Competition and Consumer (Consumer Data Right) Rules 2020 (Cth)

Competition and Consumer (Consumer Data Right) Rules 2020

made under the Competition and Consumer Act 2010

Compilation No. 10

Compilation date:4 March 2025

Includes amendments:Competition and Consumer (Consumer Data Right) Amendment (2025 Measures No. 1) Rules 2025

Prepared by The Treasury

About this compilation

This compilation

This is a compilation of the Competition and Consumer (Consumer Data Right) Rules 2020 that shows the text of the law as amended and in force on 4 March 2025 (the compilation date).

The notes at the end of this compilation (the endnotes) include information about amending laws and the amendment history of provisions of the compiled law.

Uncommenced amendments

The effect of uncommenced amendments is not shown in the text of the compiled law. Any uncommenced amendments affecting the law are accessible on the Legislation Register ( The details of amendments made up to, but not commenced at, the compilation date are underlined in the endnotes. For more information on any uncommenced amendments, see the series page on the Legislation Register for the compiled law.

Application, saving and transitional provisions for provisions and amendments

If the operation of a provision or amendment of the compiled law is affected by an application, saving or transitional provision that is not included in this compilation, details are included in the endnotes.

Modifications

If the compiled law is modified by another law, the compiled law operates as modified but the modification does not amend the text of the law. Accordingly, this compilation does not show the text of the compiled law as modified. For more information on any modifications, see the series page on the Legislation Register for the compiled law.

Self‑repealing provisions

If a provision of the compiled law has been repealed in accordance with a provision of the law, details are included in the endnotes.

Contents

Part 1PreliminaryDivision 1.1Preliminary1.1Name

This instrument is the Competition and Consumer (Consumer Data Right) Rules 2020.

1.3Authority

This instrument is made under section 56BA of the Competition and Consumer Act 2010.

Division 1.2Simplified outline and overview of these rules1.4Simplified outline of these rules

There are 3 ways to request CDR data under these rules.
Product data requests
Any person may request a data holder to disclose CDR data that relates to products offered by the data holder. Such a request is called a product data request.
A product data request is made in accordance with relevant data standards, using a specialised service provided by the data holder. Such a request cannot be made for CDR data that relates to a particular identifiable CDR consumer. The data is disclosed, in machine‑readable form, to the person who made the request. The data holder cannot impose conditions, restrictions or limitations of any kind on the use of the disclosed data.
Consumer data requests made by CDR consumers
A CDR consumer who, in accordance with a Schedule to these rules, is eligible to do so may directly request a data holder to disclose CDR data that relates to them. Such a request is called a consumer data request.
A consumer data request that is made directly to a data holder is made using a specialised online service provided by the data holder. The data is disclosed, in human‑readable form, to the CDR consumer who made the request.
Consumer data requests made on behalf of CDR consumers
A CDR consumer who, in accordance with a Schedule to these rules, is eligible to do so may request an accredited person to request a CDR participant to disclose CDR data that relates to the consumer. The request made by the accredited person is called a consumer data request.
A consumer data request that is made to a data holder on behalf of a CDR consumer by an accredited person must be made in accordance with relevant data standards, using a specialised service provided by the data holder. The data is disclosed, in machine‑readable form, to the accredited person.
Under the data minimisation principle, the accredited person may only collect, use and disclose CDR data in order to provide goods or services in accordance with a request from a CDR consumer, and may only use or disclose it for that purpose, or for a limited number of other purposes which require an additional consent from the CDR consumer.
When consumers are eligible to make requests
A consumer data request can only be made in relation to certain classes of product and consumer CDR data.
These are specified in Schedules to these rules that relate to different designated sectors. The relevant Schedule will also set out:
•
the circumstances in which a CDR consumer will be eligible to make or initiate a consumer data request for CDR data in that sector; and
•
the CDR data that must be disclosed by the data holder in response to a valid request and the CDR data that may be, but is not required to be, disclosed by the data holder.
These rules also deal with a range of ancillary and related matters.

1.5What these rules are about

(1)
These rules set out details of how the consumer data right works.
(2)
These rules should be read in conjunction with the following:
(a)
the Competition and Consumer Act 2010 (the Act), and in particular, Part IVD of the Act, which sets out the general framework for how the consumer data right works;
(b)
designation instruments made under section 56AC of the Act;
(c)
guidelines made by the Information Commissioner under section 56EQ of the Act;
(d)
data standards made under section 56FA of the Act;
(e)
regulations made under section 172 of the Act.

1.6Overview of these rules

Note: These rules cover a number of different sectors of the economy. It is intended that they will be amended from time to time in the future to deal with additional sectors.

(1)
Part 1 of these rules deals with preliminary matters, such as:
(a)
definitions of terms that are used in these rules; and
(b)
the usage, in these rules, of certain terms that are defined in the Act.
The other provisions of these rules should be read together with these definitions and other interpretive provisions. Part 1 also deals with services that must be provided by data holders and accredited persons that allow consumers to make and manage requests for CDR data.
(2)
Part 2 of these rules deals with product data requests, and should be read in conjunction with the relevant sector Schedule.
(3)
Part 3 of these rules deals with consumer data requests that are made by CDR consumers, and should be read in conjunction with the relevant sector Schedule. Only CDR consumers who are eligible to do so may make such requests. The eligibility criteria for each sector are set out in the relevant sector Schedule.
(4)
Part 4 of these rules deals with consumer data requests that involve accredited persons, and should be read in conjunction with the relevant sector Schedule.
(5)
Part 5 of these rules deals with how persons can become accredited persons. It also deals with ancillary matters, such as revocation and suspension of accreditation, obligations of accredited persons, and the Register of Accredited Persons. The rules set out in this Part should be read in conjunction with Division 3 of Part IVD of the Act.
(6)
Part 6 of these rules deals with dispute resolution.
(7)
Part 7 of these rules deals with rules relating to the privacy safeguards. The rules set out in this Part should be read in conjunction with Division 5 of Part IVD of the Act. Part 7 also sets out some additional civil penalty provisions that protect the privacy or confidentiality of CDR consumers’ CDR data.
(8)
Part 8 of these rules deals with data standards. The rules set out in this Part should be read in conjunction with Division 6 of Part IVD of the Act.
(9)
Part 9 of these rules deals with miscellaneous matters, such as review of decisions, reporting, record keeping and audit, and civil penalty provisions of the consumer data rules.
(9A)
Part 50 of these rules sets out application and transitional provisions.
(10)
Schedule 1 to these rules deals with default conditions on accreditations.
(11)
Schedule 2 to these rules sets out detailed steps for privacy safeguard 12 (subsection 56EO(1) of the Act and rule 7.11 of these rules). These steps are also relevant to persons who hold CDR data (service data) under a CDR outsourcing arrangement, and are an element of the ongoing obligations of accredited persons (see paragraph 5.12(1)(a)).
(12)
Schedule 3 to these rules deals with the banking and non-bank lenders sectors. Schedule 3 sets out:
(a)
particular classes of data holder in those sectors to which these rules do not apply; and
(b)
the specific types of CDR data in respect of which requests under these rules may be made; and
(c)
the circumstances in which CDR consumers are eligible in relation to data holders in those sectors; and
(d)
the progressive application of these rules to those sectors.

(13)
Schedule 4 to these rules deals with the energy sector. Schedule 4 sets out:
(a)
the specific types of CDR data in respect of which requests under these rules may be made; and
(b)
the circumstances in which CDR consumers are eligible in relation to data holders in the energy sector; and
(c)
some modifications of the general rules that apply in the energy sector because certain types of data are collected or held by agencies specified in the energy sector designation instrument rather than the retailers with which the CDR consumers have accounts; and
(d)
the progressive application of these rules to the energy sector.

1.6ASector Schedules

A sector Schedule may modify the operation of Parts 1 to 9 of these rules in relation to a particular designated sector or sectors and a particular matter (whether or not a provision in any of those Parts provides for the Schedule to deal with the matter).
Example: A sector Schedule may provide that these rules do not apply in relation to a particular class of data holders in the designated sector or sectors.

Division 1.3Interpretation1.7Definitions

Note: Expressions have the same meaning in this instrument as in the Competition and Consumer Act 2010 as in force from time to time—see paragraph 13(1)(b) of the Legislation Act 2003.
(1)
In this instrument:
ABNhas the meaning given by the A New Tax System (Australian Business Number) Act 1999.

account privileges, in relation to:
(a)
an account with a data holder; and
(b)
a particular designated sector;
has the meaning set out in a Schedule to these rules that relates to that sector.
accreditation applicant means a person who has applied to be an accredited person under rule 5.2.
accreditation number of an accredited person has the meaning given by rule 5.6.
accredited data recipient has a meaning affected by subrule (2).
Note: The term “accredited data recipient” is defined in the Act: see section 56AK of the Act. Subrule (2) deals with the usage of this term in these rules.
accredited person request service has the meaning given by subrule 1.13(3).
Actmeans the Competition and Consumer Act 2010.
addresses for service means both of the following:
(a)
a physical address for service in Australia;
(b)
an electronic address for service.
ADI(short for authorised deposit‑taking institution) has the meaning given by the Banking Act 1959.
affiliate has the meaning given by rule 1.10D.
AP disclosure consent has the meaning given by rule 1.10A.
associated person, of another person, means any of the following:
(a)
a person who:
(i)
makes or participates in making, or would (if the other person were an accredited person) make or participate in making, decisions that affect the management of CDR data by the other person; or
(ii)
has, or would have (if the other person were an accredited person), the capacity to significantly affect the other person’s management of CDR data;
(b)
if the other person is a body corporate—a person who:
(i)
is an associate (within the meaning of the Corporations Act 2001) of the other person; or
(ii)
is an associated entity (within the meaning of the Corporations Act 2001) of the other person.
authorisation to disclose CDR data means:
(a)
an authorisation given by a CDR consumer under Part 4 to a data holder; or
(b)
such an authorisation as amended in accordance with these rules.
business consumer disclosure consent has the meaning given by rule 1.10A.
business consumer statement has the meaning given by rule 1.10A.

category, of consents, has the meaning given by rule 1.10A.
CDR business consumer has the meaning given by rule 1.10A.

CDR complaint data, in relation to a CDR participant, means the following:
(a)
the number of CDR consumer complaints received by the CDR participant;
(b)
the number of such complaints for each complaint type into which the CDR participant categorises complaints in accordance with its complaints handling process;
(c)
the number of such complaints resolved;
(d)
the average number of days taken to resolve CDR consumer complaints through internal dispute resolution;
(e)
the number of CDR consumer complaints referred to a recognised external dispute resolution scheme;
(f)
the number of CDR consumer complaints resolved by external dispute resolution;
(g)
in relation to a CDR participant that is a data holder―the number of CDR product data complaints received.
Note: Complaints covered by paragraph (g) are not “CDR consumer complaints”.
CDR consumer has a meaning affected by subrule (2).
Note: The term “CDR consumer” is defined in the Act: see subsection 56AI(3) of the Act. Subrule (2) deals with the usage of this term in these rules.
CDR consumer complaint means any expression of dissatisfaction made by a CDR consumer to or about a CDR participant, or a CDR representative of a CDR participant:
(a)
that relates to:
(i)
that person’s obligations under or compliance with:
(A)
Part IVD of the Act; or
(B)
these rules; or
(C)
binding data standards; or
(ii)
the provision to the CDR consumer, by that person, of the goods or services in respect of which the consumer granted consent under Part 4; and
(b)
for which a response or resolution could reasonably be expected.
Note: Complaints of a kind referred to in sub‑subparagraph (a)(i)(B) include a complaint relating to the participant’s obligations under, or compliance with, rules dealing with the handling of CDR consumer complaints.
CDR data de‑identification process has the meaning given by rule 1.17.
CDR data deletion process has the meaning given by rule 1.18.
CDR insight, in relation to an insight disclosure consent, means the CDR data subject to the consent.
CDR logo means a logo or symbol, including one whose use requires a licence or authorisation from a person other than the Commonwealth, approved by the Commission for the purposes of this definition.
CDR outsourcing arrangement has the meaning given by rule 1.10.
CDR participant has a meaning affected by subrule (2).
Note: The term “CDR participant” is defined in the Act: see subsection 56AL(1) of the Act. Subrule (2) deals with the usage of this term in these rules.
CDR policy means a policy that a CDR participant has and maintains in compliance with subsection 56ED(3) of the Act.
CDR product data complaint means an expression of dissatisfaction made to a data holder about its required product data or its voluntary product data for which a response or resolution could reasonably be expected.
CDR representative has the meaning given by rule 1.10AA.
CDR representative arrangement has the meaning given by rule 1.10AA.
CDR representative principal has the meaning given by rule 1.10AA.
co‑approval option has the meaning given by rule 4A.5.
collection consent has the meaning given by rule 1.10A.
consent means:
(a)
a collection consent, a use consent or a disclosure consent; or
(b)
such a consent as amended in accordance with these rules.
consumer dashboard:
(a)
in relation to an accredited person—has the meaning given by rule 1.14; and
(b)
in relation to a data holder—has the meaning given by rules 1.15 and 4A.13.
consumer data request:
(a)
by a CDR consumer—has the meaning given by rule 3.3; and
(b)
by an accredited person on behalf of a CDR consumer—has the meaning given by rule 4.4 or rule 4.7A.
Note: The different types of consumer data request are summarised in the following table:

