Commonwealth of Australia Crest

 

Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2021

I, Jane Hume, Minister for Superannuation, Financial Services and the Digital Economy, make the following rules.

Dated 12 November 2021   

Jane Hume

Minister for Superannuation, Financial Services and the Digital Economy

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Contents

1  Name...................................................2

2  Commencement............................................2

3  Authority................................................2

4  Schedules................................................2

Schedule 1—Amendments relating to P2P data access 3

Schedule 2—Amendments relating to the energy sector 8

Schedule 3—Miscellaneous amendments 32

 

 

 

1  Name 

  This instrument is the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2021.

2  Commencement

 (1) Each provision of this instrument specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.

 

Commencement information

Column 1

Column 2

Column 3

Provisions

Commencement

Date/Details

The whole of this instrument

The day after this instrument is registered

 

Note: This table relates only to the provisions of this instrument as originally made. It will not be amended to deal with any later amendments of this instrument.

 (2) Any information in column 3 of the table is not part of this instrument. Information may be inserted in this column, or information in it may be edited, in any published version of this instrument.

3  Authority

  This instrument is made under section 56BA of the Competition and Consumer Act 2010.

4  Schedules

  Each instrument that is specified in a Schedule to this instrument is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this instrument has effect according to its terms.

 

Schedule 1—Amendments relating to P2P data access

Competition and Consumer (Consumer Data Right) Rules 2020

1  Rule 1.7

Insert the following definitions in the appropriate alphabetical positions:

primary data holder, in relation to SR data and a particular designated sector, means the data holder specified in the sector Schedule as the primary data holder for the SR data.

secondary data holder, in relation to SR data and a particular designated sector, means the data holder specified in the sector Schedule as the secondary data holder for the SR data.

SR data (for shared responsibility data), in relation to a CDR consumer and a particular designated sector, has the meaning set out in the relevant sector Schedule.

Note: Where CDR data for which there is a CDR consumer in a designated sector is held by one data holder, but it would be more practical for consumer data requests for the data to be directed to, and actioned by, a different data holder with which the CDR consumer has a relationship, such CDR data may be specified as SR data in the sector Schedule.  Parts 3 and 4 then apply with the modifications set out in Division 1.5.

SR data request (for shared responsibility data request) means a consumer data request for CDR data that is, or that includes, SR data of the CDR consumer.

 

2  Rule 1.18, note

Substitute:

Note: The CDR data deletion process is to be followed whenever these rules require a person to delete CDR data.

3  After rule 1.18

Insert:

Division 1.5—Application of rules in relation to SR data

Note: The effect of this Division is that, from the point of view of a CDR consumer or an accredited person, the primary data holder for SR data is treated as if it were the relevant data holder:  consumer data requests for the SR data are made to it; authorisations for disclosure are made to it; it is the entity that discloses or refuses to disclose the requested data; any complaints are made to it; it keeps the records that the CDR consumer can request under rule 9.5

1.19  Eligible CDR consumers in relation to secondary data holders

  If a CDR consumer is eligible to make or initiate a consumer data request to a primary data holder for SR data, the CDR consumer is not also eligible to make or initiate a consumer data request for that data to the secondary data holder.

Note: As a result of this rule, a secondary data holder that only holds SR data is not required to provide request services under rule 1.13; however, it will be required to provide a service under subrule 1.20(2).

1.20 Consumer data request service—primary data holders and secondary data holders

Primary data holders

 (1) Rule 1.13 (consumer data request service) applies in relation to a data holder for CDR data as if it were also a data holder for any SR data for which it is the primary data holder.

Secondary data holders

 (2) A secondary data holder in relation to SR data must provide an online service that:

 (a) can be used by the primary data holder to request from the secondary data holder any SR data needed to respond to an SR data request; and

 (b) enables the requested data to be disclosed to the primary data holder in machinereadable form; and

 (c) conforms with the data standards.

Note: This subrule is a civil penalty provision (see rule 9.8).

1.21  Consumer dashboard—SR data request

  Rule 1.15 (provision of dashboard) applies in relation to an SR data request as if the primary data holder were the data holder for the requested SR data.

1.22  SR data request by a CDR consumer

Note: This rule relates to Division 3.2.

 (1) This rule applies where a CDR consumer proposes to make an SR data request.

 (2) The request must be made to the primary data holder, using the primary data holder’s direct request service.

Dealing with the request

 (3) The primary data holder must, using the service mentioned in subrule 1.20(2) in accordance with the data standards, request the secondary data holder to disclose any SR data that the primary data holder needs in order to respond to the SR data request.

Note: This rule is a civil penalty provision (see rule 9.8).

 (4) If the secondary data holder chooses to disclose the SR data requested to the primary data holder, it must do so in accordance with any relevant data standards.

Note: This rule is a civil penalty provision (see rule 9.8).

 (5) If the secondary data holder chooses not to disclose the SR data requested to the primary data holder, it must notify the primary data holder of its refusal.

Note: This rule is a civil penalty provision (see rule 9.8).

Responding to the request

 (6) Rule 3.4 (disclosing consumer data in response to a consumer data request) and rule 3.5 (refusal to disclose) apply as if the primary data holder were the data holder for any SR data covered by the SR data request.

 (7) Subrule 3.4(3) does not apply in relation to SR data that the secondary data holder has refused to disclose to the primary data holder.

1.23  SR data request by an accredited person

Note: This rule relates to Subdivisions 4.2.2, 4.2.3 and 4.3.2 and Division 4.4.

 (1) This rule applies where an accredited person proposes to make an SR data request on behalf of a CDR consumer.

Making the request

 (2) The request must be made to the primary data holder, using the primary data holder’s accredited person request service.

Dealing with the request

 (3) Rule 4.5 (asking CDR consumer for authorisation to disclose CDR data) applies as if the primary data holder were the data holder for any SR data covered by the SR data request.

 (4) If the CDR consumer authorises disclosure of requested data, the primary data holder must, using the service mentioned in subrule 1.20(2) and in accordance with the data standards, request the secondary data holder to disclose any SR data that the primary data holder needs in order to respond to the SR data request.

Note: This rule is a civil penalty provision (see rule 9.8).

 (5) If the secondary data holder chooses to disclose the SR data requested to the primary data holder, it must do so in accordance with any relevant data standards.

Note: This rule is a civil penalty provision (see rule 9.8).

 (6) If the secondary data holder chooses not to disclose the SR data requested to the primary data holder, it must notify the primary data holder of its refusal.

Note: This rule is a civil penalty provision (see rule 9.8).

Responding to the request

 (7) Subject to subrule (8), rule 4.6 (disclosing consumer data in response to a consumer data request) applies as if the primary data holder were the data holder for any SR data covered by the SR data request.

 (8) Subrule 4.6(4) does not apply in relation to SR data that the secondary data holder has refused to disclose to the primary data holder.

 (9) Rule 4.7 (refusal to disclose) applies as if the primary data holder were the data holder for any SR data covered by the SR data request.

Notification of withdrawal of consent

 (10) Rule 4.13 (withdrawal of consent) applies as if the primary data holder were the data holder for any SR data covered by the SR data request.

Dealing with authorisations

 (11) Division 4.4 (authorisations to disclose CDR data) applies as if:

 (a) a reference to the data holder were a reference to the primary data holder; and

 (b) the following subrule were added after subrule 4.25(2) (withdrawal of authorisation by CDR consumer):

 “(2) For paragraph (2)(a), giving effect to withdrawal includes cancelling any current requests to the secondary data holder by the primary data holder under subrule 1.23(4).”.

1.24  SR data disclosed to primary data holder not to be used for other purposes

 (1) A primary data holder must not use the service mentioned in subrule 1.20(2) other than to request SR data that it needs to respond to an SR data request.

 (2) Where a secondary data holder provides SR data to a primary data holder in response to such a request:

 (a) the primary data holder must not use or disclose the SR data for a purpose other than responding to the SR data request; and

 (b) once the primary data holder has responded to the SR data request, it must delete any of the SR data that it holds in accordance with the CDR data deletion process.

Note : See rule 1.18 for the definition of “CDR data deletion process”. 

1.25  Dealing with unsolicited SR data

  If a primary data holder:

 (a) collects SR data from a secondary data holder:

 (i) purportedly under these rules; but

 (ii) not as the result of seeking to collect that SR data under these rules; and

 (b) is not required to retain that SR data by or under an Australian law or a court/tribunal order;

  the primary data holder must destroy the SR data as soon as practicable.

