Competition and Consumer (Consumer Data Right) Rules 2020 (Cth)
Competition and Consumer (Consumer Data Right) Rules 2020
made under section 56BA of the
Competition and Consumer Act 2010
Compilation No. 7
Compilation date: 1 February 2022
Includes amendments up to: F2021L01561
Registered: 10 February 2022
This compilation includes commenced amendments made by F2021L01392
About this compilation
This compilation
This is a compilation of the Competition and Consumer (Consumer Data Right) Rules 2020 that shows the text of the law as amended and in force on 1 February 2022 (the compilation date).
The notes at the end of this compilation (the endnotes) include information about amending laws and the amendment history of provisions of the compiled law.
Uncommenced amendments
The effect of uncommenced amendments is not shown in the text of the compiled law. Any uncommenced amendments affecting the law are accessible on the Legislation Register ( The details of amendments made up to, but not commenced at, the compilation date are underlined in the endnotes. For more information on any uncommenced amendments, see the series page on the Legislation Register for the compiled law.
Application, saving and transitional provisions for provisions and amendments
If the operation of a provision or amendment of the compiled law is affected by an application, saving or transitional provision that is not included in this compilation, details are included in the endnotes.
Editorial changes
For more information about any editorial changes made in this compilation, see the endnotes.
Modifications
If the compiled law is modified by another law, the compiled law operates as modified but the modification does not amend the text of the law. Accordingly, this compilation does not show the text of the compiled law as modified. For more information on any modifications, see the series page on the Legislation Register for the compiled law.
Self‑repealing provisions
If a provision of the compiled law has been repealed in accordance with a provision of the law, details are included in the endnotes.
Contents
Part 1—Preliminary 1
Division 1.1—Preliminary 1
1.1......................... Name............................................................................................................. 1
1.3......................... Authority....................................................................................................... 1
Division 1.2—Simplified outline and overview of these rules 2
1.4......................... Simplified outline of these rules.................................................................... 2
1.5......................... What these rules are about............................................................................. 3
1.6......................... Overview of these rules................................................................................ 3
Division 1.3—Interpretation 6
1.7......................... Definitions.................................................................................................... 6
1.8......................... Data minimisation principle......................................................................... 14
1.9......................... Fit and proper person criteria...................................................................... 15
1.10....................... Meaning of outsourced service provider and related terms......................... 16
1.10AA................. Meaning of CDR representative and related terms...................................... 17
1.10A.................... Types of consents....................................................................................... 18
1.10B..................... Meaning of eligible..................................................................................... 20
1.10C..................... Trusted advisers.......................................................................................... 20
1.10D.................... Meaning of sponsorship arrangement, sponsor and affiliate..................... 21
Division 1.4—General provisions relating to data holders and to accredited persons 22
Subdivision 1.4.1—Preliminary 22
1.11....................... Simplified outline of Division..................................................................... 22
Subdivision 1.4.2—Services for making requests under these rules 22
1.12....................... Product data request service........................................................................ 22
1.13....................... Consumer data request service.................................................................... 22
Subdivision 1.4.3—Services for managing consumer data requests made by accredited persons 24
1.14....................... Consumer dashboard—accredited person................................................... 24
1.15....................... Consumer dashboard—data holder............................................................. 25
Subdivision 1.4.4—Other obligations of accredited persons 27
1.16....................... Obligations relating to CDR outsourcing arrangements.............................. 27
1.16A.................... Obligations relating to CDR representative arrangements........................... 27
Subdivision 1.4.5—Deletion and de‑identification of CDR data 29
1.17....................... CDR data de‑identification process............................................................. 29
1.17A.................... Identification of otherwise redundant data that is not to be deleted.............. 30
1.18....................... CDR data deletion process.......................................................................... 30
Division 1.5—Application of rules in relation to SR data 31
1.19....................... Eligible CDR consumers in relation to secondary data holders................... 31
1.20....................... Consumer data request service—primary data holders and secondary data holders 31
1.21....................... Consumer dashboard—SR data request...................................................... 31
1.22....................... SR data request by a CDR consumer.......................................................... 31
1.23....................... SR data request by an accredited person..................................................... 32