A consumer data request made under:	is made by:	to:	for disclosure of CDR data to:
rule 3.3	a CDR consumer	a data holder	the CDR consumer
rule 4.4	an accredited person on behalf of a CDR consumer	a data holder	the accredited person
rule 4.7A	an accredited person on behalf of a CDR consumer	an accredited data recipient	the accredited person

consumer experience data standards means data standards expressed to be consumer experience data standards.
Example: The Data Standards Chair must make data standards about disclosure and security of CDR data, including consumer experience data standards for certain disclosures—see subparagraphs 8.11(1)(c)(iii) to (vi).
current:
(a)
a consent is current if it has not expired in accordance with rule 4.14 or 4.20K; and
(b)
an authorisation to disclose particular CDR data is current if it has not expired in accordance with rule 4.26.
Note: For paragraph (a), there are the following 3 kinds of consent:
· collection consents;
· use consents;
· disclosure consents.
data holder has a meaning affected by subrule (2).
Note: The term “data holder” is defined in the Act: see subsection 56AJ of the Act. Subrule (2) deals with the usage of this term in these rules.
data minimisation principle has the meaning given by rule 1.8.
Data Standards Advisory Committee has the meaning given by rule 8.2.
de‑identification consent has the meaning given by rule 1.10A.
direct marketing consent has the meaning given by rule 1.10A.
direct or indirect OSP means a direct OSP or an indirect OSP.

direct OSP has the meaning given by rule 1.10.

direct request service has the meaning given by subrule 1.13(2).
disclosure consent has the meaning given by rule 1.10A.
disclosure option has the meaning given by rule 4A.5.
disclosure option management service has the meaning given by rule 4A.6.
eligible:
(a)
in relation to a particular data holder, at a particular time—has the meaning given by rule 1.10B; and
(b)
in relation to a particular data holder in a particular designated sector, at a particular time—has the meaning given by rule 1.10B as affected by clause 2.1 of Schedule 3 and clause 2.1 of Schedule 4.
fit and proper person criteria has the meaning given by rule 1.9.
foreign entity means a person who:
(a)
is not a body corporate established by or under a law of the Commonwealth, of a State or of a Territory; and
(b)
is neither an Australian citizen, nor a permanent resident (within the meaning of the Australian Citizenship Act 2007).
Note: See subsection 56CA(2) of the Act.
general research, in relation to an accredited data recipient, means research by the accredited data recipient:
(a)
using CDR data that has been de‑identified in accordance with the CDR data de‑identification process; and
(b)
that does not relate to the provision of goods or services to any particular CDR consumer.
goods includes products.
indirect OSP has the meaning given by rule 1.10.

insight disclosure consent has the meaning given by rule 1.10A.
joint account:
(a)
means a joint account with a data holder for which there are 2 or more joint account holders, each of which is an individual who:
(i)
so far as the data holder is aware, is acting in their own capacity and not on behalf of another person; and
(ii)
is eligible in relation to the data holder; but
(b)
does not include a partnership account with a data holder.
law relevant to the management of CDR data means any of the following:
(a)
the Act;
(b)
any regulation made for the purposes of the Act;
(c)
these rules;
(d)
the Corporations Act 2001 and the Corporations Regulations 2001;
(e)
the Privacy Act 1988;
(f)
in relation to a particular designated sector—any law that is specified for the purposes of this paragraph in a sector Schedule.
Note: In relation to paragraph (f):
· for the banking sector and non-bank lenders sector, see clause 7.1 of Schedule 3; and
· for the energy sector, see clause 9.1 of Schedule 4.
level, in relation to accreditation, has the meaning given by rule 5.1A.

local agent, in relation to a foreign entity, means a person who:
(a)
is appointed by the foreign entity; and
(b)
has addresses for service; and
(c)
is authorised to accept service of documents on behalf of the foreign entity.
meet the external dispute resolution requirements, for a particular designated sector, has the meaning set out in the relevant sector Schedule.
Note: For the meaning of the term:
· in the banking sector and non-bank lenders sector, see clause 5.2 of Schedule 3; and
· in the energy sector, see clause 5.2 of Schedule 4.

meet the internal dispute resolution requirements, for a particular designated sector, has the meaning set out in the relevant sector Schedule.
Note: For the meaning of the term:
· in the banking sector and non-bank lenders sector, see clause 5.1 of Schedule 3; and
· in the energy sector, see clause 5.1 of Schedule 4.
nominated representative has the meaning given by subparagraph 1.13(1)(c)(i) or subparagraph 1.13(1)(d)(i), as appropriate.
non‑disclosure option has the meaning given by rule 4A.5.
ordinary means of contacting an account holder by a data holder means:
(a)
if the data holder has agreed with the account holder on a particular means of contacting the account holder for the purposes of the relevant provision—that means; and
(b)
otherwise—the default means by which the data holder contacts the account holder in relation to the account.
OSP chain principal has the meaning given by rule 1.10.

partnership account, with a data holder, means an account with a data holder that is held by or on behalf of a partnership or the partners in a partnership.
permitted use or disclosure has the meaning given by rule 7.5.

pre‑approval option has the meaning given by rule 4A.5.
primary data holder, in relation to SR data and a particular designated sector, means the data holder specified in the sector Schedule as the primary data holder for the SR data.
product data request has the meaning given by rule 2.3.
product data request service has the meaning given by rule 1.12.
recognised external dispute resolution scheme means a dispute resolution scheme that is recognised under section 56DA of the Act.
redundant data has the meaning given by paragraph 56EO(2)(a) of the Act.
Register of Accredited Persons means the Register of Accredited Persons established under subsection 56CE(1) of the Act.
relates to direct marketing has the meaning given by rule 7.5.

requester, in relation to a product data request, means the person who made the request under rule 2.3.
required consumer data, in relation to a particular designated sector, has the meaning set out in the relevant sector Schedule.
Note: For the meaning of the term:
· in the banking sector and non-bank lenders sector, see clause 3.2 of Schedule 3; and
· in the energy sector, see clause 3.2 of Schedule 4.
required product data, in relation to a particular designated sector, has the meaning set out in the relevant sector Schedule.
Note: For the meaning of the term:
· in the banking sector and non-bank lenders sector, see clause 3.1 of Schedule 3; and
· in the energy sector, see clause 3.1 of Schedule 4.
restricted ADI means an ADI that has an authority under section 9 of the Banking Act 1959 to carry on a banking business in Australia for a limited time specified in accordance with section 9D of that Act.
secondary data holder, in relation to SR data and a particular designated sector, means the data holder specified in the sector Schedule as the secondary data holder for the SR data.
secondary user: a person is a secondary user for an account with a data holder in a particular designated sector at a particular time, if, at that time:
(a)
the person is an individual who is 18 years of age or older; and
(b)
the person has account privileges in relation to the account; and
(c)
the account holder or account holders:
(i)
are individuals each of whom is 18 years or older; and
(ii)
are eligible in relation to the data holder; and
(iii)
in accordance with the requirements for the account, have given the data holder an instruction to treat the person as a secondary user for the purposes of these rules; and
(iv)
have not withdrawn that instruction.
secondary user instruction means an instruction given for the purposes of paragraph (c) of the definition of secondary user.
sector Schedule means a Schedule to these rules that deals with a particular designated sector or sectors.
service data:
(a)
in relation to a CDR outsourcing arrangement—has the meaning given by rule 1.10; and
(b)
in relation to a CDR representative arrangement— has the meaning given by rule 1.10AA.
sponsor has the meaning given by rule 1.10D.
sponsored accreditation means accreditation at the sponsored level mentioned in rule 5.1A.
Note: See also rules 1.10D and 5.1B.
sponsorship arrangement has the meaning given by rule 1.10D.
SR data (for shared responsibility data), in relation to a CDR consumer and a particular designated sector, has the meaning set out in the relevant sector Schedule.
Note: Where CDR data for which there is a CDR consumer in a designated sector is held by one data holder, but it would be more practical for consumer data requests for the data to be directed to, and actioned by, a different data holder with which the CDR consumer has a relationship, such CDR data may be specified as SR data in the sector Schedule. Parts 3 and 4 then apply with the modifications set out in Division 1.5.
SR data request (for shared responsibility data request) means a consumer data request for CDR data that is, or that includes, SR data of the CDR consumer.
TA disclosure consent has the meaning given by rule 1.10A.
trial product, in relation to a particular designated sector, has the meaning set out in the relevant sector Schedule.

trusted adviser has the meaning given by rule 1.10C.
type of CDR data means a type of data that is identified in the data standards.
Note: See paragraph 8.11(1)(d).
unrestricted accreditation means accreditation at the unrestricted level mentioned in rule 5.1A.
use consent has the meaning given by rule 1.10A.
valid has the meaning given by subrule 3.3(3) or subrule 4.3(3) as appropriate.
voluntary consumer data, in relation to a particular designated sector, has the meaning set out in the relevant sector Schedule.
Note: For the meaning of the term:
· in the banking sector and non-bank lenders sector, see clause 3.2 of Schedule 3; and
· in the energy sector, see clause 3.2 of Schedule 4.
voluntary product data, in relation to a particular designated sector, has the meaning set out in the relevant sector Schedule.
Note: For the meaning of the term:
· in the banking sector and non-bank lenders sector, see clause 3.1 of Schedule 3; and
· in the energy sector, see clause 3.1 of Schedule 4.
(2)
The table has effect:

Meaning of references to certain terms
A reference, in a particular provision of these rules, to:	is, depending on the context, a reference to:
1	a CDR consumer	(a) a CDR consumer for any CDR data; or (b) a CDR consumer for the particular CDR data that is dealt with in relation to the reference.
2	a data holder	(a) a data holder of any CDR data; or (b) the data holder of the particular CDR data that is dealt with in relation to the reference.
3	an accredited data recipient	(a) an accredited data recipient of any CDR data; or (b) the accredited data recipient of the particular CDR data that is dealt with in relation to the reference.
4	a CDR participant	(a) a CDR participant for any CDR data; or (b) the CDR participant for the particular CDR data that is dealt with in relation to the reference.

References to data holder
(3)
In these rules, depending on the context, a reference to a data holder is a reference to a data holder that would be required or that is authorised to disclose CDR data in response to a product data request or a consumer data request that is made in accordance with these rules.
References to a person’s CDR data
(4)
In these rules, a reference to a person’s CDR data is a reference to the CDR data for which that person is a CDR consumer.
References to accredited person
(5)
In these rules, unless the contrary intention appears, a reference to an accredited person making a consumer data request, collecting CDR data, obtaining consents, providing a consumer dashboard, or using or disclosing CDR data does not include a reference to an accredited person doing those things on behalf of an OSP principal in its capacity as a direct or indirect OSP of:
(a)
another accredited person; or
(b)
a CDR representative of itself or of another accredited person;
in accordance with the relevant CDR outsourcing arrangement.

1.8Data minimisation principle

(1)
The collection of CDR data by an accredited person complies with the data minimisation principle if, when making a consumer data request on behalf of a CDR consumer, the accredited person does not seek to collect:
(a)
more CDR data than is reasonably needed; or
(b)
CDR data that relates to a longer time period than is reasonably needed;
in order for it, or a relevant CDR representative, to provide the goods or services requested by the CDR consumer.
(2)
The use or disclosure of CDR data by an accredited person or a CDR representative complies with the data minimisation principle if, when providing the requested goods or services, or doing any other thing that constitutes a permitted use or disclosure of collected CDR data, the use or disclosure of the collected data, or any CDR data directly or indirectly derived from it, does not go beyond what is reasonably needed in order to provide the requested goods or services or to effect the permitted use or disclosure.

1.9Fit and proper person criteria

(1)
For these rules, the fit and proper person criteria, in relation to a person, are the following:
(a)
whether the person, or any associated person, has, within the previous 10 years, been convicted of:
(i)
a serious criminal offence; or
(ii)
an offence of dishonesty;
against any law of the Commonwealth or of a State or a Territory, or a law of a foreign jurisdiction;
(b)
whether the person, or any associated person, has been found to have contravened:
(i)
a law relevant to the management of CDR data; or
(ii)
a similar law of a foreign jurisdiction;
(c)
whether the person, or any associated person, has been the subject of:
(i)
a determination under paragraph 52(1)(b) or any of paragraphs 52(1A)(a), (b), (c) or (d) of the Privacy Act 1988; or
(ii)
a finding or determination of a similar nature under a similar law of a foreign jurisdiction;
(d)
if the person is a body corporate—whether any of the directors (within the meaning of the Corporations Act 2001) of the person, or any associated person:
(i)
has been disqualified from managing corporations; or
(ii)
is subject to a banning order;
(e)
whether the person, or any associated person, has a history of insolvency or bankruptcy;
(f)
whether the person, or any associated person, has been the subject of a determination made under an external dispute resolution scheme that:
(i)
included a requirement to pay monetary compensation; and
(ii)
was, at the time the determination was made:
(A)
recognised under the Privacy Act 1988; or
(B)
a recognised external dispute resolution scheme;
(g)
any other relevant matter, including but not limited to the objects of Part IVD of the Act.
Note: The objects of Part IVD are set out in section 56AA of the Act.
(2)
In this rule:
banning order has the same meaning as in the Corporations Act 2001.
serious criminal offence means an offence for which, if the act or omission had taken place in the Jervis Bay Territory, a person would be liable, on first conviction, to imprisonment for a period of not less than 5 years.
Note: The Jervis Bay Territory is mentioned because it is a jurisdiction in which the Commonwealth has control over the criminal law.