Note: This rule is a civil penalty provision (see rule 9.8).

1.26  Dispute resolution—primary data holders and secondary data holders

  Where a primary data holder requests relevant information from a secondary data holder in relation to a consumer complaint or dispute with the primary data holder that relates to an SR data request, the secondary data holder must provide the information to the extent that it is reasonable to do so.

4  Paragraph 8.11(1)(a)

Add at the end:

  ; and

 (iii) making and responding to requests by the primary data holder for SR data under rules 1.22 and 1.23;

5  After paragraph 9.3(1)(c)

Insert:

 (ca) where the data holder is a primary data holder—any requests for SR data made under subrule 1.23(4) and responses received under subrule 1.23(5) or (6);

 (cb) where the data holder is a secondary data holder:

 (i) any requests for SR data received under subrule 1.22(3) or 1.23(4) and responses given under subrule 1.22(4) or (5) or 1.23(5) or (6); and

 (ii) where the data holder has refused to disclose requested SR data—the reasons relied upon to refuse to disclose the SR data, including any rule or data standard;

6  After subrule 9.4(1)

Insert:

Reports that must be prepared—secondary data holder

 (1A) A secondary data holder must prepare a report for each reporting period that:

 (a) is in the form approved by the Commission for the purposes of this rule; and

 (b) sets out the number (if any) of requests for SR data under subrule 1.22(3) or 1.23(4) received by the data holder from the primary data holder during the reporting period; and

 (c) sets out:

 (i) the number of times the data holder has refused to disclose SR data; and

 (ii) the reasons for the refusals to disclose that data, including any rule or data standard relied upon; and

 (iii) the number of times the data holder has relied on each of those reasons for refusal.

  Civil penalty:

 (a) for an individual―$50,000; and

 (b) for a body corporate―$250,000.

 

Schedule 2—Amendments relating to the energy sector

Competition and Consumer (Consumer Data Right) Rules 2020

 

1  Rule 1.4, last 2 boxed paragraphs

Substitute:

When consumers are eligible to make requests

A consumer data request can only be made in relation to certain classes of product and consumer CDR data.  These are specified in Schedules to these rules that relate to different designated sectors. The relevant Schedule will also set out:

   the circumstances in which a CDR consumer will be eligible to make or initiate a consumer data request for CDR data in that sector; and

  the CDR data that must be disclosed by the data holder in response to a valid request and the CDR data that may be, but is not required to be, disclosed by the data holder.

Schedule 3 relates to the banking sector. Initially, these rules will apply only in relation to certain products that are offered by certain data holders within the banking sector. These rules will then apply to a progressively broader range of data holders and products.

Schedule 4 relates to the energy sector. In this sector, the product data that can be requested is data that is required by law to be passed to either the AER or the Victorian agency; product data requests are therefore made to those agencies as data holders.  In addition, some of the relevant consumer data is in practice collected and held by AEMO, which does not have a direct relationship with consumers.  Responsibility for dealing with a consumer data request for this data made by or on behalf of a customer of a retailer is therefore shared between AEMO and the retailer.

These rules also deal with a range of ancillary and related matters.

2  Subrules 1.6(2), (3) and (4)

Substitute:

 (2) Part 2 of these rules deals with product data requests, and should be read in conjunction with the relevant sector Schedule.

 (3) Part 3 of these rules deals with consumer data requests that are made by CDR consumers, and should be read in conjunction with the relevant sector Schedule. Only CDR consumers who are eligible to do so may make such requests. The eligibility criteria for each sector are set out in the relevant sector Schedule.

 (4) Part 4 of these rules deals with consumer data requests that involve accredited persons, and should be read in conjunction with the relevant sector Schedule.

3  Subrule 1.6(12)

Omit  all words from and including “It is intended” to the end.

4  Rule 1.6

Add at the end:

 (13) Schedule 4 to these rules contains details that are relevant to the energy sector. Schedule 4:

 (a) sets out the specific CDR data in respect of which requests under these rules may be made; and

 (b) sets out the circumstances in which CDR consumers are eligible in relation to requests for energy sector CDR data that relates to themselves; and

 (c) sets out some modifications of the general rules that apply in the energy sector because certain types of data are collected or held by agencies specified in its designation instrument rather than the retailers with which the CDR consumers have accounts; and

 (d) deals with the progressive application of these rules to the energy sector.

  It is intended that these rules will be amended at a later time to deal with additional sectors of the economy.

5  Rule 1.7, note 1 after the heading

Insert in the appropriate alphabetical position:

 Australian Energy Regulator;

6  Rule 1.7

Insert the following definition in the appropriate alphabetical position:

sector Schedule means a Schedule to these rules that deals with a particular designated sector.

7  Rule 1.7, definition of law relevant to the management of CDR data, paragraph (f)

Substitute:

 (f) in relation to a particular designated sector—any law that is specified for the purposes of this paragraph in a sector Schedule.

8  Rule 1.7, definition of law relevant to the management of CDR data, note

Substitute:

Note: In relation to paragraph (f):

9  Rule 1.7, definition of meet the internal dispute resolution requirements

Substitute:

meet the internal dispute resolution requirements, in relation to a particular designated sector, has the meaning set out in the relevant sector Schedule.

Note: For the meaning of the term:

10  Rule 1.7, definition of required consumer data

Substitute:

required consumer data, in relation to a particular designated sector, has the meaning set out in the relevant sector Schedule.

Note: For the meaning of the term:

11  Rule 1.7, definition of required product data

Substitute:

required product data, in relation to a particular designated sector, has the meaning set out in the relevant sector Schedule.

Note: For the meaning of the term:

12  Rule 1.7, definition of voluntary  consumer data

Substitute:

voluntary consumer data, in relation to a particular designated sector, has the meaning set out in the relevant sector Schedule.

Note: For the meaning of the term:

13  Rule 1.7, definition of voluntary product data

Substitute:

voluntary product data, in relation to a particular designated sector, has the meaning set out in the relevant sector Schedule.

Note: For the meaning of the term:

14  Subrule 1.7(3), note

Substitute:

Note: These rules will progressively apply to a broader range of data holders:

15  Subrule 1.12(1)

At the end, add:

Note 3:  For the energy sector, this rule is modified by clause 4.2 of Schedule 4.

 

16  Subparagraph 1.13(1)(e)(ii)

Omit “revoke”, substitute “withdraw”.

17  Subrule 1.15(1)

After “the data holder must” insert “, in the circumstances specified in a sector Schedule,”.

18  Subrule 1.15(1)

At the end, add:

Note 2: The circumstances are specified in the following provisions of the sector Schedules:

19  Rule 2.1, second boxed paragraph

Substitute:

A product data request may be for required product data, voluntary product data, or both. The content of these terms is different in different designated sectors:  Schedule 3 provides the content for the banking sector;  Schedule 4 provides the content for the energy sector.

20  Subrule 2.3(1)

Substitute:

 (1) A person may:

 (a) using the data holder’s product data request service; and

 (b) in accordance with the data standards;

  request a data holder to disclose some or all of the required product data or voluntary product data that it holds.

Note: In the banking sector, these rules will progressively permit product data requests to be made to a broader range of data holders, and in relation to a broader range of CDR data, according to the timetable set out in Part 6 of Schedule 3.

 In the energy sector, the AER and the Victorian agency are designated data holders for all the relevant product data under the designation instrument.

21  Subrule 2.4(2), note

Substitute:

Note: See rule 1.7 for the meaning of “voluntary product data”.  See also:

22  Subrule 2.4(3), note 1

Substitute:

Note 1: See rule 1.7 for the meaning of “required product data”.  See also:

23  Subrule 3.3(1), note

Substitute:

Note: In the banking sector, these rules will progressively permit consumer data requests to be made to a broader range of data holders, and in relation to a broader range of CDR data, according to the timetable set out in Part 6 of Schedule 3.

