of an authorisation to disclose CDR data other than in accordance with subrule (1) is of no effect.

4.23 Asking CDR consumer to give authorisation to disclose CDR data or inviting CDR consumer to amend a current authorisation

(1) When asking a CDR consumer to authorise the disclosure of CDR data, or amend a current authorisation, a data holder must give the CDR consumer the following information about the authorisation or amendment:

(a) subject to subrule (2), the name of the accredited person that made the request;

(b) the period of time to which the CDR data that was the subject of the request relates;

(d) whether the authorisation is being sought for:

(i) disclosure of CDR data on a single occasion; or

(ii) disclosure of CDR data over a period of time of not more than 12 months;

(e) if authorisation is being sought for disclosure over a period of time―what that period is;

(f) a statement that, at any time, the authorisation can be withdrawn;

(g) instructions for how the authorisation can be withdrawn.

(2) The data holder must also give the CDR consumer any information that the Register of Accredited Persons holds in relation to the accredited person that is specified as information for the purposes of this rule.

4.24 Restrictions when asking CDR consumer to authorise disclosure of CDR data

When asking a CDR consumer to authorise the disclosure of CDR data or to amend a current authorisation, the data holder must not do any of the following:

(a) add any requirements to the authorisation process beyond those specified in the data standards and these rules;

(b) provide or request additional information during the authorisation process beyond that specified in the data standards and these rules;

(d) include or refer to other documents.

4.25 Withdrawal of authorisation to disclose CDR data and notification

(1) The CDR consumer who gave, to a data holder, an authorisation to disclose particular CDR data to an accredited person may withdraw the authorisation at any time:

(a) by using the data holder’s consumer dashboard; or

(b) by using a simple alternative method of communication to be made available by the data holder for that purpose.

(2) The data holder must:

(a) if the withdrawal was in accordance with paragraph (1)(b)―give effect to the withdrawal as soon as practicable, and in any case within 2 business days after receiving the communication; and

(b) in any case―notify the accredited person of the withdrawal in accordance with the data standards.

Note 1: Upon notification a consent for the accredited person to collect the CDR data expires: see paragraph 4.14(1)(b).

Note 2: This subrule is a civil penalty provision (see rule 9.8).

4.26 Duration of authorisation to disclose CDR data

(1) An authorisation to disclose particular CDR data to an accredited person expires at the earliest of the following:

(a) if the authorisation was withdrawn in accordance with paragraph 4.25(1)(b)―the earlier of the following:

(i) when the data holder gave effect to the withdrawal;

(ii) 2 business days after the data holder received the communication;

(b) if the authorisation was withdrawn in accordance with paragraph 4.25(1)(a)―when the authorisation was withdrawn;

(d) if the data holder was notified, under paragraph 4.13(2)(b), of the withdrawal of a consent to collect that CDR data―when the data holder received that notification;

(e) the end of the period of 12 months after the authorisation was given;

(f) if the authorisation was for disclosure of CDR data on a single occasion—after the CDR data has been disclosed;

(g) if the authorisation was for disclosure of CDR data over a specified period—the end of:

(i) that period; or

(ii) if the period of the authorisation has been amended in accordance with this Division―that period as last amended;

(h) if the authorisation expires as a result of the operation of a provision of these rules that references this paragraph.

Note: Clause 7.2 of Schedule 3 is an example of a provision satisfying paragraph (h). This relates to when an accredited data recipient of CDR data becomes instead a data holder of that CDR data.

(2) If an accredited person’s accreditation is revoked or surrendered in accordance with rule 5.17, all authorisations for a data holder to disclose CDR data to that accredited person expire when the data holder is notified of the revocation or surrender.

4.27 Updating consumer dashboard

A data holder must update a CDR consumer’s consumer dashboard as soon as practicable after the information required to be contained on the dashboard changes.

Note: This rule is a civil penalty provision (see rule 9.8).

4.28 Notification requirements for consumer data requests on behalf of secondary users

(1) This rule applies if:

(a) an accredited person makes a consumer data request under this Part on behalf of a secondary user for a particular account; and

(b) the secondary user amends or withdraws an authorisation, or an authorisation given by the secondary user expires.

(2) The data holder must, as soon as practicable, notify the account holder of that fact through its ordinary means of contacting the account holder.

Note: This subclause is a civil penalty provision (see rule 9.8).

46 Subrule 5.10(1)

Repeal the subrule, substitute:

(1) The Data Recipient Accreditor may, in writing:

(a) impose any other condition on an accreditation; and

(b) vary or remove any conditions imposed under this rule or rule 5.9.

(1A) The Data Recipient Accreditor may exercise a power under subrule (1):

(a) at the time of accreditation under subsection 56CA(1) of the Act; or

(b) at any time after accreditation.

47 Subrule 5.10(2)

Omit “imposing or varying a condition”, substitute “exercising a power”.

48 At the end of subrule 5.12(1)

Add:

; and (f) ensure that it is licensed or otherwise authorised to use any CDR logo, including as required by the data standards.

49 At the end of Part 5

Add:

5.33 Temporary restriction on use of the Register in relation to data holder

(1) The Accreditation Registrar may take steps to prevent the Register of Accredited Persons and associated database from being used to make consumer data requests to a data holder, for a period of up to 10 days, if the Accreditation Registrar reasonably believes it is necessary to do so in order to ensure the security, integrity and stability of the Register or associated database.

(2) The steps taken by the Accreditation Registrar may include amending the information in the associated database relating to a data holder that is used to facilitate the making and processing of requests.