1.10Meaning of direct OSP, indirect OSP and related terms

Persons in a chain of outsourced service providers
(1)
In these rules, where a person who is an accredited person or a CDR representative is the principal in one or more CDR outsourcing arrangements:
(a)
the provider in each such arrangement is a direct OSP (for “direct outsourced service provider”) of the person; and
(b)
where a direct OSP of the person is also the principal in a further CDR outsourcing arrangement, the provider in the further arrangement is an indirect OSP of the person; and
(c)
where an indirect OSP of the person is also the principal in a further CDR outsourcing arrangement, the provider in the further arrangement is also an indirect OSP of the person; and
(d)
the person is the OSP chain principal of each direct and indirect OSP.
Note: Paragraph (c) can be applied repeatedly, so there may be a chain of indirect OSPs for each direct OSP.
(2)
Paragraph (1)(d) does not apply in relation to a person who is an accredited person or CDR representative that is a direct or indirect OSP of an OSP chain principal.

Content of a CDR outsourcing arrangement
(3)
In these rules, a CDR outsourcing arrangement is a written contract between a person (the OSP principal) and another person (the provider) under which:
(a)
the provider will do one or both of the following:
(i)
collect CDR data from a CDR participant in accordance with these rules on behalf of the OSP chain principal (for an OSP chain principal with unrestricted accreditation);

(ii)
use or disclose service data to provide specified goods or services to the OSP principal; and
(b)
the provider is required to comply with the following requirements in relation to any service data:
(i)
in holding, using or disclosing the service data, the provider must comply with the following as if it were the OSP principal:
(A)
the OSP principal’s CDR policy as it relates to deletion and de‑identification of CDR data and the treatment of redundant or de‑identified CDR data;
(B)
section 56EG of the Act (privacy safeguard 4);
(C)
section 56EI of the Act (privacy safeguard 6);
(D)
section 56EJ of the Act (privacy safeguard 7);
(E)
section 56EK of the Act (privacy safeguard 8);

(F)
section 56EL of the Act (privacy safeguard 9);

(ii)
the provider must take the steps in Schedule 2 to protect the service data as if it were an accredited data recipient;
(iii)
the provider must not disclose service data other than:
(A)
to another direct or indirect OSP of the OSP chain principal; or
(B)
to the OSP chain principal; or
(C)
in circumstances where the disclosure of the service data by the OSP chain principal would be permitted under these rules;
(iv)
the provider must not use or disclose the service data other than in accordance with a contract with the OSP principal; and
(v)
the provider must:
(A)
when directed by the OSP principal, do any of the things referred to in paragraphs (5)(a), (b), (c) or (d); and
(B)
when directed by the OSP chain principal, do any of the things referred to in paragraphs (5)(a), (b), (c) or (d); and
(C)
if the OSP chain principal is a CDR representative—when directed by the CDR representative principal of the OSP chain principal, do any of the things referred to in paragraphs (5)(b), (c) or (d);

(vi)
if the provider is the OSP principal in a further CDR outsourcing arrangement (the arrangement), it must ensure that the other person in the arrangement complies with the requirements of the arrangement, including in relation to service data of the other person that was disclosed to it by the OSP chain principal or another direct or indirect OSP of the OSP chain principal.
Note: See rule 1.18 for the definition of “CDR data deletion process”.
(4)
For subparagraph (3)(a)(ii), the provision of the specified goods or services must be:
(a)
where the OSP principal is the OSP chain principal—for the purpose of enabling the OSP chain principal to provide CDR consumers for the service data with the goods and services for the purposes of which a relevant consent to collect the service data, or the CDR data from which it was directly or indirectly derived, was given; and
(b)
otherwise—for the purpose of enabling the OSP principal to provide the goods and services specified in the CDR outsourcing arrangement for which it is the provider.
(5)
For subparagraph (3)(b)(v), the things are the following:
(a)
provide that person with access to any service data that it holds;
(b)
in accordance with the CDR data deletion process, delete any service data that it holds and make the required records;
(c)
provide to that person any such required records;
(d)
direct any other person to which it has disclosed service data under a further CDR outsourcing arrangement to take corresponding steps.
Service data
(6)
In these rules, service data, in relation to a person who is a direct or indirect OSP of an OSP chain principal, means any CDR data of a CDR consumer of the OSP chain principal held by the person that:
(a)
was disclosed to the person by the OSP chain principal for the purposes of the relevant CDR outsourcing arrangement; or
(b)
was collected from a CDR participant by the person on behalf of the OSP chain principal in accordance with the relevant CDR outsourcing arrangement; or
(c)
was disclosed to the person by another direct or indirect OSP of the OSP chain principal in accordance with the relevant CDR outsourcing arrangement for the other direct or indirect OSP; or
(d)
is directly or indirectly derived from such CDR data.
Note: Service data may be disclosed to other direct or indirect OSPs in accordance with provisions in the relevant CDR outsourcing arrangements.
(7)
For paragraph (6)(a), where an accredited person gives a direct or indirect OSP (the provider) permission to access or use CDR data collected by the provider on behalf of the OSP chain principal in accordance with subparagraph (3)(a)(i), the accredited person is taken to disclose the CDR data to the provider.
1.10AAMeaning of CDR representative and related terms

Note: From the point of view of a CDR consumer who is the customer of a CDR representative, the consumer deals with the CDR representative, as if it were an accredited person, and might not deal with the CDR representative principal at all. The consumer requests the goods or services from the CDR representative; the CDR representative identifies the CDR data that it needs in order to provide the goods and services; the consumer gives their consent to the CDR representative for the collection and use of the CDR data. The consumer is informed that the CDR representative principal will do the actual collecting, but as a background detail.
A CDR representative cannot deal with a person in their capacity as a CDR business consumer.
(1)
In these rules, a CDR representative arrangement is a written contract between a person with unrestricted accreditation (the CDR representative principal) and a person without accreditation (the CDR representative):
(a)
under which the CDR representative will offer goods and services to CDR consumers, but not in their capacity as CDR business consumers, for which it will need to use or disclose CDR data of the CDR consumer; and
(b)
under which, where the CDR representative has obtained the consent of a CDR consumer to the collection, use and disclosure of CDR data in accordance with rule 4.3A:
(i)
the CDR representative principal will:
(A)
make any appropriate consumer data request; and
(B)
disclose the relevant CDR data to the CDR representative; and
(ii)
the CDR representative will use or disclose the CDR data to provide the relevant goods or services to the CDR consumer; and
(c)
that specifies that the provisions referred to in paragraphs (a) and (b) do not operate until the details of the CDR representative have been entered on the Register of Accredited Persons; and
(d)
under which the CDR representative is required to comply with:
(i)
any rules that are expressed as applying to a CDR representative; and
(ii)
any consumer experience data standards that are expressed as applying to an accredited data recipient, as if the CDR representative were an accredited data recipient.
(2)
A CDR representative arrangement may provide for the CDR representative:
(a)
to seek any consent for the use or disclosure of service data that the CDR representative principal could seek in the same circumstances; and

(b)
to make any use or disclosure of service data that would be:
(i)
a permitted use or disclosure of the CDR data of the kind mentioned in paragraph 7.5(1)(j); or
(ii)
a permitted use or disclosure of the CDR data that relates to direct marketing of the kind mentioned in paragraph 7.5(3)(e).
(3)
A CDR representative arrangement must require the CDR representative:
(a)
not to enter into another CDR representative arrangement; and
(b)
not to engage a person as the provider in a CDR outsourcing arrangement in relation to service data except as provided in the CDR representative arrangement.
Note: Because a CDR representative cannot collect CDR data except through its CDR representative principal, it cannot engage the provider to collect CDR data.

(4)
A CDR representative arrangement must require the CDR representative to comply with the following requirements in relation to any service data:
(a)
in holding, using or disclosing the service data, the CDR representative must comply with the following as if it were the CDR representative principal:
(i)
section 56EE of the Act (privacy safeguard 2);
(ii)
section 56EG of the Act (privacy safeguard 4);
(iia)
section 56EI of the Act (privacy safeguard 6);
(iib)
section 56EJ of the Act (privacy safeguard 7);

(iii)
section 56EN of the Act, other than subsection (1) (privacy safeguard 11);
(iv)
section 56EO of the Act (privacy safeguard 12);
(v)
section 56EP of the Act, other than subsection (1) (privacy safeguard 13);
(b)
the CDR representative must take the steps in Schedule 2 to protect the service data as if it were the CDR representative principal;
(c)
the CDR representative must not use or disclose the service data other than in accordance with a contract with the CDR representative principal;
(d)
the CDR representative must not use or disclose the service data unless the use or disclosure would be:
(i)
a permitted use or disclosure of the CDR data of the kind mentioned in paragraph 7.5(1)(j); or
(ii)
a permitted use or disclosure of the CDR data that relates to direct marketing of the kind mentioned in paragraph 7.5(3)(e);
(e)
the CDR representative must, when so directed by the CDR representative principal:
(i)
do any of the following:
(A)
delete any service data that it holds in accordance with the CDR data deletion process;
(B)
provide, to the CDR representative principal, records of any deletion that are required to be made under the CDR data deletion process; and
(ii)
require its direct and indirect OSPs to do the same;
(f)
the CDR representative must adopt and comply with the CDR representative principal’s CDR policy in relation to the service data;
(g)
the CDR representative must comply with sections 56EK and 56EL of the Act (privacy safeguards 8 and 9) as if it were an accredited data recipient.
Note 1: For paragraph (4)(c), the CDR representative principal may be a direct or indirect OSP of the CDR representative, either as a result of provisions in the written agreement that make it also an CDR outsourcing arrangement under rule 1.10, or under a separate CDR outsourcing arrangement.
Note 2: For paragraph (4)(d), the permitted uses or disclosures are those that would be permitted if the representative were an accredited data recipient that had collected the CDR data under the consumer data request. They include disclosure to a direct or indirect OSP for the purposes of providing the relevant goods and services.
Note 3: For paragraph (4)(e), see rule 1.18 for the definition of “CDR data deletion process”.
(5)
In these rules, service data, in relation to a CDR representative, consists of any CDR data that:
(a)
was disclosed to the CDR representative for the purposes of the CDR representative arrangement; or
(b)
is directly or indirectly derived from such CDR data.

1.10ATypes of consents

(1)
For these rules:
(a)
a collection consent is a consent given by a CDR consumer under these rules for an accredited person to collect particular CDR data from a CDR participant for that CDR data; and
(b)
a use consent is a consent given by a CDR consumer under these rules for an accredited data recipient of particular CDR data, or a CDR representative that holds the CDR data as service data, to use that CDR data in a particular way; and
(c)
a disclosure consent is a consent given by a CDR consumer under these rules for an accredited data recipient of particular CDR data, or a CDR representative that holds the CDR data as service data, to disclose that CDR data:
(i)
to an accredited person in response to a consumer data request (an AP disclosure consent); or
(ii)
to an accredited person for the purposes of direct marketing; or
(iii)
to a trusted adviser of the CDR consumer (a TA disclosure consent); or
(iv)
to a specified person in accordance with an insight disclosure consent; or
(v)
other than in the case of a CDR representative—to a specified person in accordance with a business consumer disclosure consent; and
(d)
a direct marketing consent is a consent given by a CDR consumer under these rules for an accredited data recipient of particular CDR data, or a CDR representative that holds the CDR data as service data, to use or disclose the CDR data for the purposes of direct marketing; and
(e)
a de‑identification consent is a consent given by a CDR consumer under these rules for an accredited data recipient of particular CDR data, or a CDR representative that holds the CDR data as service data, to de‑identify some or all of the collected CDR data and do either or both of the following:
(i)
use the de‑identified data for general research;
(ii)
disclose (including by selling) the de‑identified data.
Note: A direct marketing consent or a de-identification consent could consist of either or both a use consent or a disclosure consent.
(2)
For these rules, each of the following is a category of consents:
(a)
collection consents;
(b)
use consents relating to the goods or services requested by the CDR consumer;
(c)
direct marketing consents;
(d)
de‑identification consents;
(e)
AP disclosure consents;
(f)
TA disclosure consents;
(g)
insight disclosure consents;
(h)
business consumer disclosure consents.
Insight disclosure consents
(3)
For these rules, an insight disclosure consent in relation to particular CDR data of a CDR consumer held by an accredited data recipient, or a CDR representative that holds the CDR data as service data, is a disclosure consent given by the CDR consumer under these rules that:
(a)
authorises the accredited data recipient or CDR representative to disclose the CDR data to a specified person for one or more of the following purposes:
(i)
verifying the consumer’s identity;
(ii)
verifying the consumer’s account balance;
(iii)
verifying the details of credits to or debits from the consumer’s accounts; but
(b)
where the CDR data relates to more than one transaction—does not authorise the accredited data recipient or CDR representative to disclose an amount or date in relation to any individual transaction.
(4)
An accredited person must not make:
(a)
the giving of an insight disclosure consent; or
(b)
the specification of a particular person for the purposes of paragraph (3)(a);
a condition for supply of the goods or services requested by the CDR consumer.
Note: This subrule is a civil penalty provision (see rule 9.8).