24  Subrule 3.4(2), note

Substitute:

Note: See rule 1.7 for the meaning of “voluntary consumer data”.  See also:

25  Subrule 3.4(3), note 1

Substitute:

Note 1: See rule 1.7 for the meaning of “required consumer data”.  See also:

26  Subrule 4.5(2), note 1

Substitute:

Note 1: See rule 1.7 for the meaning of “voluntary consumer data”.  See also:

27  Subrule 4.5(3), note 1

Substitute:

Note 1:  See rule 1.7 for the meaning of “required consumer data”.  See also:

28  Subrule 4.6(2), note 1

Substitute:

Note 1: See rule 1.7 for the meaning of “voluntary consumer data”.  See also:

29  Subrule 4.6(4), note 1

Substitute:

Note 1:  See rule 1.7 for the meaning of “required consumer data”.  See also:

30  Subrule 5.4(1)

Add at the end:

  ; and

 (c) an authority specified for the purpose of this rule in a sector Schedule.

31  Paragraph 5.5(b)

Omit “Schedule to these rules”, substitute “sector Schedule”.

 

32  Subrule 5.12(1), note 1

Omit “Schedules to these rules”, substitute “sector Schedules”.

33  Subrule 5.12(1), note 4

Substitute:

Note 4: For paragraph (b), see rule 1.7 for the meaning of “meets the internal dispute resolution requirements”.  See also:

34  Table to subrule 5.17(1), item 5

Substitute:

5

the following are satisfied:

(a) the accredited person, at the time of the accreditation, satisfied a condition that is relevant to a designated sector and is specified for this item in the sector Schedule;

(b) the accredited person no longer satisfies the  condition;

 

may, in writing:

(a) suspend; or

(b) revoke;

the person’s accreditation, as appropriate.

 

35  Subrule 5.25(1)

Substitute:

 (1) The Accreditation Registrar must create and maintain, in association with the Register of Accredited Persons, a database that includes such information as the Accreditation Registrar considers is required in order for requests under these rules to be processed in accordance with these rules and the data standards, including:

 (a) a list of data holders; and

 (b) for each data holder, where relevant:

 (i) each brand name under which the data holder offers products in relation to which consumer data requests may be made under these rules; and

 (ii) a hyperlink to:

 (A) the relevant web site address of the data holder; and

 (B) the data holder’s CDR policy; and

 (C) if the data holder has a CDR policy for a brand name under which the data holder offers products in relation to which consumer data requests may be made under these rules―that policy; and

 (iii) the universal resource identifier for the data holder’s product data request service.

Note: For subparagraph (b)(i), for the banking sector, see Part 6 of Schedule 3 for the staged application of these rules.

36  Rule 6.1, note 1

Substitute:

Note 1: See rule 1.7 for the meaning of “meets the internal dispute resolution requirements”.  See also:

37  Rule 6.2, note 2

After “paragraph 5.12(1)(c).”, insert “See also clause 5.2 of Schedule 4.”.

38  Rule 7.15

At the end add:

Note 3: See also, in relation to the energy sector, clause 6.1 of Schedule 4.

39  After Schedule 3

Insert:

Schedule 4—Provisions relevant to the energy sector

Part 1—Preliminary

1.1  Simplified outline of this Schedule

This Schedule deals with how these rules apply in relation to the energy sector.

Some defined terms apply only in relation to the energy sector. These are defined in Part 1 of this Schedule.

Part 2 of this Schedule deals with eligible CDR consumers in relation to the energy sector.

Part 3 of this Schedule deals with CDR data that can or must be disclosed when product data requests and consumer data requests are made in relation to the energy sector.

Part 4 of this Schedule deals with the three agencies that have special functions in the energy sector. The AER and the Victorian agency hold product data and respond to product data requests. AEMO holds AEMO data.

AEMO data is specified as SR data for these rules, so that AEMO is the secondary data holder for this CDR data, and the relevant retailer is specified as the primary data holder.  Division 1.5 of these rules applies to an SR data request.

Part 5 of this Schedule deals with internal dispute resolution requirements in relation to the energy sector.

Part 6 of this Schedule deals with the correction of data in compliance with the privacy safeguards.

Part 7 of this Schedule deals with reporting and record keeping requirements of these rules that apply differently in relation to the energy sector.

Part 8 of this Schedule deals with the staged application of these rules to the energy sector. Over time, as set out in this Part, these rules will apply to a progressively broader range of data holders within the energy sector.

Part 9 of this Schedule deals with other provisions of these rules that apply differently in relation to the energy sector.

1.2  Interpretation

  In this Schedule:

AEMO means the Australian Energy Market Operator Limited (ACN 072 010 327).

AEMO data means:

 (a) in relation to a retailer:

 (i) NMI standing data; or

 (ii) metering data; or

 (iii) DER register data;

  that relates to an arrangement with the retailer; and

 (b) in relation to a customer—information covered by paragraph (a) that relates to the arrangement relevant to the customer.

Note: This is data for which AEMO is the designated data holder under the energy sector designation instrument.

AER means the Australian Energy Regulator

account data has the meaning given by clause 1.3 of this Schedule.

arrangement has the meaning given by subsection 5(1) of the energy sector designation instrument;

billing data has the meaning given by clause 1.3 of this Schedule.

customer has the meaning given by subsection 5(1) of the energy sector designation instrument;

customer data has the meaning given by clause 1.3 of this Schedule.

DER (for distributed energy resources), in relation to an account, means any energy resources that are covered by the arrangement for the account and registered on the DER Register.

DER Register means the DER Register maintained under the National Electricity Rules.

DER register data has the meaning given by clause 1.3 of this Schedule.

energy sector means the sector of the Australian economy that is designated by the energy sector designation instrument.

energy sector data means CDR data covered by the energy sector designation instrument.

energy sector designation instrument means the Consumer Data Right (Energy Sector) Designation 2020.

metering data has the meaning given by clause 1.3 of this Schedule.

National Energy Retail Law has the meaning given by the energy sector designation instrument. 

National Electricity Rules has the meaning given by the energy sector designation instrument.

National Electricity Law means the National Electricity Law set out in the Schedule to the National Electricity (South Australia) Act 1996 (SA).

National Electricity Market has the meaning given by the National Electricity Law. 

NMI standing data has the meaning given by clause 1.3 of this Schedule.

plan means a form of arrangement that is offered to, or has been supplied to, customers by a retailer.

product specific data has the meaning given by clause 1.3 of this Schedule.

retailer has the meaning given by clause 1.4 of this Schedule.

tailored tariff data has the meaning given by clause 1.3 of this Schedule.

Victorian agency means the Department of State administered by the Minister of Victoria administering the National Electricity (Victoria) Act 2005 (Vic).

Note: The relevant Victorian agency must be declared a participating entity under section 56AS of the Act.

1.3  Meaning of terms for types of data

  For this Schedule, a term listed in column 1 of the table has the meaning given by column 2.

 

Meaning of customer data, account data, billing data, metering data, NMI standing data, DER register data, product specific data and tailored tariff data

 

Column 1

Column 2

1

customer data, in relation to a particular person

(a) means information that identifies or is about the person; and

(b) includes:

 (i) the person’s name; and

 (ii) the person’s contact details, including their:

 (A) telephone number; and

 (B) email address; and

 (C) physical address; and

 (iii) any information that:

 (A) the person provided at the time of acquiring a particular product; and

 (B) relates to their eligibility to acquire that product; and

 (iv) if the person operates a business—the following:

 (A) the person’s business name;

 (B) the person’s ABN (within the meaning of the A New Tax System (Australian Business Number) Act 1999); and

(c)  if the person is an individual―does not include the person’s date of birth.

 

2

account data, in relation to a particular account

(a) means information that identifies or is about the operation of the account; and

(b) includes:

 (i) the account number, other than to the extent that an account number is masked (whether as required by law or in accordance with any applicable standard or industry practice); and

 (ii) the date the account was created; and

 (iii) the unique identifiers that represent the connection points associated with the account; and

 (iv) any payment schedule associated with the account (including payment method and  frequency of payments); and

 (v) any concessions, rebates or grants applied to the account; and

(c)  does not include information about whether the account is associated with a hardship program.

 

3

billing data, in relation to a particular account

means:

(a) information about a bill that has been issued in relation to the arrangement to which the account relates, including:

 (i) the account number; and

 (ii) the billing period; and

 (iii) the date the bill was issued; and

 (iv) the total amount payable; and

 (v) the tariffs and charges applicable; and

 (vi) details of consumption or estimated consumption of energy; and

(b) information about a payment or other transaction made in relation to the arrangement, including:

 (i) the nature of the transaction; and

 (ii) the date and time of the transaction; and

 (iii) the amount paid; and

 (iv) the payment method; and

(c) the account balance at any time.