(3) Before, or as soon as practicable after, taking steps under subrule (1), the Accreditation Registrar must:

(a) inform the data holder of the steps to be taken, or that have been taken; and

(b) give the data holder a reasonable opportunity to be heard in relation to the matter.

(4) Despite anything else in these rules, a data holder is not required to disclose CDR data in response to a request, where responding to the request would require the data holder to use the Register of Accredited Persons or associated database in a way that is not available to the data holder at that time by reason of steps taken under this rule.

5.34 Temporary direction to refrain from processing consumer data requests

(1) The Accreditation Registrar may, by written notice:

(a) direct an accredited person not to make consumer data requests; or

(b) direct a data holder not to respond to consumer data requests;

for a period of up to 10 days, if the Accreditation Registrar reasonably believes it is necessary to do so in order to ensure the security, integrity and stability of the Register or associated database.

(2) The notice must specify:

(a) whether the direction applies to all consumer data requests or to requests made to a particular data holder or by a particular accredited person; and

(b) the period of application.

(3) Before, or as soon as practicable after, giving a direction, the Accreditation Registrar must give the accredited person or data holder a reasonable opportunity to be heard in relation to the matter.

(4) Despite anything else in these rules:

(a) an accredited person must not make a consumer data request contrary to a direction it has received under this rule; and

(b) a data holder must not disclose CDR data in response to a consumer data request contrary to a direction it has received under this rule.

Civil penalty:

(a) for an individual―$50,000; and

(b) for a body corporate―$250,000.

50 After paragraph 7.2(4)(c)

Insert:

(ca) if the accredited person wishes to undertake general research using the CDR data:

(i) a description of the research to be conducted; and

(iii) a description of any additional benefit to be provided to the CDR consumer for consenting to the use; and

51 Subparagraph 7.2(4)(e)(i) and paragraphs 7.2(5)(a) and 7.2(5)(b)

Omit “accredited person”, substitute “accredited data recipient”.

52 Rule 7.4

Omit “consent from a CDR consumer to collect CDR data”, substitute “collection consent”.

53 Paragraph 7.4(c)

Repeal the paragraph, substitute:

54 Paragraphs 7.5(1)(a), (b) and (c)

Repeal the paragraphs, substitute:

(a) using the CDR consumer’s CDR data to provide goods or services requested by the CDR consumer (the existing goods or services):

(i) in compliance with the data minimisation principle; and

(ii) in accordance with a current use consent from the CDR consumer, other than a direct marketing consent;

(aa) in accordance with a current use consent, de‑identifying the CDR consumer’s CDR data in accordance with the CDR data de‑identification process and:

(i) using the de‑identified data for general research; or

(ii) disclosing (including by selling) the de‑identified data;

(b) directly or indirectly deriving CDR data from the collected CDR data in order to use the data in accordance with paragraph (a) or (aa);

(ca) subject to rule 7.5A, disclosing the CDR consumer’s CDR data in accordance with a current disclosure consent;

55 At the end of subrule 7.5(1)

Add:

; (g) disclosing CDR data to an accredited person if the CDR consumer has:

(i) given the accredited person:

(A) a collection consent to collect the CDR data from the accredited data recipient; and

(B) a use consent; and

(ii) given the accredited data recipient an AP disclosure consent to disclose the CDR data to the accredited person.

56 At the end of paragraph 7.5(3)(a)

Add:

; or (iv) information about other goods or services provided by another accredited person, if the accredited data recipient:

(A) reasonably believes that the CDR consumer might benefit from those other goods or services; and

(B) sends such information to the CDR consumer on no more than a reasonable number of occasions;

57 After paragraph 7.5(3)(a)

Insert:

(aa) in accordance with a direct marketing consent from the CDR consumer—disclosing CDR data to an accredited person to enable the accredited person to provide the goods or services referred to in subparagraph (a)(iv), if the CDR consumer has:

(i) given the accredited person:

(A) a collection consent to collect the CDR data from the accredited data recipient; and

(B) a use consent; and

(ii) given the accredited data recipient a disclosure consent to disclose the CDR data to the accredited person;

58 Paragraph 7.5(3)(b)

After “paragraph (a)”, insert “or paragraph (aa)”.

59 Paragraph 7.5(3)(c)

After “(a)”, insert “, (aa)”.

60 Subrule 7.5(4)

Repeal the subrule (including the subrule heading).

61 After rule 7.5

Insert:

7.5A Limitation to disclosures of CDR data under a disclosure consent

Despite paragraph 7.5(1)(ca), disclosure of CDR data to an accredited person under an AP disclosure consent is not a permitted use or disclosure until the earlier of the following:

(a) 1 July 2021;

(b) the day the Data Standards Chair makes the data standard about the matter referred to in subparagraph 8.11(1)(c)(iii).

62 Rule 7.9

Before “For”, insert “(1)”.

63 Paragraph 7.9(1)(c)

After “recipient”, insert “, identified in accordance with any entry on the Register of Accredited Persons specified as being for that purpose”.

64 At the end of rule 7.9

Add:

(2) For subsection 56EM(2) of the Act, an accredited data recipient that discloses CDR data to an accredited person must, as soon as practicable, update each consumer dashboard that relates to the request to indicate:

(a) what CDR data was disclosed; and

(b) when the CDR data was disclosed; and

(c) the accredited person, identified in accordance with any entry on the Register of Accredited Persons specified as being for that purpose.

65 Subrule 7.10(1)

Omit “data holder” (wherever occurring), substitute “CDR participant”.

66 Subrule 7.10(1) (note 2)

Omit “data holder’s”, substitute “CDR participant’s”.