(5)
A CDR representative must not make:
(a)
the giving of an insight disclosure consent; or
(b)
the specification of a particular person for the purposes of paragraph (3)(a);
a condition for supply of the goods or services requested by the CDR consumer.
(6)
A CDR representative principal contravenes this subrule if its CDR representative makes:
(a)
the giving of an insight disclosure consent; or
(b)
the specification of a particular person for the purposes of paragraph (3)(a);
a condition for supply of the goods or services requested by the CDR consumer.
Note: This subrule is a civil penalty provision (see rule 9.8).
(7)
To avoid doubt, paragraphs (4)(a), (5)(a) and (6)(a) do not apply where the only good or service that is requested by the CDR consumer is for CDR data to be collected from a data holder and CDR insights disclosed in accordance with the insight disclosure consent.

Consents in relation to CDR representatives
(8)
For an accredited person with a CDR representative, a consent given by a CDR consumer under these rules to the CDR representative for the accredited person to collect particular CDR data from a CDR participant for that CDR data and disclose it to the CDR representative is also a collection consent.
CDR business consumers
(9)
For these rules, a CDR consumer is taken to be a CDR business consumer in relation to a consumer data request to be made by an accredited person if the accredited person has taken reasonable steps to confirm that:
(a)
the CDR consumer is not an individual; or
(b)
the CDR consumer has an active ABN.
(10)
For these rules, a business consumer statement is a statement made by a CDR business consumer that:
(a)
is given in relation to a consent in one of the following categories:
(i)
use consents relating to the goods or services requested by the CDR business consumer;
(ii)
TA disclosure consents;
(iii)
insight disclosure consents;
(iv)
business consumer disclosure consents; and
(b)
certifies that the consent is given for the purpose of enabling the accredited person to provide goods or services to the CDR business consumer in its capacity as a business (and not as an individual).
Note: Only an accredited person is able to deal with a CDR consumer in the CDR consumer’s capacity as a CDR business consumer, and is hence able to invite a CDR consumer to provide a business consumer statement.
(11)
For these rules, a business consumer disclosure consent in relation to particular CDR data of a CDR business consumer held by an accredited data recipient is a disclosure consent given by the CDR business consumer under these rules that:
(a)
authorises the accredited data recipient to disclose the CDR data to a specified person; and
(b)
includes a business consumer statement.
(12)
An accredited person must not make:
(a)
the giving of a business consumer disclosure consent; or
(b)
the giving of a business consumer statement; or

(c)
the specification of a particular person for the purposes of paragraph (11)(a);
a condition for supply of the goods or services requested by the CDR business consumer.
Note: This subrule is a civil penalty provision (see rule 9.8).
(13)
To avoid doubt, paragraphs (12)(a) and (b) do not apply where the only good or service that is requested by the CDR business consumer is for CDR data to be collected from a data holder and provided to a specified person.

(14)
An accredited person may not deal with a person in their capacity as a CDR business consumer before the earlier of the following:
(a)
if the Data Standards Chair makes data standards about the matters referred to in both of subparagraphs 8.11(1)(a)(iv) and subparagraph 8.11(1)(c)(vi) before 1 December 2023—the day on which the last of those standards is made;
(b)
1 December 2023.
Note: This subrule is a civil penalty provision (see rule 9.8).

1.10BMeaning of eligible

Note: Sector Schedules may add additional criteria for eligibility. See also:
•
for the banking sector and non-bank lenders sector—clause 2.1 of Schedule 3;
•
for the energy sector—clause 2.1 of Schedule 4.
(1)
A CDR consumer is eligible, in relation to a particular data holder at a particular time, if, at that time:
(a)
the CDR consumer is either:
(i)
an individual who is 18 years of age or older; or
(ii)
a person who is not an individual; and
(b)
the CDR consumer is an account holder or a secondary user for an account with the data holder that is open; and
(c)
any additional criteria set by the relevant sector Schedule for this subrule are met.
(2)
A CDR consumer is also eligible, in relation to a particular data holder at a particular time, if, at that time:
(a)
the CDR consumer is a partner in a partnership for which there is a partnership account with the data holder; and
(b)
the account is open; and
(c)
any additional criteria set by the relevant sector Schedule for this subrule are met.

1.10CTrusted advisers

(1)
An accredited person or CDR representative may invite a CDR consumer to nominate one or more persons as trusted advisers of the CDR consumer for the purposes of this rule.
(2)
A trusted adviser must belong to one of the following classes:
(a)
qualified accountants within the meaning of the Corporations Act 2001;
(b)
persons who are admitted to the legal profession (however described) and hold a current practising certificate under a law of a State or Territory that regulates the legal profession;
(c)
registered tax agents, BAS agents and tax (financial) advisers within the meaning of the Tax Agent Services Act 2009;
(d)
financial counselling agencies within the meaning of the Corporations Regulations 2001;
(e)
relevant providers within the meaning of the Corporations Act 2001 other than:
(i)
provisional relevant providers under section 910A of that Act; and
(ii)
limited‑service time‑sharing advisers under section 910A of that Act;
(f)
mortgage brokers within the meaning of the National Consumer Credit Protection Act 2009.
(3)
Where the accredited person or CDR representative has taken reasonable steps to confirm that a person nominated as a trusted adviser was, and remains, a member of a class mentioned in subrule (2), the person is taken to be a member of that class for the purposes of this rule.
(4)
The accredited person or CDR representative must not make:
(a)
the nomination of a trusted adviser; or
(b)
the nomination of a particular person as a trusted adviser; or
(c)
the giving of a TA disclosure consent;
a condition for supply of the goods or services requested by the CDR consumer.
(5)
To avoid doubt, paragraphs (4)(a) and (c) do not apply where the only good or service that is requested by the CDR consumer is for CDR data to be collected from a data holder and provided to a trusted adviser.

1.10DMeaning of sponsorship arrangement, sponsor and affiliate

(1)
A sponsorship arrangement is a written contract between a person with unrestricted accreditation (the sponsor) and another person (the affiliate), under which:
(a)
the sponsor agrees to disclose to the affiliate, in response to a consumer data request made by the affiliate in accordance with subrule 5.1B(2), CDR data that it holds as an accredited data recipient; and
(b)
the affiliate undertakes to provide the sponsor with such information and access to its operations as is needed for the sponsor to fulfil its obligations as a sponsor.
Note: A person does not need to have sponsored accreditation to enter into a sponsorship arrangement as an affiliate, but will need it to make the consumer data requests mentioned in paragraph (a)
(2)
A sponsorship arrangement may also provide for the sponsor to:
(a)
make consumer data requests at the request of the affiliate; or
(b)
use or disclose CDR data at the request of the affiliate.

Division 1.4General provisions relating to data holders and to accredited personsSubdivision 1.4.1Preliminary1.11Simplified outline of Division

This Division sets out:
•
general obligations of data holders which relate to product data requests and consumer data requests; and
•
general obligations for data holders and accredited persons to provide CDR consumers with consumer dashboards, which contain information relating to consumer data requests, and allow CDR consumers to manage consents and authorisations, under these rules.

Subdivision 1.4.2Services for making requests under these rules1.12Product data request service

(1)
A data holder must provide an online service that:
(a)
can be used to make product data requests in relation to data that it holds; and
(b)
enables requested data to be disclosed in machine‑readable form; and
(c)
conforms with the data standards.
Note 1: See rule 2.3 for the meaning of “product data request”.
Note 2: This subrule is a civil penalty provision (see rule 9.8).
Note 3: For the energy sector, this rule is modified by clause 4.2 of Schedule 4.
(2)
Such a service is a product data request service.

1.13Consumer data request service

(1)
A data holder must provide:
(a)
an online service that:
(i)
can be used by eligible CDR consumers to make consumer data requests directly to the data holder; and
(ii)
allows a request to be made in a manner that is no less timely, efficient and convenient than any of the online services that are ordinarily used by customers of the data holder to deal with it; and
(iii)
enables requested data to be disclosed in human‑readable form; and
(iv)
sets out any fees for disclosure of voluntary consumer data; and
(v)
conforms with the data standards; and
(b)
an online service that:
(i)
can be used by accredited persons to make consumer data requests, on behalf of eligible CDR consumers, to the data holder; and
(ii)
enables requested data to be disclosed in machine‑readable form; and
(iii)
conforms with the data standards; and
(c)
for each eligible CDR consumer that is not an individual—a service that can be used to:
(i)
nominate one or more individuals 18 years of age or older (nominated representatives) who are able to give, amend and withdraw authorisations to disclose CDR data for the purposes of these rules on behalf of the CDR consumer; and
(ii)
withdraw such a nomination; and
(d)
for each partnership that relates to a partnership account with the data holder—a service that can be used to:
(i)
nominate one or more individuals 18 years of age or older (nominated representatives) who are able to give, amend and withdraw authorisations to disclose CDR data that relate to the partnership accounts of that partnership for the purposes of these rules on behalf of the CDR consumers who are its partners; and
(ii)
withdraw such a nomination; and
(e)
in relation to each account in relation to which a person has account privileges―a service that can be used by the account holder to:
(i)
make a secondary user instruction; and
(ii)
withdraw the instruction.
Note 1: See rule 3.3 for the meaning of “consumer data request” in relation to a request made by a CDR consumer directly to a data holder.
Note 2: See rule 4.4 for the meaning of “consumer data request” in relation to a request made by an accredited person to a data holder on behalf of a CDR consumer.
Note 3: In the circumstances of paragraphs (1)(c) and (d), a person or partnership that does not have a nominated representative will not be able to give or amend authorisations, or use the dashboard to manage authorisations (see subrule 1.15(2A)), and accordingly, the data holder will be neither required nor permitted to disclose the requested CDR data under these rules.
Note 4: To avoid doubt, a service may be offered in an online form even if this subrule does not require it to be an online service.
Note 5: This subrule is a civil penalty provision (see rule 9.8).
(2)
The service referred to in paragraph (1)(a) is the data holder’s direct request service.
(3)
The service referred to in paragraph (1)(b) is the data holder’s accredited person request service.
(4)
A data holder does not contravene subrule (1) in relation to subparagraph (1)(a)(ii) so long as it takes reasonable steps to ensure that the online service complies with that subparagraph.

Subdivision 1.4.3Services for managing consumer data requests made by accredited persons1.14Consumer dashboard – accredited person

(1)
Subject to subrule (5), an accredited person must provide each eligible CDR consumer on whose behalf the accredited person makes a consumer data request with an online service that:
(a)
can be used by the CDR consumer to manage:
(i)
such requests; and
(ii)
associated consents; and
(b)
contains the details of each consent specified in subrule (3) and the information specified in subrule (3A); and
(c)
allows the CDR consumer, at any time, to withdraw a current consent; and
(d)
as part of the process of withdrawing a consent, displays a message, in accordance with the data standards, about the consequences of proceeding with withdrawing a consent; and
(e)
allows the CDR consumer to elect that redundant data be deleted in accordance with these rules and be able to withdraw such an election; and
(f)
is simple and straightforward to use; and
(g)

is prominently displayed and readily accessible to the CDR consumer.
Note: This subrule is a civil penalty provision (see rule 9.8).
(2)
Such a service is the accredited person’s consumer dashboard for that consumer.
(2A)
The consumer dashboard may also allow a CDR consumer to amend a current consent.
(3)
For paragraph (1)(b), the information is the following for each consent:
(a)
details of the CDR data to which the consent relates;
(b)
for a use consent―details of the specific use or uses for which the CDR consumer has given their consent;
(c)
when the CDR consumer gave the consent;
(d)
whether the consent applies:
(i)
on a single occasion; or
(ii)
over a period of time;
(e)
if a collection consent or disclosure consent applies over a period of time:
(i)
what that period is; and
(ii)
how often data has been, and is expected to be, collected or disclosed over that period;
(ea)
for an insight disclosure consent—a description of the CDR insight and to whom it was disclosed;
(eb)
if a business consumer statement has been given in relation to the consent—that fact;
(f)
if the consent is current—when it is scheduled to expire;
(g)
if the consent is not current—when it expired;
(h)
information relating to CDR data that was collected or disclosed pursuant to the consent (see rules 7.4 and 7.9);
(ha)
if the accredited person is an affiliate and the CDR data will be collected by a sponsor at its request:
(i)
the sponsor’s name; and
(ii)
the sponsor’s accreditation number;
(i)
details of each amendment (if any) that has been made to the consent.
Note 1: For paragraph (f), consents expire at the latest 12 months (or 7 years for certain consents by a CDR business consumer) after they are given or, in some circumstances, amended: see paragraph 4.14(1)(c).
Note 2: For limits on the specific uses that are possible, see the data minimisation principle (rule 1.8).
Note 3: The consumer dashboard could contain other information too, for example, the written notices referred to in rule 7.15 (which deals with correction requests under privacy safeguard 13, section 56EP of the Act).
(3A)
For paragraph (1)(b), the other information is:
(a)
a statement that the CDR consumer is entitled to request further records in accordance with rule 9.5; and
(b)
information about how to make such a request.
(4)
An accredited person does not contravene paragraph (1)(f) if the accredited person takes reasonable steps to ensure that the online service complies with that paragraph.
Dashboard in relation to CDR representative
(5)
Where a CDR representative principal makes a consumer data request at the request of a CDR representative, it may arrange for the CDR representative to provide the consumer dashboard on its behalf.