1.24....................... SR data disclosed to primary data holder not to be used for other purposes 33
1.25....................... Dealing with unsolicited SR data................................................................ 34
1.26....................... Dispute resolution—primary data holders and secondary data holders....... 34
Part 2—Product data requests 35
2.1......................... Simplified outline of this Part...................................................................... 35
2.2......................... Making product data requests—flowchart.................................................. 35
2.3......................... Product data requests.................................................................................. 36
2.4......................... Disclosing product data in response to product data request....................... 36
2.5......................... Refusal to disclose required product data in response to product data request 37
2.6......................... Use of data disclosed pursuant to product data request............................... 38
Part 3—Consumer data requests made by eligible CDR consumers 39
Division 3.1—Preliminary 39
3.1......................... Simplified outline of this Part...................................................................... 39
3.2......................... How an eligible CDR consumer makes a consumer data request—flowchart 40
Division 3.2—Consumer data requests made by CDR consumers 41
3.3......................... Consumer data requests made by CDR consumers..................................... 41
3.4......................... Disclosing consumer data in response to a valid consumer data request..... 41
3.5......................... Refusal to disclose required consumer data in response to consumer data request 42
Part 4—Consumer data requests made by accredited persons 43
Division 4.1—Preliminary 43
4.1......................... Simplified outline of this Part...................................................................... 43
Division 4.2—Consumer data requests made by accredited persons to CDR participants 45
Subdivision 4.2.1—Preliminary 45
4.2......................... Consumer data requests made by accredited persons to CDR participants—flowchart 45
Subdivision 4.2.2—Requests to seek to collect CDR data from CDR participants 46
4.3......................... Request for accredited person to seek to collect CDR data.......................... 46
4.3A...................... Request for CDR principal to seek to collect CDR data on behalf of CDR representative 47
4.3B....................... Consumer data requests by accredited persons to CDR representatives...... 48
4.3C....................... Modifications of Division 4.3 in relation to CDR representative................ 49
Subdivision 4.2.3—Consumer data requests by accredited persons to data holders 50
4.4......................... Consumer data request by accredited person to data holder........................ 50
4.5......................... Data holder must ask eligible CDR consumer to authorise disclosure........ 51
4.6......................... Disclosing consumer data in response to a consumer data request.............. 52
4.6A...................... Disclosure of CDR data relating to account not permitted if not approved by account holder 53
4.7......................... Refusal to disclose required consumer data in response to consumer data request 53
Subdivision 4.2.4—Consumer data requests by accredited persons to accredited data recipients 54
4.7A...................... Consumer data request by accredited person to accredited data recipient.... 54
4.7B....................... Accredited data recipient may ask eligible CDR consumer for AP disclosure consent 54
Division 4.3—Giving and amending consents 56
Subdivision 4.3.1—Preliminary 56
4.8......................... Purpose of Division.................................................................................... 56
4.9......................... Object.......................................................................................................... 56
Subdivision 4.3.2—Giving consents 56
4.10....................... Requirements relating to accredited person’s processes for seeking consent 56
4.11....................... Asking CDR consumer to give consent...................................................... 56
4.12....................... Restrictions on seeking consent.................................................................. 59
Subdivision 4.3.2A—Amending consents 59
4.12A.................... Amendment of consent............................................................................... 59
4.12B..................... Inviting CDR consumer to amend consent.................................................. 59
4.12C..................... Process for amending consents................................................................... 60
Subdivision 4.3.2B—Withdrawing consents 60
4.13....................... Withdrawal of consents, and notifications................................................... 60
Subdivision 4.3.2C—Duration of consent 61
4.14....................... Duration of consent..................................................................................... 61
Subdivision 4.3.3—Information relating to de‑identification of CDR data 62
4.15....................... Additional information relating to de‑identification of CDR data................ 62
Subdivision 4.3.4—Election to delete redundant data 62
4.16....................... Election to delete redundant data................................................................. 62
4.17....................... Information relating to redundant data......................................................... 63
Subdivision 4.3.5—Notification requirements 63
4.18....................... CDR receipts............................................................................................... 63
4.18A.................... Notification if collection consent expires..................................................... 64
4.18B..................... Notification if collection consent or AP disclosure consent expires............ 64
4.18C..................... Notification if collection consent is amended.............................................. 65
4.19....................... Updating consumer dashboard.................................................................... 65