67 Subrule 7.10(1) (note 2)

Before “rule 1.15”, insert “rule 1.14 and”.

68 At the end of paragraph 8.11(1)(c)

Add:

and (iii) consumer experience data standards for disclosure of CDR data to accredited persons;

69 Subrules 9.3(1) and (2)

Repeal the subrules, substitute:

Records to be kept and maintained—data holder

(1) A data holder must keep and maintain records that record and explain the following:

(a) authorisations given by CDR consumers to disclose CDR data;

(b) amendments to or withdrawals of authorisations to disclose CDR data;

(d) disclosures of CDR data made in response to consumer data requests;

(da) any written agreement of a kind referred to in subrule 2.4(5) the data holder has entered into;

(e) instances where the data holder has refused to disclose requested CDR data and the rule or data standard relied upon to refuse to disclose the CDR data;

(f) CDR complaint data;

(g) the processes by which the data holder asks CDR consumers for their authorisation to disclose CDR data and for an amendment to their authorisation, including a video of each process.

Civil penalty:

(a) for an individual―$50,000; and

(b) for a body corporate―$250,000.

Records to be kept and maintained—accredited data recipient

(2) An accredited data recipient must keep and maintain records that record and explain the following:

(a) all consents, including, if applicable, the uses of the CDR data that the CDR consumer has consented to under any use consents;

(b) amendments to or withdrawals of consents by CDR consumers;

(d) CDR complaint data;

(e) collections of CDR data under these rules;

(ea) disclosures of CDR data to accredited persons under these rules, and the accredited persons to which any CDR data was disclosed;

(f) elections to delete and withdrawals of those elections;

(g) the use of CDR data by the accredited data recipient;

(h) the processes by which the accredited data recipient asks CDR consumers for their consent and for an amendment to their consent, including a video of each process;

(i) if applicable:

(i) arrangements that may result in CDR data being collected by or disclosed to outsourced service providers, including copies of agreements with outsourced service providers; and

(ii) the use and management of CDR data by those providers;

(j) if CDR data was de-identified in accordance with a consent referred to in paragraph 4.11(3)(e):

(i) how the data was de‑identified; and

(ii) how the accredited data recipient used the de‑identified data; and

(iii) if the accredited data recipient disclosed (by sale or otherwise) the de‑identified data to another person as referred to in paragraph 4.15(b):

(A) to whom the data was so disclosed; and

(B) why the data was so disclosed;

(iv) if the use is for general research―records of any additional benefit to be provided to the CDR consumer for consenting to the use;

(k) records that are required to be made for the purposes of the CDR data de‑identification process when applied as part of privacy safeguard 12;

(l) records of any matters that are required to be retained under Schedule 2 to these rules;

(m) any terms and conditions on which the accredited data recipient offers goods or services where the accredited data recipient collects or uses, or discloses to an accredited person, CDR data in order to provide the good or service.

Note: For paragraph (k), see section 56EO of the Act and rule 7.12.

Civil penalty:

(a) for an individual―$50,000; and

(b) for a body corporate―$250,000.

70 Paragraph 9.4(1)(d)

Repeal the paragraph (including the note), substitute:

(d) sets out, for each of the types of requests referred to in subparagraphs (c)(i), (ii) and (iii):

(i) the number of times the data holder has refused to disclose CDR data; and

(ii) the rule or data standard relied upon to refuse to disclose that data; and

(iii) the number of times the data holder has relied on each of those rules or data standards as a ground of refusal.

Note: For the meaning of product data request see rule 2.3. For the meaning of consumer data request see rule 3.3 (requests made by CDR consumers) and rules 4.4 and 4.7A (requests by accredited persons).

71 Paragraph 9.4(2)(f) and (g)

Repeal the paragraphs, substitute:

(f) sets out the following:

(i) the number of consumer data requests made by the accredited data recipient during the reporting period;

(ii) the proportion of CDR consumers who, at the date of the report, had exercised the election to delete, by reference to each brand of the accredited person;

(iii) the number of consumer data requests the accredited data recipient received from an accredited person on behalf of a CDR consumer during the reporting period;

(iv) the number of times the accredited data recipient disclosed consumer data to an accredited person in response to such a consumer data request during the reporting period;

(v) the total number of CDR consumers the accredited data recipient provided goods or services to using CDR data during the reporting period.

72 Subrule 9.5(1)

After “(a)”, insert “(b),”.

73 Subrule 9.5(2)

Omit “(a) and (c)”, substitute “(a), (b), (c), (d), (e), (ea), (eb), (f) and (m)”.

74 Subrule 9.7(3)

After “comply”, insert “with”.

75 Amendments of listed provisions―repeals

Repeal the following provisions:

(a) paragraph 9.8(nn);

(b) paragraph 9.8(oo);

(d) paragraph 9.8(qq);

(e) paragraph 9.8(rr).

76 Amendments of listed provisions

Further amendments
Item	Provision	Add
2	After paragraph 9.8(d)	(da) subrule 1.15(5); (db) subrule 1.15(7);
3	After paragraph 9.8(e)	(ea) subrule 2.4(2A);
4	After paragraph 9.8(n)	(na) subrule 4.7B(3);
5	After paragraph 9.8(p)	(pa) subrule 4.18A(2); (pb) subrule 4.18B(2); (pc) subrule 4.18B(3); (pd) subrule 4.18C(2);
6	After paragraph 9.8(r)	(ra) subrule 4.22A(1);
7	After paragraph 9.8(t)	(ta) subrule 4.28(2);
8	After paragraph 9.8(mm)	(nn) subclause 4.6(1) of Schedule 3; (oo) subclause 4.7(2) of Schedule 3; (pp) subclause 4.10(2) of Schedule 3; (qq) subclause 4.14(1) of Schedule 3; (rr) subclause 4.16(1)of Schedule 3; (ss) subclause 4.16(2) of Schedule 3.