 

4

metering data, in relation to a particular account

    means metering data, other than metering data for a type 7 metering installation, within the meaning given by the National Electricity Rules, that relates to the account.

 

5

NMI standing data, in relation to a particular account

     means NMI standing data, within the meaning given by the National Electricity Rules, that relates to a connection point associated with the account.

 

6

DER register data, in relation to a particular account

(a) means DER register information, within the meaning given by the National Electricity Rules, for DER that relate to the account; and

(b) includes:

 (i) the unique identifier for each connection point associated with the metering data that relates to the DER; and

 (ii) the approved small generating unit capacity as agreed with a network service provider in the connection agreement; and

 (iii) the number of phases available for the installation of DER; and

 (iv) the number of phases the DER are connected to; and

 (v) information identifying small generating units designed with the ability to operate in islanded mode; and

(c) excludes any personal information of third parties, including contractors and individuals who install or repair DER.

7

product specific data, in relation to a particular plan

(a) means information that identifies or describes the characteristics of the plan; and

(b) includes the following data about the plan:

 (i) its type (whether standing, market or regulated); and

 (ii) its name; and

 (iii) fuel the plan applies to; and

 (iv) the retailer brand offering the plan; and

 (v) the distribution zone that the plan is offered in; and

 (vi) the tariff type; and

 (vii) information about the pricing associated with the plan, including unit rates, metering charges, daily supply charges and fees; and

 (viii) features and benefits, including discounts, incentives and bundles.

 

 

8

tailored tariff data, in relation to a particular account

    means product specific information in relation to the plan that that applies to, and as tailored to, the arrangement to which the account relates.

 

 

1.4  Meaning of retailer

  For this Schedule, a data holder of energy sector data is a retailer if:

 (a) it retails electricity to connection points in the National Electricity Market; and

 (b) it is either:

 (i) the holder of a retailer authorisation issued under the National Energy Retail Law (as it applies in a State or Territory) in respect of the sale of electricity; or

 (ii) a retailer within the meaning of the Electricity Industry Act 2000 (Vic).

Part 2—Eligible CDR consumers—energy sector

2.1  Additional criteria for eligibility—energy sector

 (1) For subrules 1.10B(1) and (2), the additional criteria for a CDR consumer to be eligible, in relation to a retailer at a particular time, are that:

 (a) the CDR consumer is a customer of the retailer in relation to an eligible arrangement; and

 (b) the account relates to the arrangement; and

 (c) for an account that has been in existence for 12 months or more—the consumption associated with the account has been less than 5 GWh in the previous 12 months; and

 (d) for an account that has been in existence for less than 12 months— the estimated annual consumption for the account is less than 5 GWh.

 (2) For this clause, an eligible arrangement is an arrangement that relates to one or more connection points or child connection points for which there is a financially responsible market participant in the National Electricity Market.

2.2  Meaning of account privileges—energy sector

 (1) This clause is made for the purposes of the definition of account privileges in subrule 1.7(1) of these rules.

 (2) For the energy sector, a person has account privileges in relation to an account with a retailer if the person is a customer authorised representative of the account holder for the purposes of:

 (a) rule 56A of the National Energy Retail Rules; or

 (b) Chapter 10 of the National Electricity Rules. 

 

2.3  Consumer dashboard—application of rule 1.15

 (1) For subrule 1.15(1), if a retailer receives a consumer data request from an accredited person on behalf of a CDR consumer who has online access to the relevant account, the retailer must provide the CDR consumer with the consumer dashboard.

 (2) For subrule 1.15(1), if a retailer receives a consumer data request from an accredited person on behalf of a CDR consumer who does not have a consumer dashboard, the retailer must:

 (a) offer the CDR consumer a consumer dashboard; and

 (b) provide it if the CDR consumer accepts.

Part 3—CDR data that may be accessed under these rules—energy sector

3.1  Meaning of required product data and voluntary product data—energy sector

 (1) For these rules, required product data, in relation to the energy sector, means CDR data for which there are no CDR consumers that:

 (a) is within a class of information specified in section 9 or section 10 of the energy sector designation instrument; and

 (b) is about the eligibility criteria, terms and conditions, price, availability or performance of a plan; and

 (c) is product specific data in relation to a plan; and

   (d) is held by the AER or the Victorian agency for the purpose of operating websites that provide such information to the public.

Note 1: In 2021, the relevant websites were:

Note 2: This data derives from retailers, who are required by the National Energy Retail Law and the Electricity Industry Act 2000 (Vic)  to provide it to the AER or the Victorian agency.  Those agencies therefore become data holders for it.

Note 3: This clause does not include all CDR data covered by Section 9 of the energy sector designation instrument, as that section also covers CDR data for which there are CDR consumers (see paragraphs 9(2)(b) and 9(3)(b)).

 (2) For these rules, voluntary product data, in relation to a data holder in the energy  sector, means CDR data for which there are no CDR consumers that:

 (a) is energy sector data; and

 (b) is product specific data in relation to a plan offered by or on behalf of the data holder; and

 (c) is not required product data.

3.2  Meaning of required consumer data and voluntary consumer data—energy sector

 (1) For this clause:

relevant account, in relation to a CDR consumer, means an account for which the CDR consumer is an account holder or secondary user and is:

 (a) an account held by the CDR consumer in their name alone; or

 (b) a joint account; or

 (c) a partnership account.

 (2) For these rules, subject to this clause, required consumer data, in relation to the energy sector, means CDR data for which there is at least one CDR consumer that:

 (a) is energy sector data; and

 (b) is, in relation to the CDR consumer:

 (i) customer data that is held in relation to a relevant account; or

 (ii) account data for a relevant account that is open; or

 (iii) billing data from a relevant account for a time:

 (A) at which that or another relevant account was open; and

 (B) that is not more than 2 years before the day of the request; or

 (iv) AEMO data in relation to a relevant account; or

 (v) tailored tariff data for a relevant account that is open; and

 (c) relates to a time at which an account holder for the relevant account was associated with the premises to which the request relates; and

 (d) is held by the data holder or holders in a digital form.

Note 1: For subparagraph (b)(v), for a consumer data request, tailored tariff data could include the following:

 any rates or charges under the plan that were negotiated individually with a CDR consumer;

 any features and benefits negotiated individually with a CDR consumer.

Note 2: So long as the CDR consumer is eligible to make a consumer data request in relation to a particular data holder, they will be able to make or cause to be made a consumer data request that relates to any account they have with the data holder, including closed accounts (subject to subclauses (4) and (5)).

Note 3: A person is not a data holder of CDR data that was held by or on behalf of them before the earliest holding day (see paragraph 56AJ(1)(b) of the Act). Accordingly, such data cannot be requested under these rules.

 (3) For these rules, subject to this clause, voluntary consumer data, in relation to the energy sector, means CDR data for which there are one or more CDR consumers that:

 (a) is energy sector data; and

 (b) relates to a time at which an account holder for the account was associated with the premises to which the request relates; and

 (c) is not required consumer data.

 (4) For this clause:

 (a) CDR data is neither required consumer data nor voluntary consumer data at a particular time if the data is:

 (i) account data, billing data or tailored tariff data in relation to an account that is not any of the following:

 (A) an account held in the name of a single person;

 (B) a joint account;

 (C) a partnership account; or

 (ii) account data, billing data or tailored tariff data in relation to a joint account or partnership account for which any of the individuals who are account holders is less than 18 years of age at that time; or

 (iii) AEMO data in relation to any such account; and

 (b) CDR data is neither required consumer data nor voluntary consumer data in relation to a consumer data request made by or on behalf of a particular person if the data is:

 (i) customer data in relation to any account holder or secondary user other than that person; or

 (ii) AEMO data in relation to premises other than premises covered by the relevant arrangement at the time to which the data relates.

 (5) For this clause, energy sector data is neither required consumer data nor voluntary consumer data in relation to a data holder that is not a retailer or AEMO.

Note: The effect of this provision is that an accredited person who becomes a data holder in relation to energy sector CDR data by the operation of subsection 56AJ(3) of the Act is not required to respond to a consumer data request for the data.

Exception to required consumer data―open accounts

 (6) Despite subclause (2), for an account that is open at a particular time, CDR data that relates to a transaction or event that occurred more than 2 years before that time is not required consumer data.

Note: As a result, such CDR data would be voluntary consumer data.

