Navigating the CDR: Consumer Data Right Policy Essentials


A CDR policy is mandatory for data holders, so if your business is, or will become, a data holder under the CDR regime, you should begin developing one now. Under Privacy Safeguard 1 and CDR Rule 7.2, every CDR entity must have a clearly expressed and up-to-date policy about how it manages CDR data (its CDR policy). The policy must be provided free of charge and made available in the manner required by the CDR Rules.

What needs to be included in a CDR Policy?

The CDR policy must explain how a CDR consumer can access and seek correction of their CDR data, how they can complain, and how the entity will deal with a complaint. It must also:

  1. Indicate how the data holder will respond to consumer data requests;
  2. Specify the classes of CDR data the data holder holds or may hold in the future;
  3. Address the purposes for which the data holder may collect, hold, use or disclose CDR data (with each purpose explained separately);
  4. Indicate how the data holder will authorise access to CDR data;
  5. Indicate how the data holder will disclose CDR data;
  6. Set out the data holder's privacy obligations;
  7. Set out the records the data holder must keep and maintain; and
  8. Set out the reporting requirements the data holder must comply with.

The CDR policy must be a document in its own right, distinct from any existing privacy policy or information security policy. It must be available to consumers free of charge and in the format they prefer (hard copy or electronic).

What are the recommended steps in developing the policy?

To ensure compliance with Privacy Safeguard 1 and CDR Rule 7.2, data holders should:

  1. Develop and maintain a clearly expressed and up-to-date CDR policy;
  2. Make the policy available to consumers free of charge and in their preferred format;
  3. Keep the policy distinct from any existing privacy or information security policy;
  4. Explain how a CDR consumer can access and seek correction of their CDR data, how they can complain, and how the entity will deal with a complaint;
  5. Explain how the data holder will respond to consumer data requests, authorise access to CDR data and disclose CDR data, and set out its privacy obligations;
  6. Set out the records the data holder must keep and maintain, and the reporting requirements it must comply with; and
  7. Check the draft against the OAIC's Guide to developing a CDR policy, which discusses each of these requirements in detail.

For further detail on the required format and contents of a CDR policy, data holders should refer to the OAIC's Guide to developing a CDR policy.

Conclusion

In summary, every data holder must have a CDR policy that is distinct from its privacy and information security policies. The policy must explain how a CDR consumer can access and seek correction of their CDR data, how they can complain and how the entity will deal with a complaint; how the data holder will respond to consumer data requests, authorise access to CDR data and disclose CDR data; the data holder's privacy obligations; the records it must keep and maintain; and the reporting requirements it must comply with. The OAIC's Guide to developing a CDR policy is the authoritative reference for these requirements.

If you would like assistance in developing the policy or confirmation that it is compliant, contact us.