4.20....................... Ongoing notification requirement—collection consents and use consents.. 65
4.20A.................... Application of Subdivision to sponsor and affiliate.................................... 66
Division 4.4—Authorisations to disclose CDR data 67
4.21....................... Purpose of Division.................................................................................... 67
4.22....................... Requirements relating to data holder’s processes for seeking authorisation 67
4.22A.................... Inviting CDR consumer to amend a current authorisation........................... 67
4.23....................... Asking CDR consumer to give authorisation to disclose CDR data or inviting CDR consumer to amend a current authorisation.................................................................................... 67
4.24....................... Restrictions when asking CDR consumer to authorise disclosure of CDR data 68
4.25....................... Withdrawal of authorisation to disclose CDR data and notification............ 68
4.26....................... Duration of authorisation to disclose CDR data.......................................... 68
4.27....................... Updating consumer dashboard.................................................................... 69
4.28....................... Notification requirements for consumer data requests on behalf of secondary users 69
Part 4A—Joint accounts 70
Division 4A.1—Preliminary 70
4A.1...................... Purpose of Part........................................................................................... 70
4A.2...................... Simplified outline of this Part...................................................................... 70
4A.3...................... Interpretation............................................................................................... 71
Division 4A.2—Disclosure options 72
4A.4...................... Simplified outline of this Division.............................................................. 72
4A.5...................... Disclosure options for joint accounts.......................................................... 72
4A.6...................... Obligation to provide disclosure option management service...................... 73
4A.7...................... Changing to a more restrictive disclosure option......................................... 74
4A.8...................... Obtaining agreement on change to a less restrictive disclosure option........ 74
Division 4A.3—Consumer data requests that relate to joint accounts 76
Subdivision 4A.3.1—Preliminary 76
4A.9...................... Application of Division............................................................................... 76
Subdivision 4A.3.2—How consumer data requests to data holders under Part 4 that relate to joint accounts are handled 76
4A.10.................... How data holder is to deal with a consumer data request............................ 76
4A.11.................... Asking relevant account holders for approval to disclose joint account data 77
4A.12.................... Continuation and removal of approvals....................................................... 77
4A.13.................... Consumer dashboard for joint account holders........................................... 78
4A.14.................... Notification requirements for consumer data requests on joint accounts..... 78
4A.15.................... Avoidance of harm...................................................................................... 79
Part 5—Rules relating to accreditation etc. 80
Division 5.1—Preliminary 80
5.1......................... Simplified outline of this Part...................................................................... 80
Division 5.2—Rules relating to accreditation process 81
Subdivision 5.2.1A—Levels of accreditation 81
5.1A...................... Levels of accreditation................................................................................. 81
5.1B....................... Sponsored accreditation.............................................................................. 81
Subdivision 5.2.1—Applying to be accredited person 82
5.2......................... Applying to be an accredited person........................................................... 82
Subdivision 5.2.2—Consideration of application to be accredited person 82
5.3......................... Data Recipient Accreditor may request further information........................ 82
5.4......................... Data Recipient Accreditor may consult....................................................... 83
5.5......................... Criteria for accreditation.............................................................................. 83
5.6......................... Accreditation decision―accreditation number............................................ 83
5.7......................... Accreditation decision—notifying accreditation applicant........................... 84
5.8......................... When accreditation takes effect................................................................... 84
5.9......................... Default conditions on accreditation............................................................. 84
5.10....................... Other conditions on accreditation................................................................ 84
5.11....................... Notification to accredited person relating to conditions............................... 85
Subdivision 5.2.3—Obligations of accredited person 85
5.12....................... Obligations of accredited person................................................................. 85
5.13....................... Accredited person must comply with conditions......................................... 86
5.14....................... Notification requirements............................................................................ 86
5.15....................... Provision of information to the Accreditation Registrar.............................. 87
Subdivision 5.2.4—Transfer, suspension, surrender and revocation of accreditation 89
5.16....................... Transfer of accreditation.............................................................................. 89
5.17....................... Revocation, suspension, or surrender of accreditation................................ 89