77 Rule 9.8 (note)

After “5.25(5),”, insert “5.34(4),”.

78 Subclause 2.1(1) of Schedule 1

Insert:

approved means approved for the purposes of this clause in guidelines issued by the Data Recipient Accreditor.

79 Subclause 2.1(1) of Schedule 1 (definition of assurance report)

Repeal the definition, substitute:

assurance report means a report that:

(a) is made in accordance with:

(i) ASAE 3150; or

(ii) an approved standard, report or framework; and

Note: See the CDR Accreditation Guidelines, which could in 2020 be downloaded from the Commission’s website (https://wwwaccc.gov.au).

ASAE 3150 could in 2020 be downloaded from the Auditing and Assurance Standards Board’s website (https://www.auasb.gov.au/admin/file/content102/c3/Jan15_ASAE_3150_Assurance_Engagements_on_Controls.pdf).

(b) does not include the information that must be provided in an attestation statement.

80 Subclause 2.1(1) of Schedule 1

Repeal the following definitions:

(a) definition of initial reporting period;

(b) definition of reporting period.

81 Paragraphs 2.1(2)(a) and (3)(a) of Schedule 1

Omit “initial”, substitute “first”.

82 At the end of clause 2.1 of Schedule 1

Add:

Reporting periods

(4) For this clause, subject to subclause (5), a reporting period for an accredited person is either a financial year or a calendar year, as determined for the accredited person by the Data Recipient Accreditor.

(5) However the first reporting period for an accredited person is taken to be the period that:

(a) if the accreditation decision takes effect within 3 months before the end of a reporting period—starts on the day the accreditation takes effect and ends on the last day of the following reporting period; and

(b) otherwise—starts on the day the accreditation decision takes effect and ends on the last day of that reporting period.

Example 1: For paragraph (a) if an accreditation decision takes effect on 30 May 2022, the first reporting period starts on 30 May 2022 and ends on 30 June 2023.

Example 2: For paragraph (b) if an accreditation decision takes effect on 1 January 2023, the first reporting period starts on 1 January 2023 and ends on 30 June 2023.

83 Clause 1.2 of Schedule 3 (definition of joint account)

Repeal the definition, substitute:

joint account:

(a) means a joint account with a data holder for which there are 2 or more joint account holders, each of which is an individual who, so far as the data holder is aware, is acting in their own capacity and not on behalf of another person; but

(b) does not include a partnership account with a data holder.

84 Clause 1.2 of Schedule 3 (definition of joint account management service)

Omit “subclause 4.2(3)”, substitute “subclause 4.6(2)”.

85 Clause 1.2 of Schedule 3 (definition of voluntarily participating ADI)

Repeal the definition.

86 Subclause 2.1(2) of Schedule 3

Repeal the subclause, substitute:

(2) For the banking sector, in relation to a particular data holder at a particular time, a CDR consumer is eligible if, at that time, the CDR consumer:

(a) is either:

(i) an individual who is 18 years of age or older; or

(ii) a person who is not an individual; and

(b) is an account holder or a secondary user for an account with the data holder that:

(i) is open; and

(ii) is set up in such a way that it can be accessed online by the CDR consumer.

(3) For the banking sector, in relation to a particular data holder at a particular time, a CDR consumer is also eligible if, at that time:

(a) the CDR consumer is a partner in a partnership for which there is a partnership account with the data holder; and

(b) the partnership account:

(i) is open; and

(ii) is set up in such a way that it can be accessed online.

87 At the end of Part 2 of Schedule 3

Add:

2.2 Meaning of account privileges—banking sector

(1) This clause is made for the purposes of the definition of account privileges in subrule 1.7(1) of these rules.

(2) For the banking sector, a person has account privileges in relation to an account with a data holder if:

(a) the account is for a phase 1, a phase 2 or a phase 3 product; and

(b) the person is able to make transactions on the account.

88 Subparagraph 3.2(1)(b)(ii) of Schedule 3

Repeal the subparagraph, substitute:

(ii) account data in relation to an account of any of the following types (whether or not the account can be accessed online, and, subject to subclauses (4) and (5), whether or not open):

(A) an account held by a CDR consumer in their name alone;

(B) a joint account;

89 Subclause 3.2(1) of Schedule 3 (note 1)

Omit “subparagraph (b)(ii)”, substitute “sub‑subparagraph (b)(ii)(B)”.

90 Subclause 3.2(1) of Schedule 3 (note 3)

After “closed”, insert “accounts (subject to subclauses (4) and (5))”.

91 Subclauses 3.2(3) and (4) of Schedule 3

Repeal the subclauses, substitute:

(3) For this clause:

(a) CDR data is neither required consumer data nor voluntary consumer data at a particular time if the data is:

(i) account data in relation to an account that is not any of the following:

(A) an account held in the name of a single person;

(B) a joint account;

(ii) account data in relation to a joint account or partnership account for which any of the individuals who are account holders is less than 18 years of age at that time; or

(iv) transaction data in relation to a transaction on any such account; or

(v) product specific data in relation to a product relating to any such account; and

(b) for a consumer data request made by or on behalf of a particular person, customer data in relation to any account holder or secondary user other than that person is neither required consumer data nor voluntary consumer data.