1.15Consumer dashboard – data holder

(1)
If a data holder receives a consumer data request from an accredited person on behalf of a CDR consumer, the data holder must, in the circumstances specified in a sector Schedule, ensure that it provides the CDR consumer with an online service that:
(a)
can be used by the CDR consumer to manage authorisations to disclose CDR data in response to consumer data requests; and
(b)
contains the details of each authorisation to disclose CDR data specified in subrule (3); and
(ba)
contains any information in the data standards that is specified as information for the purposes of this rule; and
(bb)
contains any information on the Register of Accredited Persons that is specified as information for the purposes of this rule; and
(c)
allows the CDR consumer, at any time, to withdraw a current authorisation; and
(d)
as part of the process of withdrawing an authorisation, displays a message, in accordance with the data standards, about the consequences of proceeding with withdrawing an authorisation; and
(e)
is simple and straightforward to use, and is no more complicated to use than the process for giving the authorisation to disclose CDR data; and
(f)
is prominently displayed and readily accessible to the CDR consumer; and
(g)
contains any other details, and does anything else, required by these rules.
Note 1: This subrule is a civil penalty provision (see rule 9.8).
Note 2: The circumstances are specified in the following provisions of the sector Schedules:
•
for the banking sector and non-bank lenders sector—clause 2.3 of Schedule 3;
•
for the energy sector—clause 2.3 of Schedule 4.
(2)
Such a service is the data holder’s consumer dashboard for that consumer.
Note: If the consumer data request relates to a joint account, there may be an obligation to provide all joint account holders with consumer dashboards: see rule 4A.13.
(2A)
For subrule (1), the online service must allow only nominated representatives to manage authorisations in the following circumstances:
(a)
where the CDR consumer is not an individual;
(b)
where the CDR data relates to a partnership account.
(3)
For paragraph (1)(b) and paragraph (5)(a), the information is the following for each authorisation:
(a)
details of the CDR data that has been authorised to be disclosed;
(b)
when the CDR consumer gave the authorisation;
(c)
the period for which the CDR consumer gave the authorisation;
(d)
if the authorisation is current—when it is scheduled to expire;
(e)
if the authorisation is not current—when it expired;
(f)
information relating to CDR data that was disclosed pursuant to the authorisation (see rule 7.9);
(g)
for a disclosure of CDR data that relates to the authorisation but that was pursuant to a request under subsection 56EN(4) of the Act—that fact;
(h)
details of each amendment (if any) that has been made to the authorisation.
Note 1: For paragraph (d), authorisations to disclose CDR data expire at the latest 12 months after they are given: see paragraph 4.26(1)(e).
Note 2: The consumer dashboard could contain other information too, for example, the written notice referred to in rules 7.10 (which deals with quality of CDR data under privacy safeguard 11, section 56EN of the Act) and 7.15 (which deals with correction requests under privacy safeguard 13, section 56EP of the Act).
(3A)
Paragraph (3)(h) applies on and after 1 July 2024.
(4)
A data holder does not contravene paragraph (1)(e) if the data holder takes reasonable steps to ensure that the online service complies with the paragraph.
Secondary users
(5)
If the CDR consumer is a secondary user for an account, the data holder must also provide the account holder with an online service that:
(a)
for each authorisation to disclose CDR data given by the secondary user—contains the details specified in subrule (3); and
(b)
allows the account holder, at any time, to withdraw the secondary user instruction; and
(c)
as part of the process of withdrawing a secondary user instruction, displays a message, in accordance with the data standards, about the consequences of proceeding with withdrawing a secondary user instruction; and
(d)
is simple and straightforward to use, and is no more complicated to use than the processes for giving the authorisation or instruction; and
(e)
is prominently displayed and readily accessible to the account holder.
Note: This subrule is a civil penalty provision (see rule 9.8).
(6)
A data holder does not contravene paragraph (5)(d) if the data holder takes reasonable steps to ensure that the online service complies with the paragraph.
(7)
If the data holder provides a consumer dashboard for the account holder, the service mentioned in subrule (5) must be included in the consumer dashboard.
Note: This subrule is a civil penalty provision (see rule 9.8).

Subdivision 1.4.4Other obligations of accredited persons1.16Obligations relating to outsourcing arrangements

OSPs of accredited person
(1)
If an accredited person is the OSP chain principal of one or more direct or indirect OSPs, it must ensure that each direct and indirect OSP complies with its requirements under the relevant CDR outsourcing arrangement.
(2)
The accredited person breaches this subrule if a direct OSP or indirect OSP of the accredited person fails to comply with a required provision of the relevant CDR outsourcing arrangement.
Note: This subrule is a civil penalty provision (see rule 9.8).
OSPs of CDR representative of accredited person
(3)
If an accredited person is the CDR representative principal in a CDR representative arrangement under which it permits the CDR representative to engage direct or indirect OSPs, it must ensure that each such direct and indirect OSP complies with its requirements under the relevant CDR outsourcing arrangement.
(4)
The accredited person breaches this subrule if a direct OSP or indirect OSP of the CDR representative fails to comply with a required provision of the relevant CDR outsourcing arrangement.
Note: This subrule is a civil penalty provision (see rule 9.8).
Accredited person acting as OSP for another accredited person
(5)
If an accredited person collects CDR data on behalf of another accredited person (the principal) as a direct or indirect OSP:
(a)
rules 7.4 and 7.9 apply only in relation to the principal; and
(b)
paragraph 7.10(1)(a) requires the principal to be identified.
Meaning of required provision
(6)
For this rule, a provision of a CDR outsourcing arrangement is a required provision if the arrangement would cease to be a CDR outsourcing arrangement under subrule 1.10(3) if the provision were removed.

1.16AObligations relating to CDR representative arrangements

Compliance with CDR representative arrangement
(1)
If an accredited person is the CDR representative principal in a CDR representative arrangement, it must ensure that the CDR representative complies with its requirements under the arrangement.
(2)
The accredited person breaches this subrule if the CDR representative:
(a)
fails to comply with a provision required to be included in the CDR representative arrangement by subrule 1.10AA(1), (3) or (4), or takes or omits to take action which would constitute a failure to comply with such a provision even if it is not included in the CDR representative arrangement; or
(b)
does one of the things referred to in subrule 1.10AA(2) in circumstances where the CDR representative arrangement does not provide for the CDR representative to do that thing.
Note: This subrule is a civil penalty provision (see rule 9.8).
Compliance with Division 4.3A
(3)
The accredited person must ensure that the CDR representative complies with Division 4.3A.
(4)
The accredited person breaches this subrule if the CDR representative fails to comply with a provision of Division 4.3A.
Note: This subrule is a civil penalty provision (see rule 9.8).

Subdivision 1.4.5Deletion and de-identification of CDR data1.17CDR data de-identification process

(1)
This rule sets out the CDR data de‑identification process for particular CDR data (the relevant data).
Note: This process is applied by an accredited data recipient when de‑identifying CDR data in accordance with a consent from a CDR consumer (see Subdivision 4.3.3) and when de‑identifying redundant data for the purposes of privacy safeguard 12 (see rule 7.12).
(2)
First, the accredited data recipient must consider whether, having regard to the following:
(a)
the DDF;
(b)
the techniques that are available for de‑identification of data;
(c)
the extent to which it would be technically possible for any person to be once more identifiable, or reasonably identifiable, after de‑identification in accordance with such techniques;
(d)
the likelihood (if any) of any person once more becoming so identifiable, or reasonably identifiable from the data after de‑identification;
it would be possible to de‑identify the relevant data to the extent (the required extent) that no person would any longer be identifiable, or reasonably identifiable, from:
(e)
the relevant data after the proposed de‑identification; and
(f)
other information that would be held, following the completion of the de‑identification process, by any person.
(3)
If this is possible, the accredited data recipient must:
(a)
determine the technique that is appropriate in the circumstances to de‑identify the relevant data to the required extent; and
(b)
apply that technique to de‑identify the relevant data to the required extent; and
(c)
delete, in accordance with the CDR data deletion process, any CDR data that must be deleted in order to ensure that no person is any longer identifiable, or reasonably identifiable, from the information referred to in paragraphs (2)(e) and (f); and
(d)
as soon as practicable, make a record to evidence the following:
(i)
its assessment that it is possible to de‑identify the relevant data to the required extent;
(ii)
that the relevant data was de‑identified to that extent;
(iii)
how the relevant data was de‑identified, including records of the technique that was used;
(iv)
any persons to whom the de‑identified data is disclosed.
(4)
If this is not possible, the accredited data recipient must delete the relevant data and any CDR data directly or indirectly derived from it in accordance with the CDR data deletion process.
Note: For the CDR data deletion process, see rule 1.18.
(5)
For this rule, the DDF is The De‑Identification Decision‑Making Framework published by the Office of the Australian Information Commissioner and Data61, as in force from time to time.
Note: The De‑Identification Decision‑Making Framework could in 2023 be downloaded from Data61’s website ( level="5">1.17AIdentification of otherwise redundant data that is not to be deleted
(1)
Where the accredited data recipient has identified CDR data as redundant, it must identify whether any of the following provisions of the Act apply to the CDR data:
(a)
paragraphs 56BAA(2)(a), (b) or (c) of the Act (deletion request by consumer);
(b)
paragraphs 56EO(2)(b) or (c) of the Act (privacy safeguard 12).
(2)
Where one of those provisions applies, the accredited person must retain the CDR data while that provision applies.
(3)
For the purposes of paragraph 56BAA(2)(c) of the Act, in relation to CDR data of a CDR consumer, the person may:
(a)
request the CDR consumer to state whether or not proceedings of the kind mentioned in that paragraph are current or anticipated; and
(b)
rely on that statement.
1.18CDR data deletion process
For these rules, the CDR data deletion process in relation to a person that holds CDR data that is to be deleted consists of the following steps:
(a)
delete, to the extent reasonably practicable, that CDR data and any copies of that CDR data;
(b)
make a record to evidence the deletion; and
(c)
where another person holds the CDR data on its behalf and will perform those steps—direct that person to notify it when those steps have been performed.
Note: The CDR data deletion process is to be followed whenever these rules require a person to delete CDR data.
Division 1.5Application of rules in relation to SR data
Note: The effect of this Division is that, from the point of view of a CDR consumer or an accredited person, the primary data holder for SR data is treated as if it were the relevant data holder: consumer data requests for the SR data are made to it; authorisations for disclosure are made to it; it is the entity that discloses or refuses to disclose the requested data; any complaints are made to it; it keeps the records that the CDR consumer can request under rule 9.5.
1.19Eligible CDR consumers in relation to secondary data holders
If a CDR consumer is eligible to make or initiate a consumer data request to a primary data holder for SR data, the CDR consumer is not also eligible to make or initiate a consumer data request for that data to the secondary data holder.
Note: As a result of this rule, a secondary data holder that only holds SR data is not required to provide request services under rule 1.13; however, it will be required to provide a service under subrule 1.20(2).
1.20Consumer data request service – primary data holders and secondary data holders
Primary data holders
(1)
Rule 1.13 (consumer data request service) applies in relation to a data holder for CDR data as if it were also a data holder for any SR data for which it is the primary data holder.
Secondary data holders
(2)
A secondary data holder in relation to SR data must provide an online service that:
(a)
can be used by the primary data holder to request from the secondary data holder any SR data needed to respond to an SR data request; and
(b)
enables the requested data to be disclosed to the primary data holder in machine‑readable form; and
(c)
conforms with the data standards.
Note: This subrule is a civil penalty provision (see rule 9.8).
1.21Consumer dashboard – SR data request
Rule 1.15 (provision of dashboard) applies in relation to an SR data request as if the primary data holder were the data holder for the requested SR data.
1.22SR data request by a CDR consumer
Note: This rule relates to Division 3.2.
(1)
This rule applies where a CDR consumer proposes to make an SR data request.
(2)
The request must be made to the primary data holder, using the primary data holder’s direct request service.
Dealing with the request
(3)
The primary data holder must, using the service mentioned in subrule 1.20(2) in accordance with the data standards, request the secondary data holder to disclose any SR data that the primary data holder needs in order to respond to the SR data request.
Note: This subrule is a civil penalty provision (see rule 9.8).
(4)
If the secondary data holder chooses to disclose the SR data requested to the primary data holder, it must do so in accordance with any relevant data standards.
Note: This subrule is a civil penalty provision (see rule 9.8).
(5)
If the secondary data holder chooses not to disclose the SR data requested to the primary data holder, it must notify the primary data holder of its refusal.
Note: This subrule is a civil penalty provision (see rule 9.8).
Responding to the request
(6)
Rule 3.4 (disclosing consumer data in response to a consumer data request) and rule 3.5 (refusal to disclose) apply as if the primary data holder were the data holder for any SR data covered by the SR data request.
(7)
Subrule 3.4(3) does not apply in relation to SR data that the secondary data holder has refused to disclose to the primary data holder.
1.23SR data request by an accredited person
Note: This rule relates to Subdivisions 4.2.2, 4.2.3 and 4.3.2 and Division 4.4.
(1)
This rule applies where an accredited person proposes to make an SR data request on behalf of a CDR consumer.
Making the request
(2)
The request must be made to the primary data holder, using the primary data holder’s accredited person request service.
Dealing with the request
(3)
Rule 4.5 (asking CDR consumer for authorisation to disclose CDR data) applies as if the primary data holder were the data holder for any SR data covered by the SR data request.
(4)
If the CDR consumer authorises disclosure of requested data, the primary data holder must, using the service mentioned in subrule 1.20(2) and in accordance with the data standards, request the secondary data holder to disclose any SR data that the primary data holder needs in order to respond to the SR data request.
Note: This subrule is a civil penalty provision (see rule 9.8).
(5)
If the secondary data holder chooses to disclose the SR data requested to the primary data holder, it must do so in accordance with any relevant data standards.
Note: This subrule is a civil penalty provision (see rule 9.8).
(6)
If the secondary data holder chooses not to disclose the SR data requested to the primary data holder, it must notify the primary data holder of its refusal.
Note: This subrule is a civil penalty provision (see rule 9.8).
Responding to the request
(7)
Subject to subrule (8), rule 4.6 (disclosing consumer data in response to a consumer data request) applies as if the primary data holder were the data holder for any SR data covered by the SR data request.
(8)
Subrule 4.6(4) does not apply in relation to SR data that the secondary data holder has refused to disclose to the primary data holder.
(9)
Rule 4.7 (refusal to disclose) applies as if the primary data holder were the data holder for any SR data covered by the SR data request.
Notification of withdrawal of consent
(10)
Rule 4.13 (withdrawal of consent) applies as if the primary data holder were the data holder for any SR data covered by the SR data request.