Exception to required consumer data―closed accounts

 (7) Despite subclause (2), for an account that is closed at a particular time, each of the following is not required consumer data:

 (a) CDR data held by AEMO, other than metering data;

 (b) CDR data held by a retailer, other than billing data; and

 (c) CDR data that is not excluded by paragraph (a) or (b), but relates to a transaction or event that occurred more than 2 years before that time.

Part 4—Roles of AEMO and the energy sector agencies

4.1  AER and the Victorian agency may act on each other’s behalf

 (1) Where these rules require or permit one of the energy sector agencies to do any thing in relation to receiving or responding to product data requests (including the provision of a product data request service), the other agency may, at the first agency’s request, do the thing on behalf of the first agency.

 (2) For this clause, the energy sector agencies are the AER and the Victorian agency.

4.2  Product data request service

 (1) Despite rule 1.12, a data holder of energy sector data, other than the AER and the Victorian agency, is not required to provide a product data request service.

 (2) However, if such a data holder chooses to provide an online service that can be used to make product data requests, the service must comply with rule 1.12.

4.3  Meaning of SR data and primary data holder—energy sector

  For these rules:

 (a) SR data, in relation to the energy sector, means AEMO data in relation to a CDR consumer; and

 (b) the primary data holder for the SR data is the relevant retailer.

Note: Paragraph (a) also makes AEMO the secondary data holder for the SR data.

4.4  SR data must be obtained from AEMO

  On receiving an SR data request under Part 3 or Part 4 of these rules, a retailer must request from AEMO, using the service mentioned in subrule 1.20(2), any SR data to be used in responding to the request 

Note: AEMO is the secondary data holder for the SR data.  This provision requires a retailer that happens to be the direct holder of any AEMO data that is subject to a consumer data request to ignore its data holding in responding to the request, and obtain the data from AEMO for that purpose.

4.5  Civil penalties do not apply

  A civil penalty imposed by these rules for a breach of a provision of these rules, including one imposed by rule 9.8 by declaring the relevant provision to be a civil penalty provision, does not apply in relation to AEMO, the AER or the Victorian agency in relation to energy sector data.

Part 5—Dispute resolution―energy sector

Note: See the definition of “meets the internal dispute resolution requirements” in subrule 1.7(1), paragraph 5.12(b) of these rules, and rule 6.1.

5.1  Meeting internal dispute resolution requirements—energy sector

Accredited persons

 (1) For the energy sector, an accredited person, other than an accredited person that is also a retailer, meets the internal dispute resolution requirements if its internal dispute resolution processes comply with provisions of Regulatory Guide 271 that deal with the following:

 (a) standards that its internal dispute resolution procedures or processes must meet regarding the following:

 (i) commitment and culture;

 (ii) the enabling of complaints;

 (iii) resourcing;

 (iv) responsiveness;

 (v) objectivity and fairness;

 (vi) policy and procedures;

 (vii) data collection, analysis and internal reporting;

 (viii) continuous improvement;

 (b) outsourcing internal dispute resolution processes;

 (c) acknowledgement of complaint;

 (d) what an internal dispute resolution response must contain;

 (e) maximum timeframes for an internal dispute resolution response;

 (f) internal dispute resolution response requirements for multi-tier internal dispute resolution processes;

 (g) the role of customer advocates;

 (h) establishing links between internal dispute resolution processes and external dispute resolution;

 (i) systemic issues.

Data holders

 (2) For the energy sector, a retailer (including a retailer that is also an accredited person) meets the internal dispute resolution requirements if its internal dispute resolution processes satisfy the applicable requirements for the retailer’s standard complaints and dispute resolution procedures under the National Energy Retail Law or the Energy Retail Code (Victoria).

 (3) Part 6 does not apply in relation to the AER, the Victorian agency or AEMO, in their capacity as data holders in the energy sector.

Definition

 (4) In this clause:

Regulatory Guide 271 means Regulatory Guide 271 published by the Australian Securities & Investments Commission, as in force from time to time and applied as if:

 (a) references to complaints were references to CDR consumer complaints; and

 (b) references to financial firms and financial service providers were references to CDR participants.

Note: Regulatory Guide 271 could in 2021 be accessed from the Australian Securities & Investments Commission’s website (https://asic.gov.au).

5.2  External dispute resolution requirements—energy sector

Note: The Australian Financial Complaints Authority and the energy and water ombudsman of each State and Territory are recognised as external dispute resolution schemes for section 56DA of the Act.

Accredited persons

 (1) For the purposes of paragraph 5.12(1)(c) of these rules, an accredited person, other than an accredited person to which subclause (3) applies, must be a member of the Australian Financial Complaints Authority in relation to CDR consumer complaints.

Data holders

 (2) For the purposes of rule 6.2 (Requirement for data holders—external dispute resolution), a retailer must, in each relevant jurisdiction:

 (a) if the jurisdiction has an energy and water ombudsman recognised in accordance with section 56DA of the Act—be a member of that ombudsman in relation to CDR consumer complaints; and

 (b) otherwise—take the necessary steps to participate in the dispute resolution process provided by the jurisdiction that is appropriate for CDR consumer complaints.

Certain accredited persons that are also retailers

 (3) For the purposes of paragraph 5.12(1)(c) of these rules, a retailer that:

 (a) is, or becomes, an accredited person; and

 (b) does not use any energy sector CDR data that it collects in order to provide services outside the energy sector;

  must, in each relevant jurisdiction:

 (c) if the jurisdiction has an energy and water ombudsman recognised in accordance with section 56DA of the Act—be a member of the that ombudsman in relation to CDR consumer complaints; and

 (d) otherwise—take the necessary steps to participate in the dispute resolution process provided by the jurisdiction that is appropriate for such CDR consumer complaints.

Part 6—Privacy safeguards―energy sector

6.1  Responding to correction request (rule 7.15)

 (1) This clause applies to a retailer that receives a request under subsection 56EP(1) or (2) of the Act that relates to AEMO data.

 (2) In relation to the AEMO data, rule 7.15 applies as if paragraphs (b) and (c) were replaced by the following:

 “ (b) as soon as practicable:

 (i) initiate the relevant correction procedures under the National Electricity Rules in relation to any NMI standing data or metering data for which correction is requested; and

 (ii) if the request relates to DER register data, provide the requester with information about how the requester can contact the distributor to have the data corrected.”.

Part 7—Reporting and record keeping―energy sector

7.1  Reporting requirements (rule 9.4)

  Rule 9.4 applies to AER and the Victorian agency as if subrule 9.4(1) were replaced by the following, referring to either as “the Agency”:

 “(1) The Agency must prepare a report for each reporting period that:

 (a) is in the form approved by the Commission for the purposes of this rule; and

 (b) sets out the number (if any) of product data requests received by the Agency during the reporting period; and

 (c) sets out:

 (i) the number of times the Agency refused to disclose CDR data; and

 (ii) the rule or data standard relied upon to refuse to disclose that data; and

 (iii) the number of times the Agency has relied on each of those rules or data standards as a ground of refusal.”.

Part 8—Staged application of these rules to the energy sector

8.1  Interpretation

  In this Part:

complex request means a consumer data request that:

 (a) is made on behalf of a large customer; or

 (b) is made on behalf of a secondary user; or

 (c) relates to a joint account or a partnership account.

initial retailer has the meaning given by clause 8.2.

large customer means a CDR consumer that is:

 (a) in relation to a retailer that is subject to the Electricity Industry Act 2000 (Vic)—a relevant customer for the purposes of that Act; or

 (b) otherwise—a large customer for the purposes of the National Energy Retail Law.

larger retailer has the meaning given by clause 8.3.

small retailer means a retailer that is not either an initial retailer or a larger retailer.

tranche 1 date means 15 November 2022.

tranche 1 (VA) date means a date specified by the Minister in a notifiable instrument made for the purposes of this definition.

tranche 2 date means 15 May 2023.

tranche 3 date means 1 November 2023.

tranche 4 date means 1 May 2024.

8.2  Meaning of initial retailer

  In this Schedule, initial retailer means any of the following:

The AGL Energy Group

 (a) AGL Sales (Queensland Electricity) Pty Limited – ABN 66 078 875 902;

 (b) AGL South Australia Pty Ltd - ABN 49 091 105 092;

 (c) AGL Sales Pty Limited - ABN 88 090 538 337;

The Origin Energy Group

 (d) Origin Energy Electricity Limited - ABN 33 071 052 287;

 (e) any other subsidiary of Origin Energy Limited authorised or licensed to sell electricity in the National Electricity Market;

The Energy Australia Group

 (f) EnergyAustralia Pty Ltd - ABN 99 086 014 968;

 (g) EnergyAustralia Yallourn Pty Ltd - ABN 47 065 325 224.