Exception to required consumer data―open accounts

(4) Despite subclause (1), for an account that is open at a particular time, the following CDR data is not required consumer data at that time:

(a) transaction data in relation to a transaction that occurred more than 7 years before that time;

(b) account data that relates to an authorisation on an account for a direct debit deduction that occurred more than 13 months before that time.

Note: As a result, such CDR data would be voluntary consumer data.

Exception to required consumer data―closed accounts

(5) Despite subclause (1), for an account that is closed at a particular time, the following CDR data is not required consumer data at that time:

(a) account data that relates to an authorisation on an account for direct debit deductions;

(b) where the account was closed no more than 24 months before that time―transaction data in relation to a transaction that occurred more than 12 months before the account was closed;

(i) account data that relates to the account; and

(ii) transaction data that relates to any transaction on the account; and

(iii) product specific data in relation to a product relating to any such account.

Note: As a result, such CDR data would be voluntary consumer data.

92 Part 4 of Schedule 3

Repeal the Part, substitute:

Part 4—Joint accounts

Division 4.1—Preliminary

4.1 Purpose of Part

Special rules apply in relation to consumer data requests under Part 4 of these rules under which there is a request for disclosure of CDR data that relates to one or more joint accounts within the banking sector. This Part sets out those rules.

4.2 Application of Part

Note: This Part does not apply to all joint accounts with data holders. This clause sets out the joint accounts to which this Part applies.

This Part applies to a joint account with a data holder if all joint account holders are eligible in relation to the data holder.

Note: See subrule 1.7(1) for the meaning of “eligible”. For the banking sector, see clause 2.1 of this Schedule for when a CDR consumer is eligible.

4.3 Simplified outline of this Part

This Part does not apply to all joint accounts in the banking sector. Division 4.1 of this Part sets out, among other things, the joint accounts to which this Part applies.

CDR data that relates to a joint account to which this Part applies can be disclosed under these rules only if, among other things, an available disclosure option applies to the account. Division 4.2 of this Part sets out:

• what the available disclosure options are; and

• an obligation for data holders to provide a service (a joint account management service) for all joint accounts to which this Part applies through which joint account holders can indicate the disclosure option they would like to apply to the account; and

• when one joint account holder selects a disclosure option to apply to a joint account―a process by which the other joint account holders can select a disclosure option to apply; and

• some associated notification requirements.

All joint account holders must indicate that they would like the same disclosure option to apply to the joint account in order for the disclosure option to apply.

When an accredited person makes a consumer data request under Part 4 of these rules on behalf of a CDR consumer, and the request includes CDR data relating to one or more joint accounts of which the CDR consumer is a joint account holder, Division 4.3 deals with how the request is processed.

Division 4.3 also deals with how requests are processed when the accredited person makes a consumer data request on behalf of a secondary user of the joint account.

Division 4.2—Disclosure options, joint account management service and notification requirements

4.4 Simplified outline of this Division

This Division sets out the disclosure options that can apply to a joint account. These disclosure options are relevant when an accredited person makes a consumer data request on behalf of one joint account holder or a secondary user under Part 4 of these rules.

One is a pre‑approval option. If all joint account holders indicate that they would like a pre‑approval option to apply to a joint account, CDR data relating to the joint account can be disclosed in response to the request without the approval of the other account holder, but the other account holders can revoke the pre‑approval in relation to a particular consumer data request at any time.

Another is a co‑approval option. If all joint account holders indicate that they would like a co‑approval option to apply to a joint account, CDR data relating to the joint account can be disclosed under these rules only with the approval of the all the account holders.

Data holders must offer pre‑approval options on joint accounts, and may offer co‑approval options.

Neither disclosure option applies to a joint account if:

• the joint account holders indicate that they would like different disclosure options to apply to the account; or

• any of the joint account holders do not indicate a disclosure option they would like to apply.

For each joint account to which this Part applies, a data holder must offer a joint account management service that can be used by joint account holders to select and manage these disclosure options.

4.5 Disclosure options that can apply to joint accounts

(1) For this Part, a pre‑approval option applies to a joint account at a particular time if, at that time:

(a) all joint account holders have indicated that they would like that disclosure option to apply to the account; and

(b) none has indicated that they no longer want that disclosure option to apply.

(2) For this Part, a co‑approval option applies to a joint account at a particular time if, at that time:

(a) that disclosure option is offered on the account; and

(b) all joint account holders have indicated that they would like that disclosure option to apply to the account; and

(3) For this Part, a disclosure option applies to a joint account if a pre‑approval option or a co‑approval option applies to the joint account.

4.6 Obligation to provide joint account management service

Obligation to provide joint account management service

(1) For each joint account to which this Part applies, the data holder must provide a service to each joint account holder that:

(a) allows the joint account holder to indicate whether they would like:

(i) the pre‑approval option to apply; or

(ii) if offered by the data holder―the co‑approval option to apply; and

(b) allows the joint account holder to indicate whether they would like a different disclosure option, or no disclosure option, to apply; and

Note 1: This subclause is a civil penalty provision (see rule 9.8).

Note 2: All joint account holders must indicate that they would like the same disclosure option to apply in order for the disclosure option to apply to the joint account: see subclauses 4.5(1) and (2) of this Schedule.

(2) Such a service is a joint account management service.

Requirements for joint account management service

(3) The service must be provided online and, if there is a data holder’s consumer dashboard for a joint account holder, may be included in the dashboard.

(4) The service may, but need not, also be provided other than online.

(5) The service must give effect to a disclosure option applying or no longer applying as soon as practicable.