(iii)
AEMO data in relation to any such account; and
(b)
CDR data is neither required consumer data nor voluntary consumer data in relation to a consumer data request made by or on behalf of a particular person if the data is:
(i)
customer data in relation to any account holder or secondary user other than that person; or
(ii)
AEMO data in relation to premises other than premises covered by the relevant arrangement at the time to which the data relates.
(5)
In this clause, energy sector data is neither required consumer data nor voluntary consumer data in relation to a data holder that is not a retailer or AEMO.
Note: The effect of this provision is that an accredited person who becomes a data holder in relation to energy sector CDR data by the operation of subsection 56AJ(3) of the Act is not required to respond to a consumer data request for the data.
Exception to required consumer data―open accounts
(6)
Despite subclause (2), for an account that is open at a particular time, CDR data that relates to a transaction or event that occurred more than 2 years before that time is not required consumer data.
Note: As a result, such CDR data would be voluntary consumer data.
Exception to required consumer data―closed accounts
(7)
Despite subclause (2), for an account that is closed at a particular time, each of the following is not required consumer data:
(a)
CDR data held by AEMO, other than metering data;
(b)
CDR data held by a retailer, other than billing data; and
(c)
CDR data that is not excluded by paragraph (a) or (b), but relates to a transaction or event that occurred more than 2 years before that time.

Part 4Roles of AEMO and the energy sector agencies4.1AER and the Victorian agency may act on each other’s behalf

(1)
Where these rules require or permit one of the energy sector agencies to do any thing in relation to receiving or responding to product data requests (including the provision of a product data request service), the other agency may, at the first agency’s request, do the thing on behalf of the first agency.
(2)
In this clause, the energy sector agencies are the AER and the Victorian agency.

4.2Product data request service

(1)
Despite rule 1.12, a data holder of energy sector data, other than the AER and the Victorian agency, is not required to provide a product data request service.
(2)
However, if such a data holder chooses to provide an online service that can be used to make product data requests, the service must comply with rule 1.12.

4.3Meaning of SR data and primary data holder – energy sector

For these rules:
(a)
SR data, in relation to the energy sector, means AEMO data in relation to a CDR consumer; and
(b)
the primary data holder for the SR data is the relevant retailer.
Note: Paragraph (a) also makes AEMO the secondary data holder for the SR data.

4.4SR data must be obtained from AEMO

On receiving an SR data request under Part 3 or Part 4 of these rules, a retailer must request from AEMO, using the service mentioned in subrule 1.20(2), any SR data to be used in responding to the request
Note: AEMO is the secondary data holder for the SR data. This provision requires a retailer that happens to be the direct holder of any AEMO data that is subject to a consumer data request to ignore its data holding in responding to the request, and obtain the data from AEMO for that purpose.

4.5Civil penalties do not apply

A civil penalty imposed by these rules for a breach of a provision of these rules, including one imposed by rule 9.8 by declaring the relevant provision to be a civil penalty provision, does not apply in relation to AEMO, the AER or the Victorian agency in relation to energy sector data.

Part 5—Dispute resolutionenergy sector

Note: See the definitions of “meet the internal dispute resolution requirements” and “meet the external dispute resolution requirements” in subrule 1.7(1). See also paragraphs 5.12(b) and (c) of these rules, and rules 6.1 and 6.2.