8.3  Meaning of larger retailer

 (1) For this Part:

 (a) a retailer that had 10,000 or more small customers on the amendment day is a larger retailer; and

 (b) a retailer that had 10,000 or more small customers at all times during a financial year that begins on or after the amendment day is also a larger retailer on and from the day 12 months after the end of that financial year.

 (2) For this clause:

 (a) a person is a small customer of a retailer if the person is:

 (i) a domestic or small business customer of the retailer within the meaning given in section 3 of the Electricity Industry Act 2000 (Vic); or

 (ii) a small customer of the retailer within the meaning of section 5 of the National Energy Retail Law; and

 (b) the amendment day is the day on which Schedule 1 to the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2021 commenced.

8.4  Product data requests under Part 2 of these rules

 (1) Part 2 of these rules (Part 2) does not apply in relation to energy sector data except as provided in this clause.

 (2) Part 2 applies to the AER on and from 1 October 2022.  

 (3) Part 2 applies to the Victorian agency on and from the tranche 1 (VA) date.  

8.5  Consumer data requests under Part 3 of these rules

  Part 3 of these rules does not apply in relation to energy sector data.

8.6  Consumer data requests under Part 4 of these rules

 (1) Part 4 of these rules (Part 4) does not apply in relation to energy sector data except as provided in this clause.

Tranche 1 — 15 November 2022

 (2) Part 4 applies in relation to an initial retailer, except in relation to a complex request, on and from the tranche 1 date.

 (3) Part 4 applies to AEMO on and from the tranche 1 date.

Tranche 2 — 15 May 2023

 (4) Part 4 applies in relation to an initial retailer in relation to a complex request on and from the tranche 2 date.

Tranche 3 — 1 November 2023

 (5) Part 4 applies to a larger retailer, except in relation to a complex request, on and from the later of the tranche 3 date and the date that it becomes a larger retailer.

Tranche 4 — 1 May 2024

 (6) Part 4 applies to a larger retailer in relation to a complex request on and from the later of the tranche 4 date and the date that it becomes a larger retailer.

Application of Part 4 to small retailers that are accredited persons

 (7) Part 4 applies to a small retailer that is an accredited person, except in relation to a complex request, on and from the later of:

 (a) the day 12 months after the tranche 1 date; and

 (b) the day 12 months after the day that it became an accredited person.

 (8) Part 4 applies to a small retailer that is an accredited person in relation to a complex request on and from the later of:

 (a) the day 18 months after the tranche 1 date; and

 (b) the day 18 months after the day that it became an accredited person.

Voluntary application of Part 4 to small retailers

 (9) A small retailer may notify the Commission that it wishes Part 4 to apply to it:

 (a) except in relation to a complex request—on and from a specified date that is no earlier than the tranche 1 date; and

 (b) in relation to a complex request—on and from a specified date that is no earlier than the tranche 2 date.

 (10) Subject to subclauses (7) and (8), Part 4 applies in relation to the small retailer, in accordance with the request, on and from the dates so specified.

8.7  Authorisation to disclose CDR data before being required to do so

 (1) This clause applies in relation to a request for disclosure of CDR data that has been made to a retailer in accordance with Part 2, Part 3 or Part 4 of these rules (the relevant data request Part) if:

 (a) the request was made on or after the tranche 1 day; and

 (b) the requested CDR data is any of the following:

 (i) required product data;

 (ii) voluntary product data;

 (iii) required consumer data;

 (iv) voluntary consumer data; and

 (c) the requested CDR data includes some preapplication CDR data.

 (2) For these rules, the retailer may disclose any or all of the preapplication CDR data in response to the request in accordance with the relevant data request Part.

 (3) In this clause, pre-application CDR data means CDR data that, but for the operation of this Part, the data holder would be required or authorised by the relevant data request Part to disclose in response to the request.

Part 9—Other rules, and modifications of these rules, for the energy sector

9.1  Laws relevant to the management of CDR data—energy sector

  For paragraph (f) of the definition of “law relevant to the management of CDR data” in rule 1.7 of these rules:

 (a) the National Electricity Law; and

 (b) the National Energy Retail Law; and

 (c) the Electricity Industry Act 2000 (Vic);

  are laws relevant to the management of CDR data in relation to the energy sector.

9.2  Conditions for accredited person to be data holder

 (1) For paragraph 56AJ(4)(c) of the Act, this clause sets out conditions for a person that has collected CDR data in accordance with a consumer data request under Part 4 of these rules to be a data holder (rather than an accredited data recipient) of that CDR data and any CDR data that it directly or indirectly derived from that CDR data (together, the relevant CDR data).

 (2) The conditions are that:

 (a) the person is a retailer; and

 (b) the CDR data is information covered by item 1, 3 or 5 of the table in section 12 of the of the energy sector designation instrument; and

Note: These are the types of information for which a retailer is designated as a data holder under the designation instrument.

 (c) the CDR consumer is a customer of the person; and

 (d) the person:

 (i) reasonably believes that the relevant CDR data is relevant to the arrangement with the CDR consumer; and

 (ii) has asked the CDR consumer to agree to the person being a data holder, rather than an accredited data recipient, of the relevant CDR data; and

 (iii) has explained to the CDR consumer:

 (A) that, as a result, the privacy safeguards, to the extent that they apply to an accredited data recipient of CDR data, would no longer apply to the person in relation to the relevant CDR data; and

 (B) the manner in which it proposes to treat the relevant CDR data; and

 (C) why it is entitled to provide the CDR consumer with this option; and

 (iv) has outlined the consequences, to the CDR consumer, of not agreeing to this; and

 (e) the CDR consumer has agreed to the person being a data holder, rather than an accredited data recipient, of the relevant CDR data.

Related modifications of these rules

 (3) If a person becomes a data holder, rather than an accredited data recipient, of CDR data as a result of subsection 56AJ(4) of the Act and this clause:

 (b) for paragraph 4.26(1)(h) of these rules, any authorisations to disclose CDR data in relation to the consumer data request expire; and

 (c) if the person’s accreditation has been surrendered or revoked, the following do not apply to the person in relation to that CDR data:

 (i) subrule 5.23(2);

 (ii) paragraph 5.23(3)(b).

9.3  Consultation by Data Recipient Accreditor (rule 5.4)

  For paragraph 5.4(1)(c), the AER and the Essential Services Commission of Victoria are specified as authorities that the Data Recipient Accreditor may consult with.

9.4  AEMO not to appear on Registrar’s database (rule 5.25)

  For the purposes of subrule 5.25(1), AEMO is not to be treated as a data holder.

Note: The function of the database to be maintained under subrule 5.25(1) is to provide information for the making of consumer data requests to data holders. Since requests for AEMO data will be made to the relevant retailer, the database will not require details relating to AEMO.

9.5  Grounds for revocation, suspension and surrender of accreditation—energy sector

  For item 5 of the table in rule 5.17:

 (a) the relevant condition is that the accredited person was, at the time of the accreditation, a retailer; and

 (b) the accredited person ceases to satisfy the condition if its authorisation or licence to sell electricity in the National Electricity Market has been suspended or revoked.

 

Schedule 3—Miscellaneous amendments

Competition and Consumer (Consumer Data Right) Rules 2020

1  Rule 1.7, definition of eligible

Substitute:

eligible, in relation to a particular designated sector, has the meaning given by rule 1.10B.

Note: See also:

2  Rule 1.7, definitions of secondary user and secondary user instruction

Substitute:

secondary user: a person is a secondary user for an account with a data holder in a particular designated sector if:

 (a) the person is an individual who is 18 years of age or older; and

 (b) the person has account privileges in relation to the account; and

 (c) the account holder or account holders:

 (i) are individuals each of whom is 18 years or older; and

 (ii) in accordance with the requrements for the account, have given the data holder an instruction to treat the person as a secondary user for the purposes of these rules.

secondary user instruction means an instruction given for the purposes of paragraph (c) of the definition of secondary user.