(6) The service must not, when allowing joint account holders to indicate which disclosure option they would like to apply, do any of the following:

(a) add any requirements to the process beyond those specified in the data standards and these rules;

(b) offer additional or alternative services as part of the process;

(d) offer any pre‑selected options.

(7) The service must, when allowing a joint account holder to indicate which disclosure option they would like to apply, notify them:

(a) of the following information about each disclosure option offered using the service:

(i) what the effect of the disclosure option applying is;

(ii) that they can indicate at any time that they would no longer like the disclosure option to apply;

(iii) how they can indicate this;

(iv) what the effect of indicating this is;

(v) how the disclosure option operates if there is a secondary user for the joint account; and

(b) if more than one disclosure option is available―of the difference between the available disclosure options; and

(c) that, if joint account holders do not indicate that they would like the same disclosure option to apply to the joint account, disclosure of joint account data relating to the account will ordinarily not be authorised under these rules; and

(d) that when CDR data relating to the joint account is disclosed under these rules, the data holder will ordinarily provide each joint account holder and, if applicable, each secondary user, with a consumer dashboard through which they will be able to see information about the disclosure.

(8) The service must be in accordance with the data standards.

4.7 Asking other joint account holders to indicate disclosure option for joint account

Application of clause

(1) This clause applies in relation to a particular joint account to which this Part applies if a joint account holder (account holder A) indicates, using the joint account management service, that they would like:

(a) if no disclosure option applies to the account―a particular disclosure option to apply; or

(b) if a disclosure option applies to the account―a different, or no, disclosure option to apply.

Obligation to invite other account holders to indicate disclosure option

(2) The data holder must, through its ordinary methods for contacting the other joint account holders:

(a) explain to each of them what the consumer data right is; and

(b) inform them that account holder A has indicated that they would like the disclosure option referred to in subclause (1), or no disclosure option, to apply to the account, as applicable; and

(d) explain to them that no disclosure option will apply to the account unless all account holders have indicated that they would like the same disclosure option to apply; and

(e) if account holder A selected a particular disclosure option―invite them to indicate that they would like the same disclosure option as indicated by account holder A to apply to the account; and

(f) if account holder A gave an indication pursuant to clause 4.10 of this Schedule—identify the accredited person.

Note: This subclause is a civil penalty provision (see rule 9.8).

Division 4.3—Consumer data requests that relate to joint accounts

Subdivision 4.3.1—Preliminary

4.8 Application of Division

(1) This Division applies in relation to a consumer data request to a data holder under Part 4 of these rules that is for disclosure of any of the following CDR data in relation to a particular joint account to which this Part applies:

(a) account data in relation to the joint account;

(b) transaction data in relation to the joint account;

(c) product specific data in relation to a product that a joint account holder uses and that relates to the joint account.

(2) This Division applies whether or not the request is also for disclosure of other CDR data.

(3) If a particular consumer data request to a data holder under Part 4 of these rules relates to more than one joint account to which this Part applies, this Division applies separately in relation to each such joint account.

4.9 Interpretation

For this Division:

(a) the requester is the person on whose behalf the consumer data request referred to in clause 4.8 was made; and

(b) the relevant account holders are:

(i) if the requester is a secondary user―all joint account holders; and

(ii) if the requester is a joint account holder―the other joint account holders; and

(c) joint account data is the CDR data that is referred to in subrule 4.8(1) of this Schedule that was the subject of the request.

Subdivision 4.3.2—How consumer data requests to data holders under Part 4 of these rules that relate to joint accounts are handled

4.10 Asking requesting account holder to indicate disclosure option for joint account

(1) This clause applies if:

(a) the requester is a joint account holder; and

(b) a data holder asks the requester to authorise disclosure in accordance with Division 4.4 of these rules; and

(2) The data holder must also ask the requester to indicate:

(a) through the joint account management service; and

(b) in accordance with the data standards;

the disclosure option they would like to apply to the account.

Note 1: This subclause is a civil penalty provision (see rule 9.8).

Note 2: The disclosure option will not apply to the account unless the relevant account holders indicate that they would like the same disclosure option to apply.

Note 3: If the requester indicates a disclosure option that they would like to apply to the joint account, the data holder would then need to ask the relevant account holders to indicate which disclosure option they would like to apply to the joint account in accordance with clause 4.7 of this Schedule.

Note 4: See paragraph 4.16(1)(b) of this Schedule for a similar requirement in the case that the requester is a secondary user of the joint account.

4.11 Asking relevant account holders for approval to disclose joint account data

(1) This clause applies if:

(a) the requester has authorised, under Division 4.4 of these rules, the disclosure of the joint account data; and

(b) a co‑approval option applies to the joint account.

(2) The data holder must, through its ordinary methods for contacting the relevant account holders:

(a) indicate that an accredited person has requested disclosure of CDR data that relates to the joint account on behalf of the requester; and

(b) outline the matters referred to in subclause (1); and

(c) indicate the matters referred to in paragraphs 4.23(a), (b), (c), (d) and (e) of these rules so far as they relate to the request; and

(d) ask the relevant account holders whether they approve the joint account data being disclosed; and

(e) indicate the time by which the data holder needs the relevant account holders to give this approval; and

(f) inform them that any one of them may, at any time, remove the approval; and

(g) provide them with instructions for how to remove the approval; and

(h) indicate what the effect of removing the approval would be.

Note: For removal of an approval, see clause 4.14 of this Schedule.