5.1Meeting internal dispute resolution requirements – energy sector

Accredited persons
(1)
For the energy sector, an accredited person, other than an accredited person that is also a retailer, meets the internal dispute resolution requirements if its internal dispute resolution processes comply with provisions of Regulatory Guide 271 that deal with the following:
(a)
standards that its internal dispute resolution procedures or processes must meet regarding the following:
(i)
commitment and culture;
(ii)
the enabling of complaints;
(iii)
resourcing;
(iv)
responsiveness;
(v)
objectivity and fairness;
(vi)
policy and procedures;
(vii)
data collection, analysis and internal reporting;
(viii)
continuous improvement;
(b)
outsourcing internal dispute resolution processes;
(c)
acknowledgement of complaint;
(d)
what an internal dispute resolution response must contain;
(e)
maximum timeframes for an internal dispute resolution response;
(f)
internal dispute resolution response requirements for multi‑tier internal dispute resolution processes;
(g)
the role of customer advocates;
(h)
establishing links between internal dispute resolution processes and external dispute resolution;
(i)
systemic issues.
Data holders
(2)
For the energy sector, a retailer (including a retailer that is also an accredited person) meets the internal dispute resolution requirements if its internal dispute resolution processes satisfy the applicable requirements for the retailer’s standard complaints and dispute resolution procedures under the National Energy Retail Law or the Energy Retail Code (Victoria).
(3)
Part 6 does not apply in relation to the AER, the Victorian agency or AEMO, in their capacity as data holders in the energy sector.
Definition
(4)
In this clause:
Regulatory Guide 271 means Regulatory Guide 271 published by the Australian Securities & Investments Commission, as in force from time to time and applied as if:
(a)
references to complaints were references to CDR consumer complaints; and
(b)
references to financial firms and financial service providers were references to CDR participants.
Note: Regulatory Guide 271 could in 2023 be accessed from the Australian Securities & Investments Commission’s website ( level="5">5.2Meeting external dispute resolution requirements – energy sector
Note: Schemes operated by the Australian Financial Complaints Authority Limited and the energy and water ombudsman of each State and Territory are recognised as external dispute resolution schemes for section 56DA of the Act.
How accredited persons and retailers meet the external dispute resolution requirements
(1)
For the energy sector, persons of the following kinds meet the external dispute resolution requirements in the circumstances indicated:
(a)
an accredited person that is not a retailer—if it is an AFCA member;
(b)
a retailer that is not an accredited person—if it is an EWO member;
(c)
an accredited person that is also a retailer, but not a limited retailer—if it is both an AFCA member and an EWO member;
(d)
an accredited person that is also a limited retailer—if it is an EWO member.
Meaning of AFCA member
(2)
In this clause, a retailer or an accredited person is an AFCA member if it is a member of the recognised external dispute resolution scheme operated by the Australian Financial Complaints Authority Limited for the energy sector.
Meaning of EWO member
(3)
In this clause, a retailer or accredited person is an EWO member if, in each relevant jurisdiction:
(a)
if the jurisdiction has an energy and water ombudsman recognised in accordance with section 56DA of the Act—the retailer is a member of the external dispute resolution scheme operated by that ombudsman in relation to CDR consumer complaints; and
(b)
otherwise—the retailer has taken the necessary steps to participate in the dispute resolution process provided by the jurisdiction that is appropriate for CDR consumer complaints.
Meaning of limited retailer
(4)
A retailer is a limited retailer if:
(a)
it uses any energy sector CDR data that it collects only in order to provide goods or services within the energy sector; and
(b)
it does not use non‑energy sector CDR data that it collects in order to provide goods or services outside the energy sector.
Part 6—Privacy safeguardsenergy sector6.1Responding to correction request (rule 7.15)
(1)
This clause applies to a retailer that receives a request under subsection 56EP(1) or (2) of the Act that relates to AEMO data.
(2)
In relation to the AEMO data, rule 7.15 applies as if paragraphs (b) and (c) were replaced by the following:
“ (b)
as soon as practicable:
(i)
initiate the relevant correction procedures under the National Electricity Rules in relation to any NMI standing data or metering data for which correction is requested; and
(ii)
if the request relates to DER register data, provide the requester with information about how the requester can contact the distributor to have the data corrected.”.
Part 7—Reporting and record keepingenergy sector7.1Reporting requirements (rule 9.4)
Rule 9.4 applies to AER and the Victorian agency as if subrule 9.4(1) were replaced by the following, referring to either as “the Agency”:
“(1)
The Agency must prepare a report for each reporting period that:
(a)
is in the form approved by the Commission for the purposes of this rule; and
(b)
sets out the number (if any) of product data requests received by the Agency during the reporting period; and
(c)
sets out:
(i)
the number of times the Agency refused to disclose CDR data; and
(ii)
the rule or data standard relied upon to refuse to disclose that data; and
(iii)
the number of times the Agency has relied on each of those rules or data standards as a ground of refusal.”.
Part 8Staged application of these rules to the energy sector8.1Interpretation
In this Part:
complex request means a consumer data request that:
(a)
is made on behalf of a large customer; or
(b)
is made on behalf of a secondary user; or
(c)
relates to a joint account or a partnership account; or
(d)
is made on behalf of a CDR consumer who has a nominated representative.
initial retailer has the meaning given by clause 8.2.
large customer means a CDR consumer that is:
(a)
in relation to a retailer that is subject to the Electricity Industry Act 2000 (Vic)—a customer that is not a relevant customer for the purposes of that Act; or
(b)
otherwise—a large customer for the purposes of the National Energy Retail Law.
larger retailer has the meaning given by clause 8.3.
small retailer means a retailer that is not either an initial retailer or a larger retailer.
tranche 1 date means 15 November 2022.
tranche 1 (VA) date means a date specified by the Minister in a notifiable instrument made for the purposes of this definition.
tranche 2 date means 15 May 2023.
tranche 3 date means 1 November 2023.
tranche 4 date means 1 May 2024.
8.2Meaning of initial retailer
In this Schedule, initial retailer means any of the following:
The AGL Energy Group
(a)
AGL Sales (Queensland Electricity) Pty Limited – ABN 66 078 875 902;
(b)
AGL South Australia Pty Ltd – ABN 49 091 105 092;
(c)
AGL Sales Pty Limited – ABN 88 090 538 337;
The Origin Energy Group
(d)
Origin Energy Electricity Limited – ABN 33 071 052 287;
(e)
any other subsidiary of Origin Energy Limited authorised or licensed to sell electricity in the National Electricity Market;
The Energy Australia Group
(f)
EnergyAustralia Pty Ltd – ABN 99 086 014 968.
8.3Meaning of larger retailer
(1)
In this Part:
(a)
a retailer that had 10,000 or more small customers on the amendment day is a larger retailer; and
(b)
a retailer that had 10,000 or more small customers at all times during a financial year that begins on or after the amendment day is also a larger retailer on and from the day 12 months after the end of that financial year.
(2)
In this clause:
(a)
a person is a small customer of a retailer if the person is:
(i)
a domestic or small business customer of the retailer within the meaning given in section 3 of the Electricity Industry Act 2000 (Vic); or
(ii)
a small customer of the retailer within the meaning of section 5 of the National Energy Retail Law; and
(b)
the amendment day is the day on which Schedule 1 to the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2021 commenced.
8.4Product data requests under Part 2 of these rules
(2)
Part 2 of these rules applies to the AER on and from 1 October 2022.
(3)
Part 2 of these rules applies to the Victorian agency on and from the tranche 1 (VA) date.
8.5Consumer data requests under Part 3 of these rules
Part 3 of these rules does not apply in relation to energy sector data.
8.6Consumer data requests under Part 4 of these rules
Tranche 1 — 15 November 2022
(2)
Part 4 of these rules applies in relation to an initial retailer, except in relation to a complex request, on and from the tranche 1 date.
(3)
Part 4 of these rules applies to AEMO on and from the tranche 1 date.
Tranche 2 — 15 May 2023
(4)
Part 4 of these rules applies in relation to an initial retailer in relation to a complex request on and from the tranche 2 date.
Tranche 3 — 1 November 2023
(5)
Part 4 of these rules applies to a larger retailer, except in relation to a complex request, on and from the later of the tranche 3 date and the date that it becomes a larger retailer.
Tranche 4 —1 May 2024
(6)
Part 4 of these rules applies to a larger retailer in relation to a complex request on and from the later of:
(a)
the tranche 4 date; and
(b)
the day that is 6 months after the day that it became a larger retailer.
Application of Part 4 to small retailers that are accredited persons
(7)
Part 4 of these rules applies to a person who is both a small retailer and an accredited person, except in relation to a complex request, on and from the later of the day that is 12 months after:
(a)
the day that the person became an accredited person; and
(b)
the day that the person became a small retailer.
(8)
Part 4 of these rules applies to a person who is both a small retailer and an accredited person, in relation to a complex request, on and from the later of the day that is 18 months after:
(a)
the day that the person became an accredited person; and
(b)
the day that the person became a small retailer.
Voluntary application of Part 4 to small retailers
(9)
A small retailer may notify the Commission that it wishes Part 4 to apply to it:
(a)
except in relation to a complex request—on and from a specified date that is no earlier than the tranche 1 date; and
(b)
in relation to a complex request—on and from a specified date that is no earlier than the tranche 2 date.
(10)
Subject to subclauses (7) and (8), Part 4 applies in relation to the small retailer, in accordance with the request, on and from the dates so specified.
8.7Authorisation to disclose CDR data before being required to do so
(1)
This clause applies in relation to a request for disclosure of CDR data that has been made to a retailer in accordance with Part 2, Part 3 or Part 4 of these rules (the relevant data request Part) if:
(b)
the requested CDR data is any of the following:
(i)
required product data;
(ii)
voluntary product data;
(iii)
required consumer data;
(iv)
voluntary consumer data; and
(c)
the requested CDR data includes some pre‑application CDR data.
(2)
For these rules, the retailer may disclose any or all of the pre‑application CDR data in response to the request in accordance with the relevant data request Part.
(3)
In this clause, pre‑application CDR data means CDR data that, but for the operation of this Part, the data holder would be required or authorised by the relevant data request Part to disclose in response to the request.
Part 9Other rules, and modifications of these rules, for the energy sector9.1Laws relevant to the management of CDR data – energy sector
For paragraph (f) of the definition of “law relevant to the management of CDR data” in rule 1.7 of these rules:
(a)
the National Electricity Law; and
(b)
the National Energy Retail Law; and
(c)
the Electricity Industry Act 2000 (Vic);
are laws relevant to the management of CDR data in relation to the energy sector.
9.2Conditions for accredited person to be data holder
(1)
For paragraph 56AJ(4)(c) of the Act, this clause sets out conditions for a person that has collected CDR data in accordance with a consumer data request under Division 4.3 of these rules to be a data holder (rather than an accredited data recipient) of that CDR data and any CDR data that it directly or indirectly derived from that CDR data (together, the relevant CDR data).
(2)
The conditions are that:
(a)
the person is a retailer; and
(b)
the CDR data is information covered by item 1, 3 or 5 of the table in section 12 of the of the energy sector designation instrument; and
Note: These are the types of information for which a retailer is designated as a data holder under the designation instrument.
(c)
the CDR consumer is a customer of the person; and
(d)
the person:
(i)
reasonably believes that the relevant CDR data is relevant to the arrangement with the CDR consumer; and
(ii)
has asked the CDR consumer to agree to the person being a data holder, rather than an accredited data recipient, of the relevant CDR data; and
(iii)
has explained to the CDR consumer:
A)
that, as a result, the privacy safeguards, to the extent that they apply to an accredited data recipient of CDR data, would no longer apply to the person in relation to the relevant CDR data; and
(B)
that the privacy safeguards applicable to a data holder will instead apply to the person in relation to the relevant CDR data; and
(C)
the manner in which the person proposes to treat the relevant CDR data; and
(D)
why the person is entitled to provide the CDR consumer with this option; and
(iv)
has outlined the consequences, to the CDR consumer, of not agreeing to this; and
(e)
the CDR consumer has agreed to the person being a data holder, rather than an accredited data recipient, of the relevant CDR data.
Related modifications of these rules
(3)
If a person becomes a data holder, rather than an accredited data recipient, of CDR data as a result of subsection 56AJ(4) of the Act and this clause:
(b)
for paragraph 4.26(1)(h) of these rules, any authorisations to disclose CDR data in relation to the consumer data request expire; and
(c)
if the person’s accreditation has been surrendered or revoked, the following do not apply to the person in relation to that CDR data:
(i)
subrule 5.23(2);
(ii)
paragraph 5.23(3)(b).
9.3Consultation by Data Recipient Accreditor (rule 5.4)
For paragraph 5.4(1)(c), the AER and the Essential Services Commission of Victoria are specified as authorities that the CDR Accreditor may consult with.
9.4AEMO not to appear on Registrar’s database (rule 5.25)
For the purposes of subrule 5.25(1), AEMO is not to be treated as a data holder.
Note: The function of the database to be maintained under subrule 5.25(1) is to provide information for the making of consumer data requests to data holders. Since requests for AEMO data will be made to the relevant retailer, the database will not require details relating to AEMO.
9.5Grounds for revocation, suspension and surrender of accreditation – energy sector
For item 5 of the table in rule 5.17:
(a)
the relevant condition is that the accredited person was, at the time of the accreditation, a retailer; and
(b)
the accredited person ceases to satisfy the condition if its authorisation or licence to sell electricity in the National Electricity Market has been suspended or revoked.
Endnotes
Endnote 1About the endnotes
The endnotes provide information about this compilation and the compiled law.
The following endnotes are included in every compilation:
Endnote 1—About the endnotes
Endnote 2—Abbreviation key
Endnote 3—Legislation history
Endnote 4—Amendment history
Abbreviation key—Endnote 2
The abbreviation key sets out abbreviations that may be used in the endnotes.
Legislation history and amendment history—Endnotes 3 and 4
Amending laws are annotated in the legislation history and amendment history.
The legislation history in endnote 3 provides information about each law that has amended (or will amend) the compiled law. The information includes commencement details for amending laws and details of any application, saving or transitional provisions that are not included in this compilation.

The amendment history in endnote 4 provides information about amendments at the provision (generally section or equivalent) level. It also includes information about any provision of the compiled law that has been repealed in accordance with a provision of the law.

Misdescribed amendments

A misdescribed amendment is an amendment that does not accurately describe how an amendment is to be made. If, despite the misdescription, the amendment can be given effect as intended, then the misdescribed amendment can be incorporated through an editorial change made under section 15V of the Legislation Act 2003.

If a misdescribed amendment cannot be given effect as intended, the amendment is not incorporated and “(md not incorp)” is added to the amendment history.Endnote 2Abbreviation key

ad = added or inserted	orig = original
am = amended	par = paragraph(s)/subparagraph(s)
amdt = amendment	/sub‑subparagraph(s)
c = clause(s)	pres = present
C[x] = Compilation No. x	prev = previous
Ch = Chapter(s)	(prev…) = previously
def = definition(s)	Pt = Part(s)
Dict = Dictionary	r = regulation(s)/rule(s)
disallowed = disallowed by Parliament	reloc = relocated
Div = Division(s)	renum = renumbered
exp = expires/expired or ceases/ceased to have	rep = repealed
effect	rs = repealed and substituted
F = Federal Register of Legislation	s = section(s)/subsection(s)
gaz = gazette	Sch = Schedule(s)
LA = Legislation Act 2003	Sdiv = Subdivision(s)
LIA = Legislative Instruments Act 2003	SLI = Select Legislative Instrument
(md not incorp) = misdescribed amendment	SR = Statutory Rules
cannot be given effect	Sub‑Ch = Sub‑Chapter(s)
mod = modified/modification	SubPt = Subpart(s)
No. = Number(s)	underlining = whole or part not
o = order(s)	commenced or to be commenced
Ord = Ordinance

Endnote 3Legislation history

Name	Registration	Commencement	Application, saving and transitional provisions
Competition and Consumer (Consumer Data Right) Rules 2020	5 February 2020 (F2020L00094)	6 February 2020	—
Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2020	18 June 2020 (F2020L00757)	19 June 2020	—
Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2020	1 October 2020 (F2020L01278)	2 October 2020	—
Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020	22 December 2020 (F2020L01688)	23 December 2020	Schedule 1, item 105
Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2021	5 October 2021 (F2021L01392)	Sch 1: 1 February 2022 (s 2(1) item 2) Sch 2 and Sch 6 (items 1–3, 15, 18, 19): 19 October 2021 (s 2(1) items 3, 5) Remainder: 6 October 2021 (s 2(1) items 1, 4, 6, 7)	Schedule 7
Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2021	15 November 2021 (F2021L01561)	16 November 2021 (s 2(1))	—
Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2023	21 July 2023 (F2023L01027)	22 July 2023 (s 2(1))	—
Competition and Consumer (Consumer Data Right) Amendment (2024 Measures No. 1) Rules 2024	11 November 2024 (F2024L01409)	12 November 2024	—
Competition and Consumer (Consumer Data Right) Amendment (2025 Measures No. 1) Rules 2025	3 March 2025 (F2025L00272)	4 March 2025	—