3  After rule 1.10A

Insert:

1.10B  Meaning of eligible

Note: Sector Schedules may add additional criteria for eligibility.  See also:

 (1) A CDR consumer is eligible, in relation to a particular data holder at a particular time, if, at that time:

 (a) the CDR consumer is either:

 (i) an individual who is 18 years of age or older; or

 (ii) a person who is not an individual; and

              (b) the CDR consumer is an account holder or a secondary user for an account with the data holder that is open; and

 (c) any additional criteria set by the relevant sector Schedule for this subrule are met.

       (2) A CDR consumer is also eligible, in relation to a particular data holder at a particular time, if, at that time:

 (a) the CDR consumer is a partner in a partnership for which there is a partnership account with the data holder; and

 (b) the account is open; and

 (c) any additional criteria set by the relevant sector Schedule for this subrule are met.

4  Subparagraph 1.13(1)(c)(i)

After “individuals” insert “18 years of age or older”.

5  Subparagraph 1.13(1)(d)(i)

After “individuals” insert “18 years of age or older”.

6  Subrule 3.3(3), note

Substitute:

Note:  See rule 1.7 for the meaning of “eligible”.  See also:

7  Paragraph 4.3C (1)(g)

Repeal.

8  Paragraph 4.3C (1)(h)

Renumber as “(g)”.

9  Paragraph 4.3C (1)(i)

Renumber as “(h)”.

10  Paragraph 4.3C (1)(ia)

Renumber as “(i)”.

11  Subrule 4.5(1), note

Substitute:

Note:  See rule 1.7 for the meaning of “eligible”.  See also:

12  Subrule 4.7(1)

Omit all words up to “request:”, substitute:

  Despite subrules 4.5(3), 4.6(4) and 4.22A(1), a data holder may refuse to ask for an authorisation in relation to the relevant CDR data, to invite a CDR consumer to amend the authorisation, or to disclose required consumer data in response to the request:

13  Subrule 4.7B(1), note

Substitute:

Note: See rule 1.7 for the meaning of “eligible”.  See also:

14  Rule 7.2

Substitute:

7.2  Rule relating to privacy safeguard 1—open and transparent management of CDR data

Policy about the management of CDR data

 (1) For paragraph 56ED(3)(b) of the Act, the Information Commissioner may approve a form for a CDR policy.

 (2) For paragraph 56ED(3)(b) of the Act, the CDR entity’s CDR policy must be in the form of a document that is distinct from any of the CDR entity’s privacy policies.

Additional information for CDR policy

 (3) In addition to the information referred to in subsection 56ED(4) of the Act, the data holder’s CDR policy must indicate:

 (a) whether it accepts requests for:

 (i) voluntary product data; or

 (ii) voluntary consumer data; and

 (b) if so:

 (i) whether it charges fees for disclosure of such data; and

 (ii) if it does―how information about those fees can be obtained.

 (4) In addition to the information referred to in subsection 56ED(5) of the Act, the CDR policy of an accredited person who is or who may become an accredited data recipient of CDR data must include the following:

 (a) a statement indicating the consequences to the CDR consumer if they withdraw a consent to collect and use CDR data;

 (b) a list of any other accredited persons with whom the accredited person has a sponsorship arrangement;

 (c) for each such arrangement—the nature of the services one party provides to the other party;

 (d) a list of the CDR representatives of the accredited person;

 (e) for each CDR representative—the nature of the goods and services that the CDR representative provides to custormers using CDR data;

 (f) a list of the outsourced service providers of the accredited person (whether based in Australia or based overseas, and whether or not any is an accredited person);

 (g) for each such service provider:

 (i) the nature of the services it provides;

 (ii) the CDR data or classes of CDR data that may be disclosed to it or collected by it;

 (h) if the accredited person wishes to undertake general research using the CDR data:

 (i) a description of the research to be conducted;

 (iii) a description of any additional benefit to be provided to the CDR consumer for consenting to the use;

 (i) if the accredited person is likely to disclose CDR data of a kind referred to in subsection 56ED(5) of the Act to such a service provider that:

 (i) is based overseas; and

 (ii) is not an accredited person;

  —the countries in which such persons are likely to be based if it is practicable to specify those countries in the policy;

 (j) if applicable—the following information about deidentification of CDR data that is not redundant data:

 (i) how the accredited person uses CDR data that has been deidentified in accordance with the CDR data deidentification process to provide goods or services to CDR consumers;

 (ii) the further information specified in subrule (5);

 (k) the following information about deletion of redundant CDR data:

 (i) when it deletes redundant data;

 (ii) how a CDR consumer may elect for this to happen;

 (iii) how it deletes redundant data;

 (l) if applicable—the following information about deidentification of redundant CDR data:

 (i) if the deidentified data is used by the accredited person—examples of how the accredited person ordinarily uses deidentified data; and

 (ii) the further information specified in subrule (5);

 (m) the following information about the CDR consumer’s election to delete their CDR data:

 (i) information about how the election operates and its effect;

 (ii) information about how CDR consumers can exercise the election.

Note 1: The specified service providers are the accredited person’s “outsourced service providers”.

Note 2: For paragraph (d), if the service provider is an accredited person who is based overseas, paragraph 56ED(5)(f) of the Act requires similar information to be contained in the accredited person’s CDR policy.

Note 3:  This subrule is a civil penalty provision (see rule 9.8).

 (5) For subparagraphs (4)(e)(ii) and (g)(ii), the further information is:

 (a) how the accredited person who is or who may become an accredited data recipient of CDR data deidentifies CDR data, including a description of techniques that it uses to deidentify data; and

 (b) if the accredited person ordinarily discloses (by sale or otherwise) deidentified data to one or more other persons:

 (i) that fact; and

 (ii) to what classes of person it ordinarily discloses such data; and

 (iii) why it so discloses such data.

 (6) In addition to the information referred to in paragraphs 56ED(4)(b) and (5)(d) of the Act, the CDR policy of the CDR entity (the data holder or accredited person who is or who may become an accredited data recipient of CDR data) must include the following information in relation to the CDR entity's internal dispute resolution processes:

 (a) where a CDR consumer complaint can be made;

 (b) how a CDR consumer complaint can be made;

 (c) when a CDR consumer complaint can be made;

 (d) when acknowledgement of a CDR consumer complaint can be expected;

 (e) what information is required to be provided by the complainant;

 (f) the CDR entity’s process for handling CDR consumer complaints;

 (g) time periods associated with various stages in the CDR consumer complaint process;

 (h) options for redress;

 (i) options for review, both internally (if available) and externally.

Note: This subrule is a civil penalty provision (see rule 9.8).

 (7) If an accredited person is who is or who may become an accredited data recipient of CDR data proposes to store CDR data other than in Australia or an external territory, its CDR policy must specify any country in which they propose to store CDR data.

Note: This subrule is a civil penalty provision (see rule 9.8).

Availability of policy

 (8) For paragraph 56ED(7)(b) of the Act, the CDR entity must make its CDR policy readily available through each online service by means of which the CDR entity, or a CDR representative of the CDR entity, ordinarily deals with CDR consumers.

Note: This subrule is a civil penalty provision (see rule 9.8).

 (9) For subsection 56ED(8) of the Act, if a copy of the CDR entity’s policy is requested by a CDR consumer, the CDR entity must give the CDR consumer a copy:

 (a) electronically; or

 (b) in hard copy;

  as directed by the consumer.

Note: This subrule is a civil penalty provision (see rule 9.8).

15  Paragraph 7.3(1)(a)

Omit “accredited data recipient”, substitute “accredited person who is or may become an accredited data recipient of CDR data”.

17  Paragraph 7.5(1)(h)

After “paragraph (e)” insert “or (g)”.

18  Rule 8.1, third boxed paragraph

Omit “a Data Standards Advisory Committee”, substitute “Data Standards Advisory Committees”.

19  Division 8.2, heading

Omit “Committee”, substitute “Committees”.

20  Rule 8.2

Substitute:

8.2  Establishment of Data Standards Advisory Committee

 (1) The Data Standards Chair must, by written instrument, establish and maintain a committee to advise the Chair about data standards in relation to each designated sector (a Data Standards Advisory Committee).

Note: For variation and revocation, see subsection 33(3) of the Acts Interpretation Act 1901 and paragraph 13(1)(a) of the Legislation Act 2003.

 (2) To avoid doubt, a Data Standards Advisory Committee may be appointed to cover more than one designated sector.             