4.12 Continuation and removal of approvals

(1) Any relevant account holder may remove an approval given under this Division at any time (regardless of whether the approval was given expressly under a co‑approval option or whether a pre‑approval option applies).

(2) If each relevant account holder approves of the disclosure in accordance with this Division, the approval is taken to apply while the authorisation referred to in paragraph 4.11(1)(a) of this Schedule is current, unless removed sooner in accordance with this Division.

4.13 Joint account data the data holder is authorised to disclose

(1) For paragraph 4.6A(2) of these rules, the data holder must not disclose joint account data to the accredited person unless:

(a) the requester has authorised the data holder to disclose that CDR data under Division 4.4 of these rules; and

(b) subclause (2), (3) or (4) applies.

Pre‑approval option

(2) This subclause applies if:

(a) a pre‑approval option applies to the joint account; and

(b) no relevant account holder has removed the approval using its consumer dashboard.

Co‑approval option

(3) This subclause applies if:

(a) a co‑approval option applies to the joint account; and

(b) for each relevant account holder, either:

(i) the relevant account holder approved the disclosure in accordance with clause 4.11 of this Schedule within the time frame referred to in paragraph 4.11(2)(e) of this Schedule and has not removed the approval using their consumer dashboard; or

(ii) the data holder considers it necessary to avoid seeking the approval of the relevant account holder in order to prevent physical or financial harm or abuse.

Note: Data holders are required to offer the disclosure option referred to in subclause (2). Data holders may, but are not required to, offer the disclosure option referred to in subclause (3). See subclause 4.6(1) of this Schedule.

No disclosure option applies but circumstances of physical or financial harm or abuse might exist

(4) This subclause applies if:

(a) no disclosure option applies to the joint account; and

(b) the data holder considers it necessary to avoid inviting at least one of the relevant account holders to choose a disclosure option in order to prevent physical or financial harm or abuse.

4.14 Consumer dashboard for relevant account holders

Obligation for data holder to provide relevant account holders with consumer dashboard

(1) If a disclosure option applies or has applied to the joint account, the data holder must ensure that each relevant account holder has an online service that:

(a) if a disclosure option applies to the account―can be used by the relevant account holders to manage approvals to disclose CDR data in response to consumer data requests under Part 4 of these rules for CDR in relation to the joint account; and

(b) contains the details referred to in paragraph 1.15(1)(b) of these rules that relate to requests for CDR data under Part 4 of these rules in relation to the joint account; and

(c) if a disclosure option applies to the account―has the functionality referred to in paragraph 1.15(1)(c) of these rules, as if:

(i) references in that paragraph to authorisations were instead references to approvals; and

(ii) references in that paragraph to withdrawals were instead references to removals.

Note: This subclause is a civil penalty provision (see rule 9.8).

(2) Such a service is the data holder’s consumer dashboard for the relevant account holder.

(3) A data holder does not contravene subrule (1) in relation to subparagraphs 1.15(1)(c)(ii) and (iii) of these rules as referenced by paragraph (1)(c) so long as it takes reasonable steps to ensure that the functionality complies with those subparagraphs.

Exception in the case of physical or financial harm or abuse

(4) Despite this clause and clause 4.15 of this Schedule, the data holder may decline:

(a) to provide a relevant account holder with a consumer dashboard; or

(b) if a relevant account holder already has a consumer dashboard―to reflect details of the request relating to the joint account in their dashboard;

if it considers it necessary to do either in order to prevent physical or financial harm or abuse.

4.15 Consumer dashboard for the requester

For paragraph 1.15(1)(d) of these rules, if a relevant account holder’s consumer dashboard contains details of approvals under clause 4.14 of this Schedule, the dashboards of the other joint account holders must contain those details.

4.16 Notification requirements for consumer data requests on joint accounts

(1) If the requester gives, amends or withdraws an authorisation, or if an authorisation expires, the data holder must:

(a) as soon as practicable, notify each relevant account holder through its ordinary means of contacting them; and

(b) if:

(i) the requester is a secondary user of the joint account; and

(ii) no disclosure option applies to the joint account;

ask the relevant account holders to indicate which disclosure option they would like to apply to the account:

(iii) through the joint account management service; and

(iv) in accordance with the data standards; and

(i) the nature of the amendment; and

(ii) how they can remove an approval to prevent further CDR data relating to the joint account being disclosed under these rules.

Note: This subclause is a civil penalty provision (see rule 9.8).

(2) If a relevant account holder:

(a) using their consumer dashboard, gives or removes an approval; or

(b) does not provide an approval within the time frame referred to in paragraph 4.11(2)(e) of this Schedule;

the data holder must notify the requester and any other relevant account holder through its ordinary means of contacting them.

Note: This subclause is a civil penalty provision (see rule 9.8).

(3) However, a notification to a particular account holder under this clause is not required if the data holder considers it necessary to avoid notifying that account holder in order to prevent physical or financial harm or abuse.

93 Clause 6.1 of Schedule 3

Repeal the following definitions:

(a) definition of brand request;

(b) definition of non‑brand request;

94 Clause 6.2 of Schedule 3 (heading)

Omit “voluntarily participating ADI,”.

95 Clause 6.2 of Schedule 3 (table heading)

Omit “voluntarily participating ADI,”.

96 Clause 6.2 of Schedule 3 (table item 3)

Repeal the table item.

97 Clause 6.2 of Schedule 3 (table item 4, paragraph (b) of column 2)

Repeal the paragraph.

98 Clause 6.3 of Schedule 3

Repeal the clause.