5.18....................... Revocation of accreditation—process......................................................... 91
5.19....................... Suspension of accreditation—duration........................................................ 92
5.20....................... General process for suspension of accreditation or extension of suspension 92
5.21....................... Process for urgent suspensions or extensions............................................. 92
5.22....................... When surrender, revocation or suspension takes effect............................... 93
5.23....................... Consequences of surrender, suspension or revocation of accreditation....... 93
Division 5.3—Rules relating to Register of Accredited Persons 95
5.24....................... Maintaining the Register of Accredited Persons......................................... 95
5.25....................... Other information to be kept in association with Register of Accredited Persons 96
5.26....................... Amendment and correction of entries in Register of Accredited Persons and database 97
5.27....................... Publication or availability of specified information in the Register of Accredited Persons 97
5.28....................... Making information available to the Commission, the Information Commissioner and the Data Recipient Accreditor................................................................................................... 97
5.29....................... Publication of specified information by the Commission............................ 98
5.30....................... Other functions of Accreditation Registrar.................................................. 98
5.31....................... Obligation to comply with Accreditation Registrar’s request...................... 98
5.32....................... Automated decision‑making—Accreditation Registrar............................... 98
5.33....................... Temporary restriction on use of the Register in relation to data holder........ 99
5.34....................... Temporary direction to refrain from processing consumer data requests.... 99
Part 6—Rules relating to dispute resolution 101
6.1......................... Requirement for data holders―internal dispute resolution........................ 101
6.2......................... Requirement for data holders―external dispute resolution....................... 101
Part 7—Rules relating to privacy safeguards 102
Division 7.1—Preliminary 102
7.1......................... Simplified outline of this Part.................................................................... 102
Division 7.2—Rules relating to privacy safeguards 103
Subdivision 7.2.1—Rules relating to consideration of CDR data privacy 103
7.2......................... Rule relating to privacy safeguard 1—open and transparent management of CDR data 103
7.3......................... Rule relating to privacy safeguard 2—anonymity and pseudonymity....... 105
7.3A...................... Rule relating to privacy safeguard 4—destruction of unsolicited data—CDR representative 106
Subdivision 7.2.2—Rules relating to collecting CDR data 106
7.4......................... Rule relating to privacy safeguard 5—notifying of the collection of CDR data 106
Subdivision 7.2.3—Rules relating to dealing with CDR data 107
7.5......................... Meaning of permitted use or disclosure and relates to direct marketing.. 107
7.5A...................... Limitation to disclosures of CDR data under a disclosure consent............ 109
7.6......................... Use or disclosure of CDR data by accredited data recipients, outsourced service providers and others 109
7.7......................... Rule relating to privacy safeguard 6—use or disclosure of CDR data by accredited data recipients 110
7.8......................... Rule relating to privacy safeguard 7—use or disclosure of CDR data for direct marketing by accredited data recipients................................................................................................... 111
7.8A...................... Rule relating to privacy safeguards 8 and 9—failure by CDR representative to comply with safeguards.................................................................................................................. 111
7.9......................... Rule relating to privacy safeguard 10—notifying of the disclosure of CDR data 111
Subdivision 7.2.4—Rules relating to integrity and security of CDR data 112
7.10....................... Rule relating to privacy safeguard 11—quality of CDR data.................... 112
7.10A.................... Rule relating to privacy safeguard 11—quality of data—CDR representative 113
7.11....................... Rule relating to privacy safeguard 12—security of CDR data................... 113
7.12....................... Rule relating to privacy safeguard 12—de‑identification of redundant data 113
7.13....................... Rule relating to privacy safeguard 12—deletion of redundant data........... 114
Subdivision 7.2.5—Rules relating to correction of CDR data 114
7.14....................... No fee for responding to or actioning correction request.......................... 114
7.15....................... Rule relating to privacy safeguard 13—steps to be taken when responding to correction request 115
7.16....................... Rule relating to privacy safeguard 13—correction of data—CDR representative 115
Part 8—Rules relating to data standards 116
Division 8.1—Preliminary 116
8.1......................... Simplified outline of this Part.................................................................... 116
Division 8.2—Data Standards Advisory Committees 117
8.2......................... Establishment of Data Standards Advisory Committee............................. 117
8.3......................... Functions of Data Standards Advisory Committee................................... 117
8.4......................... Appointment to Data Standards Advisory Committee.............................. 117
8.5......................... Termination of appointment and resignation............................................. 117
8.6......................... Procedural directions................................................................................. 117