21  Rule 8.3

Omit “the Data Standards Advisory Committee”, substitute “a Data Standards Advisory Committee”.

22  Paragraph 8.4(1)(a)

Omit “the Data Standards Advisory Committee”, substitute “a Data Standards Advisory Committee”.

23  Subrule 8.5(1)

Omit “the Data Standards Advisory Committee”, substitute “a Data Standards Advisory Committee”.

24  Subrule 8.5(2)

Omit “the Committee”, substitute “a Committee”.

25  Rule 8.6

Omit “the Data Standards Advisory Committee”, substitute “a Data Standards Advisory Committee”.

26  Subrule 8.7(1)

Omit “the Data Standards Advisory Committee”, substitute “a Data Standards Advisory Committee”.

27  Subrule 8.7(2)

Omit “the Committee”, substitute “a Committee”.

28  Rule 9.8

Substitute:

9.8  Civil penalty provisions

  For section 56BL of the Act, the following provisions of these rules are civil penalty provisions (within the meaning of the Regulatory Powers Act):

 (a) subrule 1.12(1); 

 (b) subrule 1.13(1);

 (c) subrule 1.14(1);

 (d) subrule 1.15(1);

 (e) subrule 1.15(5)

 (f) subrule 1.15(7)

 (g) subrule 1.16(1);

 (h) subrule 1.16A(2); 

 (i) subrule 1.20(2);

 (j) subrule 1.22(3);

 (k) subrule 1.22(4);

 (l) subrule 1.22(5);

 (m) subrule 1.23(4):

 (n) subrule 1.23(5);

 (o) subrule 1.23(6);

 (p) rule 1.25;

 (q) subrule 2.4(2A); 

 (r) subrule 2.4(3);

 (s) rule 2.6;

 (t) subrule 3.4(3);

 (u) subrule 4.3(5);

 (v) subrule 4.3C(2):

 (w) subrule 4.4(3);

 (x) subrule 4.5(2);

 (y) subrule 4.5(3);

 (z) subrule 4.6(3);

 (aa) subrule 4.6(4);

 (bb) subrule 4.7B(3)

 (cc) subrule 4.13(2);

 (dd) subrule 4.18(1);

 (ee) subrule 4.18A(2);

 (ff) subrule 4.18B(2);

 (gg) subrule 4.18B(3);

 (hh) subrule 4.18C(2);

 (ii) rule 4.19;

 (jj) subrule 4.20(2);

 (kk) subrule 4.22A(1)

 (ll) subrule 4.25(2);

 (mm) rule 4.27;

 (nn) subrule 4.28(2);

 (oo) subrule 4A.6(1); 

 (pp) subrule 4A.7(3); 

 (qq) subrule 4A.8(2); 

 (rr) subrule 4A.8(3); 

 (ss) subrule 4A.13(1); 

 (tt) subrule 4A.14(2); 

 (uu) subrule 4A.14(3); 

 (vv) subrule 5.1B(2); 

 (ww) subrule 5.1B(3); 

 (xx) subrule 5.1B(4); 

 (yy) subrule 5.1B(5); 

 (zz) subrule 5.12(1);

 (aaa) rule 5.13;

 (bbb) subrule 5.14(1);

 (ccc) subrule 5.23(2);

 (ddd) subrule 5.23(3);

 (eee) subrule 5.23(4);

 (fff) subrule 5.31(2);

 (ggg) rule 6.1;

 (hhh) rule 6.2;

 (iii) subrule 7.2(4);

 (jjj) subrule 7.2(6);

 (kkk) subrule 7.2(7);

 (lll) subrule 7.2(8);

 (mmm) subrule 7.2(9);

 (nnn) subrule 7.3(2); 

 (ooo) subrule 7.3A(1); 

 (ppp) subrule 7.6(1);

 (qqq) subrule 7.8A(1); 

 (rrr) subrule 7.8A(2); 

 (sss) subrule 7.10A(1); 

 (ttt) subrule 7.14(1);

 (uuu) subrule 7.14(2);

 (vvv) subrule 7.16(1); 

 (www) subrule 9.6(4);

 (xxx) subrule 9.7(3).

Note: Subrules 2.5(2), 3.5(2), 4.7(3), 5.25(3), 5.25(5), 5.34(4), 9.3(1), 9.3(2), 9.3(2A), 9.3(5), 9.4(1) ), 9.4(1A), 9.4(2) 9.4(2A), 9.4(3), 9.5(4), 9.5(5) and 9.5(6) are also civil penalty provisions within the meaning of the Regulatory Powers Act.

29  Schedule 1, clause 2.1, heading

Substitute:

2.1  Ongoing reporting obligation on accredited persons without streamlined accreditation

30  Schedule 1, before subclause 2.1(1)

Insert:

 (1A) This clause applies to an accredited person other than one with streamlined accreditation under rule 5.5.

31  Schedule 3, clause 1.2, definition of banking sector designation instrument

Substitute:

banking sector designation instrument means the Consumer Data Right (Authorised DepositTaking Institutions) Designation 2019.

32  Schedule 3, clause 2.1

Substitute:

2.1  Additional criteria for eligibility—banking sector

 (1) For subrule 1.10B(1), the additional criterion for CDR consumer to be eligible, in relation to a particular data holder in the banking sector at a particular time, is that the person is able to access the account online.

Note: Subrule 1.10B(1) provides criteria for account holders and secondary account holders of the account to be eligible.

 (2) For subrule 1.10B(2), the additional criterion for a CDR consumer who is a partner in a partnership to be eligible, in relation to a particular data holder in the banking sector at a particular time, is that the partnership account is set up in such a way that it can be accessed online.

Note: For a partnership account, subrule 1.10B(2) provides criteria for persons who are partners in the partnership (but who need not themselves be account holders or secondary account holders) to be eligible.

33  Schedule 3, after clause 2.2

Insert:

2.3  Consumer dashboard—application of rule 1.15

  For subrule 1.15(1), if a data holder receives a consumer data request from an accredited person on behalf of an eligible CDR consumer the data holder must provide the CDR consumer with the consumer dashboard.

34  Schedule 3, paragraph 3.1(1)

After “in relation to”, insert “a data holder in”.

35  Schedule 3, paragraph 3.1(2)

After “in relation to”, insert “a data holder in”.

36  Schedule 3, clause 3.1

At the end, add:

 (3) In this clause, a reference to a product is a reference to a product offered by or on behalf of the data holder.

37  Schedule 3, subclause 3.2(1), note 1

Repeal.

38  Schedule 3, clause 5.1

Substitute:

5.1  Meeting internal dispute resolution requirements―banking sector

 (1) For the banking sector, a CDR participant meets the internal dispute resolution requirements if its internal dispute resolution processes comply with provisions of Regulatory Guide 271 that deal with the following:

 (a) standards that its internal dispute resolution procedures or processes must meet regarding the following:

 (i) commitment and culture;

 (ii) the enabling of complaints;

 (iii) resourcing;

 (iv) responsiveness;

 (v) objectivity and fairness;

 (vi) policy and procedures;

 (vii) data collection, analysis and internal reporting;

 (viii) continuous improvement;

 (b) outsourcing internal dispute resolution processes;

 (c) acknowledgement of complaint;

 (d) what an internal dispute resolution response must contain;

 (e) maximum timeframes for an internal dispute resolution response;

 (f) internal dispute resolution response requirements for multi-tier internal dispute resolution processes;

 (g) the role of customer advocates;

 (h) establishing links between internal dispute resolution processes and external dispute resolution;

 (i) systemic issues.

 (2) In this clause:

Regulatory Guide 271 means Regulatory Guide 271 published by the Australian Securities & Investments Commission, as in force from time to time and applied as if:

 (a) references to complaints were references to CDR consumer complaints; and

 (b) references to financial firms and financial service providers were references to CDR participants.

Note: Regulatory Guide 271 could in 2021 be accessed from the Australian Securities & Investments Commission’s website (https://asic.gov.au).

39  Schedule 3, clause 6.2, table item 2

In column 2, omit “, a “voluntarily participating ADI””.

40  Schedule 3

Add at the end:

7.5  Grounds for revocation, suspension and surrender of accreditation—banking sector

  For item 5 of the table in rule 5.17:

 (b) the relevant condition is that the accredited person was, at the time of the accreditation, an ADI; and

 (c) the accredited person ceases to satisfy the condition if  its authority to carry on banking business is no longer in force.