Endnote 4Amendment history

Provision affected	How affected
Part 1
Division 1.1
r 1.2	rep LA s 48D
Division 1.2
r 1.4	am F2020L01688; F2021L01561; F2024L01409; F2025L00272
r 1.6	am F2020L01278, F2020L01688; F2021L01392; F2021L01561; F2023L01027; F2024L01409; F2025L00272
r 1.6A	ad F2025L00272
Division 1.3
r 1.7	am F2020L00757, F2020L01278, F2020L01688; F2021L01392; F2021L01561; F2023L01027; F2024L01409; F2025L00272
ed C8
r 1.8	am F2020L01688
rs F2023L01027
am F2024L01409
r 1.9	am F2020L01688; F2023L01027
r 1.10	rs F2020L01278
am F2021L01392
rs F2023L01027
r 1.10AA	ad F2021L01392
rs F2023L01027
am F2024L01409
r 1.10A	ad F2020L01688
am F2021L01392; F2024L01409
rs F2023L01027
r 1.10B	ad F2021L01561 am F2025L00272
r 1.10C	ad F2021L01392
am F2023L01027; F2024L01409
r 1.10D	ad F2021L01392
am F2023L01027
Division 1.4
Subdivision 1.4.1
r 1.11	am F2020L01688; F2024L01409
Subdivision 1.4.2
r 1.12	am F2021L01561; F2025L00272
r 1.13	am F2020L00757, F2020L01688; F2021L01561; F2023L01027; F2024L01409
Subdivision 1.4.3
r 1.14	am F2020L01688; F2021L01392; F2023L01027; F2024L01409
r 1.15	rs F2020L01688
am F2021L01392; F2021L01561; F2023L01027; F2024L01409; F2025L00272
Subdivision 1.4.4
Subdivision 1.4.4 heading	am F2020L01688
r 1.16	rs F2020L01278
am F2021L01392
ed C4
rs F2023L01027
r 1.16A	ad F2021L01392
rs F2023L01027
am F2024L01409
Subdivision 1.4.5
r 1.17	am F2021L01392; F2023L01027
r 1.18	am F2020L01278, F2020L01688; F2021L01561
Division 1.5
Division 1.5	ad F2021L01561
r 1.19	ad F2021L01561
r 1.20	ad F2021L01561
r 1.21	ad F2021L01561
r 1.22	ad F2021L01561
am F2023L01027
ed C8
r 1.23	ad F2021L01561
am F2023L01027
ed C8
r 1.24	ad F2021L01561
r 1.25	ad F2021L01561
r 1.26	ad F2021L01561
Part 2
r 2.1	am F2021L01561; F2025L00272
r 2.3	am F2020L01688; F2021L01561; F2025L00272
r 2.4	am F2020L01688; F2021L01561; F2025L00272
Part 3
Division 3.1
r 3.1	am F2021L01392; F2025L00272
Division 3.2
r 3.3	am F2021L01561; F2025L00272
r 3.4	am F2021L01392; F2021L01561; F2025L00272
r 3.5	am F2020L00757; F2021L01392
Part 4
Division 4.1
Division 4.1	rs F2020L01688
r 4.1	am F2021L01392; F2023L01027; F2024L01409; F2025L00272
Division 4.2
Division 4.2 heading	am F2020L01688
Subdivision 4.2.1
Subdivision 4.2.1	ad F2020L01688
r 4.2	am F2023L01027; F2024L01409; F2025L00272
Subdivision 4.2.2
Subdivision 4.2.2 heading	ad F2020L01688
r 4.3	rs F2020L01688
am F2021L01392; F2023L01027; F2024L01409
r 4.3A	ad F2021L01392
am F2023L01027; F2024L01409
ed C8
r 4.3B	ad F2021L01392
am F2023L01027
r 4.3C	ad F2021L01392
am F2021L01561
rep F2023L01027
Subdivision 4.2.3
Subdivision 4.2.3 heading	ad F2020L01688
r 4.4	rs F2020L01688
am F2021L01392; F2023L01027; F2024L01409; F2025L00272
r 4.5	am F2020L01688; F2021L01561; F2025L00272
r 4.6	am F2020L01688; F2021L01392; F2021L01561; F2025L00272
r 4.6A	ad F2020L01688
am F2023L01027; F2024L01409
r 4.7	am F2020L00757; F2021L01392; F2021L01561; F2023L01027
Subdivision 4.2.4
Subdivision 4.2.4	ad F2020L01688
r 4.7A	am F2021L01392; F2023L01027; F2024L01409
r 4.7B	am F2021L01561; F2023L01027; F2025L00272
Division 4.3
Division 4.3 heading	am F2023L01027
Division 4.3	rs F2020L01688
Subdivision 4.3.1
r 4.8	rs F2023L01027
Subdivision 4.3.2
r 4.10	am F2021L01392; F2023L01027
rs F2024L01409
r 4.11	am F2021L01392; F2023L01027; F2024L01409; F2025L00272
r 4.12	am F2023L01027; F2024L01409
Subdivision 4.3.2A
r 4.12B	am F2023L01027; F2024L01409
r 4.12C	am F2023L01027; F2024L01409
Subdivision 4.3.2B
r 4.13	rs F2023L01027
Subdivision 4.3.2C
r 4.14	rs F2023L01027
r 4.15	am F2024L01409
Subdivision 4.3.4
r 4.16	am F2021L01392
rs F2023L01027
Subdivision 4.3.5
r 4.18	am F2023L01027
rs F2024L01409
r 4.18AA	ad F2023L01027
r 4.18A	am F2023L01027; F2024L01409
r 4.18B	rs F2023L01027
r 4.18C	rs F2023L01027
r 4.19	rs F2023L01027
r 4.20	am F2023L01027; F2024L01409
r 4.20A	ad F2021L01392
Division 4.3A
Division 4.3A	ad F2023L01027
Subdivision 4.3A.1
r 4.20B	ad F2023L01027
r 4.20C	ad F2023L01027
Subdivision 4.3A.2
r 4.20D	ad F2023L01027
rs F2024L01409
r 4.20E	ad F2023L01027
am F2024L01409; F2025L00272
r 4.20F	ad F2023L01027
am F2024L01409
Subdivision 4.3A.3
r 4.20G	ad F2023L01027
r 4.20H	ad F2023L01027
am F2024L01409
r 4.20I	ad F2023L01027
am F2024L01409
Subdivision 4.3A.4
r 4.20J	ad F2023L01027
Subdivision 4.3A.5
r 4.20K	ad F2023L01027
Subdivision 4.3A.6
r 4.20L	ad F2023L01027
Subdivision 4.3A.7
r 4.20M	ad F2023L01027
r 4.20N	ad F2023L01027
Subdivision 4.3A.8
r 4.20O	ad F2023L01027
rs F2024L01409
r 4.20P	ad F2023L01027
r 4.20Q	ad F2023L01027
am F2024L01409
r 4.20R	ad F2023L01027
r 4.20S	ad F2023L01027
r 4.20T	ad F2023L01027
r 4.20U	ad F2023L01027
am F2024L01409
Division 4.4
Division 4.4	rs F2020L01688
r 4.22A	am F2023L01027
r 4.23	am F2023L01027
r 4.25	rs F2023L01027
r 4.26	am F2023L01027
r 4.26A	ad F2023L01027
Part 4A
Part 4A	ad F2021L01392
Division 4A.1
r 4A.1	ad F2021L01392
r 4A.2	ad F2021L01392
r 4A.3	ad F2021L01392
Division 4A.2
r 4A.4	ad F2021L01392
r 4A.5	ad F2021L01392
r 4A.6	ad F2021L01392
r 4A.7	ad F2021L01392
r 4A.8	ad F2021L01392
Division 4A.3
Subdivision 4A.3.1
r 4A.9	ad F2021L01392
Subdivision 4A.3.2
r 4A.10	ad F2021L01392
r 4A.11	ad F2021L01392
r 4A.12	ad F2021L01392
r 4A.13	ad F2021L01392
am F2024L01409
r 4A.14	ad F2021L01392
r 4A.15	ad F2021L01392
Part 5
r 5.1	am F2025L00272
Division 5.2
Subdivision 5.2.1A
Subdivision 5.2.1A	ad F2021L01392
r 5.1A	ad F2021L01392
r 5.1B	ad F2021L01392
am F2023L01027; F2025L00272
Subdivision 5.2.1
r 5.2	am F2021L01392; F2023L01027; F2025L00272
Subdivision 5.2.2
r 5.3	am F2025L00272
r 5.4	am F2021L01561; F2023L01027; F2025L00272
r 5.5	am F2021L01392; F2021L01561; F2025L00272
r 5.6	am F2025L00272
r 5.7	am F2025L00272
r 5.8	am F2025L00272
r 5.10	am F2020L01688; F2025L00272
r 5.11	am F2025L00272
Subdivision 5.2.3
r 5.12	am F2020L01688; F2021L01392; F2021L01561; F2025L00272
rs F2023L01027
r 5.14	am F2021L01392; F2023L01027; F2025L00272
ed C8
r 5.15	am F2021L01392; F2025L00272
Subdivision 5.2.4
r 5.17	am F2020L00757; F2021L01392; F2021L01561; F2025L00272
ed C7
r 5.18	am F2020L00757; F2021L01392; F2025L00272
r 5.19	am F2025L00272
r 5.20	am F2025L00272
r 5.21	am F2025L00272
r 5.23	am F2023L01027
Division 5.3
r 5.24	am F2020L00757; F2021L01392; F2025L00272
r 5.25	am F2021L01561; F2025L00272
r 5.26	am F2025L00272
r 5.27	am F2023L01027
r 5.28	am F2025L00272
r 5.30	am F2020L00757; F2025L00272
r 5.33	ad F2020L01688
r 5.34	ad F2020L01688
Part 6
r 6.1	am F2021L01561; F2025L00272
rs F2023L01027
r 6.2	am F2021L01561; F2025L00272
rs F2023L01027
Part 7
Division 7.1
r 7.1	am F2023L01027
Division 7.2
Subdivision 7.2.1
r 7.2	am F2020L01278, F2020L01688; F2021L01392
rs F2021L01561
am F2021L01392; F2023L01027
rs F2024L01409
r 7.3	am F2021L01392; F2021L01561; F2023L01027
r 7.3A	ad F2021L01392
am F2023L01027
r 7.3B	ad F2023L01027
Subdivision 7.2.2
r 7.4	am F2020L01278, F2020L01688
rs F2021L01392
am F2023L01027
Subdivision 7.2.3
r 7.5	am F2020L01278, F2020L01688; F2021L01392
ed C4
am F2021L01561
rs F2023L01027
r 7.5A	ad F2020L01688
am F2021L01392
rs F2023L01027
r 7.6	am F2020L01278; F2021L01392
rs F2023L01027
r 7.8A	ad F2021L01392
am F2023L01027
r 7.8B	ad F2023L01027
r 7.9	am F2020L01278, F2020L01688; F2021L01392; F2023L01027
Subdivision 7.2.4
r 7.10	am F2020L01278, F2020L01688; F2023L01027
r 7.10A	ad F2021L01392
am F2023L01027
r 7.11	am F2021L01392; F2023L01027
r 7.12	am F2020L01278; F2021L01392
ed C5
am F2023L01027
Subdivision 7.2.5
r 7.15	am F2021L01561
r 7.16	ad F2021L01392
am F2023L01027
Part 8
Division 8.1
r 8.1	am F2021L01561
Division 8.2
Division 8.2 heading	am F2021L01561
r 8.2	rs F2021L01561
r 8.3	am F2021L01561
r 8.4	am F2021L01561; F2025L00272
r 8.5	am F2021L01561
r 8.6	am F2021L01561
r 8.7	am F2021L01561
Division 8.4
r 8.11	am F2020L01688; F2021L01392; F2021L01561; F2023L01027; F2024L01409
Part 9
r 9.2	am F2025L00272
Division 9.3
Subdivision 9.3.1
r 9.3	am F2020L01278, F2020L01688; F2021L01392; F2021L01561; F2023L01027; F2025L00272
r 9.4	am F2020L01688; F2021L01392
ed C5
am F2021L01561; F2023L01027
r 9.5	am F2020L01688; F2021L01392; F2023L01027
Subdivision 9.3.2
r 9.7	am F2020L01688; F2023L01027; F2025L00272
Division 9.4
r 9.8	am F2020L01278, F2020L01688
rs F2021L01392; F2021L01561; F2023L01027
am F2024L01409
Part 50	ad F2024L01409
Schedule 1
Part 2
c 2.1	am F2020L01688; F2021L01392; F2021L01561; F2023L01027; F2025L00272
c 2.2	ad F2021L01392
am F2023L01027
Schedule 2
Part 1
c 1.1	am F2023L01027
c 1.5	am F2021L01392
Part 2
c 2.1	am F2023L01027
c 2.2	am F2020L00757, F2020L01278; F2021L01392
Schedule 3
Schedule 3 heading	am F2025L00272
Part 1
Part 1	rs F2025L00272
Part 2
Part 2	rs F2025L00272
Part 3
Part 3	rs F2025L00272
Part 4
Part 4	rs F2020L01688
rep F2021L01392
Part 5
Part 5 heading	am F2023L01027 rs F2025L00272
Part 5	am F2023L01027
c 5.1	rs F2021L01561
am F2023L01027; F2025L00272
c 5.2	ad F2023L01027 rs F2025L00272
Part 6
Part 6	rs F2025L00272
Part 7
Part 7 heading	am F2025L00272
c 7.1A	ad F2025L00272
c 7.1	am F2025L00272
c 7.2	am F2020L01688; F2023L01027; F2024L01409; F2025L00272
c 7.5	ad F2021L01561
Part 8
Part 8	ad F2025L00272
Schedule 4
Schedule 4	ad F2021L01561
Part 1
c 1.1	ad F2021L01561
c 1.2	ad F2021L01561
c 1.3	ad F2021L01561
am F2023L01027
c 1.4	ad F2021L01561
c 1.5	ad F2024L01409
Part 2
c 2.1	ad F2021L01561
am F2023L01027
c 2.2	ad F2021L01561
am F2023L01027
c 2.3	ad F2021L01561
Part 3
c 3.1A	ad F2024L01409
c 3.1	ad F2021L01561
am F2023L01027
c 3.2	ad F2021L01561
am F2023L01027
ed C8
Part 4
c 4.1	ad F2021L01561
am F2023L01027
c 4.2	ad F2021L01561
c 4.3	ad F2021L01561
c 4.4	ad F2021L01561
c 4.5	ad F2021L01561
Part 5
Part 5	am F2023L01027
c 5.1	ad F2021L01561
am F2023L01027
c 5.2	ad F2021L01561
rs F2023L01027
Part 6
c 6.1	ad F2021L01561
Part 7
c 7.1	ad F2021L01561
Part 8
c 8.1	ad F2021L01561
am F2023L01027; F2024L01409
c 8.2	ad F2021L01561
am F2023L01027
c 8.3	ad F2021L01561
am F2023L01027
c 8.4	ad F2021L01561
am F2024L01409
c 8.5	ad F2021L01561
c 8.6	ad F2021L01561
am F2024L01409
c 8.7	ad F2021L01561
am F2023L01027
Part 9
c 9.1	ad F2021L01561
c 9.2	ad F2021L01561
am F2023L01027
c 9.3	ad F2021L01561 am F2025L00272
c 9.4	ad F2021L01561
c 9.5	ad F2021L01561