8.7......................... Observers.................................................................................................. 118
Division 8.3—Reviewing, developing and amending data standards 119
8.8......................... Notification when developing or amending data standards....................... 119
8.9......................... Consultation when developing or amending data standards...................... 119
8.10....................... Matters to have regard to when making or amending data standards........ 119
Division 8.4—Data standards that must be made 121
8.11....................... Data standards that must be made............................................................. 121
Part 9—Other matters 123
Division 9.1—Preliminary 123
9.1......................... Simplified outline of this Part.................................................................... 123
Division 9.2—Review of decisions 124
9.2......................... Review of decisions by the Administrative Appeals Tribunal................... 124
Division 9.3—Reporting, record keeping and audit 125
Subdivision 9.3.1—Reporting and record keeping 125
9.3......................... Records to be kept and maintained............................................................ 125
9.4......................... Reporting requirements............................................................................. 128
9.5......................... Requests from CDR consumers for copies of records.............................. 132
Subdivision 9.3.2—Audits 133
9.6......................... Audits by the Commission and the Information Commissioner................ 133
9.7......................... Audits by the Data Recipient Accreditor................................................... 133
Division 9.4—Civil penalty provisions 134
9.8......................... Civil penalty provisions............................................................................ 134
Schedule 1—Default conditions on accreditations 136
Schedule 2—Steps for privacy safeguard 12—security of CDR data held by accredited data recipients 140
Schedule 3—Provisions relevant to the banking sector 150
Schedule 4—Provisions relevant to the energy sector 168
Endnotes188
Endnote 1—About the endnotes 188
Endnote 2—Abbreviation key 189
Endnote 3—Legislation history 190
Endnote 4—Amendment history 191
Endnote 5—Editorial changes 199
Part 1—Preliminary
Division 1.1—Preliminary
1.1 Name
This instrument is the Competition and Consumer (Consumer Data Right) Rules 2020.
1.3 Authority
This instrument is made under section 56BA of the Competition and Consumer Act 2010.
Division 1.2—Simplified outline and overview of these rules
1.4 Simplified outline of these rules
There are 3 ways to request CDR data under these rules.
Product data requests
Any person may request a data holder to disclose CDR data that relates to products offered by the data holder. Such a request is called a product data request.
A product data request is made in accordance with relevant data standards, using a specialised service provided by the data holder. Such a request cannot be made for CDR data that relates to a particular identifiable CDR consumer. The data is disclosed, in machine‑readable form, to the person who made the request. The data holder cannot impose conditions, restrictions or limitations of any kind on the use of the disclosed data.
Consumer data requests made by CDR consumers
A CDR consumer who, in accordance with a Schedule to these rules, is eligible to do so may directly request a data holder to disclose CDR data that relates to them. Such a request is called a consumer data request.
A consumer data request that is made directly to a data holder is made using a specialised online service provided by the data holder. The data is disclosed, in human‑readable form, to the CDR consumer who made the request.
Consumer data requests made on behalf of CDR consumers
A CDR consumer who, in accordance with a Schedule to these rules, is eligible to do so may request an accredited person to request a CDR participant to disclose CDR data that relates to the consumer. The request made by the accredited person is called a consumer data request.
A consumer data request that is made to a data holder on behalf of a CDR consumer by an accredited person must be made in accordance with relevant data standards, using a specialised service provided by the data holder. The data is disclosed, in machine‑readable form, to the accredited person.
Under the data minimisation principle, the accredited person may only collect and use CDR data in order to provide goods or services in accordance with a request from a CDR consumer, and may only use it for that purpose, or for a limited number of other purposes which require an additional consent from the CDR consumer.
When consumers are eligible to make requests
A consumer data request can only be made in relation to certain classes of product and consumer CDR data. These are specified in Schedules to these rules that relate to different designated sectors. The relevant Schedule will also set out:
• the circumstances in which a CDR consumer will be eligible to make or initiate a consumer data request for CDR data in that sector; and
• the CDR data that must be disclosed by the data holder in response to a valid request and the CDR data that may be, but is not required to be, disclosed by the data holder.
Schedule 3 relates to the banking sector. Initially, these rules will apply only in relation to certain products that are offered by certain data holders within the banking sector. These rules will then apply to a progressively broader range of data holders and products.
Schedule 4 relates to the energy sector. In this sector, the product data that can be requested is data that is required by law to be passed to either the AER or the Victorian agency; product data requests are therefore made to those agencies as data holders. In addition, some of the relevant consumer data is in practice collected and held by AEMO, which does not have a direct relationship with consumers. Responsibility for dealing with a consumer data request for this data made by or on behalf of a customer of a retailer is therefore shared between AEMO and the retailer.
These rules also deal with a range of ancillary and related matters.
1.5 What these rules are about
(1) These rules set out details of how the consumer data right works.