99 Paragraph 6.4(1)(a) of Schedule 3

Repeal the paragraph, substitute:

(a) a product data request or a consumer data request is made to a data holder of a kind referred to in column 1 of the commencement table; and

100 Paragraph 6.4(1)(c) of Schedule 3

Omit “columns 3 to 9”, substitute “the other columns”.

101 Clause 6.5 of Schedule 3

Repeal the clause, substitute:

6.5 Authorisation to disclose CDR data before required to do so

(1) This clause applies if:

(a) a request for disclosure of CDR data has been made in accordance with Part 2, Part 3 or Part 4 of these rules (the relevant data request Part); and

(b) the requested CDR data is any of the following:

(i) required product data;

(ii) voluntary product data;

(iii) required consumer data;

(iv) voluntary consumer data; and

(2) For these rules, the data holder may disclose any or all of the pre‑application CDR data in response to the request in accordance with the relevant data request Part.

(3) In this clause, pre-application CDR data means CDR data that, but for the operation of this Part, the data holder would be required or authorised by the relevant data request Part to disclose in response to the request.

102 Clause 6.6 of Schedule 3

Repeal the clause, substitute:

6.6 Commencement table

(1) For this Part, the commencement table is:

Data holder	Data sharing obligations	Start date to 31 Jan 2021	1 Feb 2021 to 28 Feb 2021	1 Mar 2021 to 30 Jun 2021	1 Jul 2021 to 31 Oct 2021	1 Nov 2021 to 31 Jan 2022	1 Feb 2022 onward
Initial data holders (NAB, CBA, ANZ, Westpac branded products)	Part 2	All product phases	All product phases	All product phases	All product phases	All product phases	All product phases
	Part 3	-	-	-	-	All product phases	All product phases
	Part 4	Phase 1 Phase 2	All product phases	All product phases	All product phases	All product phases	All product phases
Any other relevant ADI and initial data holders for non-primary brands	Part 2	Phase 1	Phase 1 Phase 2	Phase 1 Phase 2	All product phases	All product phases	All product phases
	Part 3	-	-	-	-	All product phases	All product phases
	Part 4	-	-	-	Phase 1 (see sc 6.4(3))	Phase 1 Phase 2	All product phases
Accredited ADI and accredited non-ADI (reciprocal data holder)	Part 2	All product phases	All product phases	All product phases	All product phases	All product phases	All product phases
	Part 3	-	-	-	-	All product phases	All product phases
	Part 4	-	-	Phase 1 (see sc 6.4(3))	All product phases	All product phases	All product phases

Note: Part 2 of these rules deals with product reference data. Part 3 of these rules deals with consumer data requests made by eligible CDR consumers. Part 4 of these rules deals with consumer data requests made by accredited persons.

(2) For this clause, the start date is the day the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020 commenced.

103 At the end of Part 6 of Schedule 3

Add:

6.7 Application of certain rules

(1) In this clause, the affected provisions are provisions of these rules that impose obligations on data holders in relation to:

(a) CDR consumers that are not individuals; or

(b) partnerships; or

(d) secondary users.

(2) The affected provisions apply in relation to initial data holders in respect of NAB, CBA, ANZ, Westpac branded products on and from 1 November 2021.

(3) Otherwise, the affected provisions apply in relation to data holders on and from 1 November 2022.

104 Paragraph 7.2(3)(a) of Schedule 3

Repeal the paragraph.

105 Transitional provisions

Consents

(1) An existing consent continues in effect and, to the extent that it is a collection consent, a use consent or a disclosure consent within a category of consents in accordance with rule 1.10A of the rules, is taken to be a valid consent of that kind.

Authorisations

(2) An existing authorisation continues in effect.

Elections relating to de-identification of data

(3) An existing de-identification election continues in effect.

Compliance with Part 4 of Schedule 3

(4) A particular data holder is taken to comply with the current Part 4 of Schedule 3 if the data holder:

(a) either:

(i) was required, before the amendment date, to comply with the former Part 4 of Schedule 3; or

(ii) is an accredited person; and

(b) between the amendment date and 31 October 2021, complies with the former Part 4 of Schedule 3 (as varied to the extent reasonably necessary so that it operates in accordance with these rules as amended by the amendment instrument) instead of the current Part 4 of Schedule 3.

Part 4 elections

(5) Where the joint account holders of a joint account made a joint election for the purposes of paragraph 4.2(1)(a) of the former Part 4 of Schedule 3, that election is taken, for the purposes of paragraph 4.5(1)(a) of the current Part 4 of Schedule 3, to be an indication that the joint account holders would like the pre-approval option to apply to the account.

(6) Subitem (5) applies in relation to an election that was made:

(a) before the amendment date; or

(b) in relation to a data holder relying on subitem (4)—while it was so relying.

(7) In this item:

amendment date means the day Schedule 1 to the amendment instrument commenced.

amendment instrument means the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020.

current Part 4 of Schedule 3 means Part 4 of Schedule 3 to the rules as in force on and from the amendment date.

existing authorisation means an authorisation that:

(a) was given under the rules before the amendment date; and

(b) immediately before the amendment date, was still current.

existing consent means a consent by a CDR consumer for an accredited person to collect and use the CDR consumer’s CDR data that:

(a) was made under the rules before the amendment date; and

(b) immediately before the amendment date, was still current.

existing de-identification election means an election to delete redundant data that:

(a) was given under rule 4.16 of the rules before the amendment date; and

(b) immediately before the amendment date, was still current.

former Part 4 of Schedule 3 means Part 4 of Schedule 3 to the rules as in force immediately before the amendment date.

rules means the Competition and Consumer (Consumer Data Right) Rules 2020.