(2) These rules should be read in conjunction with the following:
(a) the Competition and Consumer Act 2010 (the Act), and in particular, Part IVD of the Act, which sets out the general framework for how the consumer data right works;
(b) designation instruments made under section 56AC of the Act;
(c) guidelines made by the Information Commissioner under section 56EQ of the Act;
(d) data standards made under section 56FA of the Act;
(e) regulations made under section 172 of the Act.
1.6 Overview of these rules
(1) Part 1 of these rules deals with preliminary matters, such as:
(a) definitions of terms that are used in these rules; and
(b) the usage, in these rules, of certain terms that are defined in the Act.
The other provisions of these rules should be read together with these definitions and other interpretive provisions. Part 1 also deals with services that must be provided by data holders and accredited persons that allow consumers to make and manage requests for CDR data.
(2) Part 2 of these rules deals with product data requests, and should be read in conjunction with the relevant sector Schedule.
(3) Part 3 of these rules deals with consumer data requests that are made by CDR consumers, and should be read in conjunction with the relevant sector Schedule. Only CDR consumers who are eligible to do so may make such requests. The eligibility criteria for each sector are set out in the relevant sector Schedule.
(4) Part 4 of these rules deals with consumer data requests that involve accredited persons, and should be read in conjunction with the relevant sector Schedule.
(5) Part 5 of these rules deals with how persons can become accredited persons. It also deals with ancillary matters, such as revocation and suspension of accreditation, obligations of accredited persons, and the Register of Accredited Persons. The rules set out in this Part should be read in conjunction with Division 3 of Part IVD of the Act.
(6) Part 6 of these rules deals with dispute resolution.
(7) Part 7 of these rules deals with rules relating to the privacy safeguards. The rules set out in this Part should be read in conjunction with Division 5 of Part IVD of the Act. Part 7 also sets out some additional civil penalty provisions that protect the privacy or confidentiality of CDR consumers’ CDR data.
(8) Part 8 of these rules deals with data standards. The rules set out in this Part should be read in conjunction with Division 6 of Part IVD of the Act.
(9) Part 9 of these rules deals with miscellaneous matters, such as review of decisions, reporting, record keeping and audit, and civil penalty provisions of the consumer data rules.
(10) Schedule 1 to these rules deals with default conditions on accreditations.
(11) Schedule 2 to these rules sets out detailed steps for privacy safeguard 12 (subsection 56EO(1) of the Act and rule 7.11 of these rules). These steps are also relevant to persons who hold CDR data (service data) under a CDR outsourcing arrangement, and are an element of the ongoing obligations of accredited persons (see paragraph 5.12(1)(a)).
(12) Schedule 3 to these rules contains details that are relevant to the banking sector. Schedule 3:
(a) sets out the specific CDR data in respect of which requests under these rules may be made; and
(b) sets out the circumstances in which CDR consumers are eligible in relation to requests for banking sector CDR data that relates to themselves; and
(c) deals with the progressive application of these rules to the banking sector.
(13) Schedule 4 to these rules contains details that are relevant to the energy sector. Schedule 4:
(a) sets out the specific CDR data in respect of which requests under these rules may be made; and
(b) sets out the circumstances in which CDR consumers are eligible in relation to requests for energy sector CDR data that relates to themselves; and
(c) sets out some modifications of the general rules that apply in the energy sector because certain types of data are collected or held by agencies specified in its designation instrument rather than the retailers with which the CDR consumers have accounts; and
(d) deals with the progressive application of these rules to the energy sector.
It is intended that these rules will be amended at a later time to deal with additional sectors of the economy.
Division 1.3—Interpretation
1.7 Definitions
Note 1: A number of expressions used in this instrument are defined in the Act, including the following:
· Accreditation Registrar;
· accredited data recipient;
· accredited person;
· Australian Consumer Law;
· Australian Energy Regulator;
· binding data standard;
· CDR consumer;
· CDR data;
· CDR participant;
· collects;
· Commission;
· court/tribunal order;
· data holder;
· Data Recipient Accreditor;
· data standard;
· Data Standards Body;
· Data Standards Chair;
· designated sector;
· directly or indirectly derived;
· privacy safeguards;
· Regulatory Powers Act.
Note 2: Information Commissioner has the same meaning as in the Act: see section 3A of the Australian Information Commissioner Act 2010 and paragraph 13(1)(b) of the Legislation Act 2003.
(1) In this instrument:
account privileges, in relation to:
(a) an account with a data holder; and
(b) a particular designated sector;
has the meaning set out in a Schedule to these rules that relates to that sector.
accreditation applicant means a person who has applied to be an accredited person under rule 5.2.
accreditation number of an accredited person has the meaning given by rule 5.6.
accredited data recipient has a meaning affected by subrule (2).
Note: The term “accredited data recipient” is defined in the Act: see section 56AK of the Act. Subrule (2) deals with the usage of this term in these rules.
accredited person request service has the meaning given by subrule 1.13(3).
Act means the Competition and Consumer Act 2010.
addresses for service means both of the following:
(a) a physical address for service in Australia;
(b) an electronic address for service.
ADI (short for authorised deposit‑taking institution) has the meaning given by the Banking Act 1959.
affiliate has the meaning given by rule 1.10D.
AP disclosure consent has the meaning given by rule 1.10A.
associated person, of another person, means any of the following:
(a) a person who:
(i) makes or participates in making, or would (if the other person were an accredited person) make or participate in making, decisions that affect the management of CDR data by the other person; or
(ii) has, or would have (if the other person were an accredited person), the capacity to significantly affect the other person’s management of CDR data;
(b) if the other person is a body corporate—a person who:
(i) is an associate (within the meaning of the Corporations Act 2001) of the other person; or
(ii) is an associated entity (within the meaning of the Corporations Act 2001) of the other person.
authorisation to disclose CDR data means:
(a) an authorisation given by a CDR consumer under Part 4 to a data holder; or
(b) such an authorisation as amended in accordance with these rules.
category, of consents, has the meaning given by rule 1.10A.
CDR complaint data, in relation to a CDR participant, means the following:
(a) the number of CDR consumer complaints received by the CDR participant;
(b) the number of such complaints for each complaint type into which the CDR participant categorises complaints in accordance with its complaints handling process;
(c) the number of such complaints resolved;
(d) the average number of days taken to resolve CDR consumer complaints through internal dispute resolution;
(e) the number of CDR consumer complaints referred to a recognised external dispute resolution scheme;
(f) the number of CDR consumer complaints resolved by external dispute resolution;
(g) in relation to a CDR participant that is a data holder―the number of CDR product data complaints received.
Note: Complaints covered by paragraph (g) are not “CDR consumer complaints”.
CDR consumer has a meaning affected by subrule (2).
Note: The term “CDR consumer” is defined in the Act: see subsection 56AI(3) of the Act. Subrule (2) deals with the usage of this term in these rules.
CDR consumer complaint means any expression of dissatisfaction made by a CDR consumer to or about a CDR participant, or a CDR representative of a CDR participant:
(a) that relates to:
(i) that person’s obligations under or compliance with:
(A) Part IVD of the Act; or
(B) these rules; or
(C) binding data standards; or
(ii) the provision to the CDR consumer, by that person, of the goods or services in respect of which the consumer granted consent under Part 4; and
(b) for which a response or resolution could reasonably be expected.
Note: Complaints of a kind referred to in sub‑subparagraph (a)(i)(B) include a complaint relating to the participant’s obligations under, or compliance with, rules dealing with the handling of CDR consumer complaints.
CDR data de‑identification process has the meaning given by rule 1.17.
CDR data deletion process has the meaning given by rule 1.18.
CDR insight, in relation to an insight disclosure consent, means the CDR data subject to the consent.
CDR logo means a logo or symbol, including one whose use requires a licence or authorisation from a person other than the Commonwealth, approved by the Commission for the purposes of this definition.
CDR outsourcing arrangement has the meaning given by rule 1.10.
CDR participant has a meaning affected by subrule (2).
Note: The term “CDR participant” is defined in the Act: see subsection 56AL(1) of the Act. Subrule (2) deals with the usage of this term in these rules.
CDR policy means a policy that a CDR participant has and maintains in compliance with subsection 56ED(3) of the Act.
CDR principal has the meaning given by rule 1.10AA.
CDR product data complaint means an expression of dissatisfaction made to a data holder about its required product data or its voluntary product data for which a response or resolution could reasonably be expected.
CDR representative has the meaning given by rule 1.10AA.
CDR representative arrangement has the meaning given by rule 1.10AA.
co‑approval option has the meaning given by rule 4A.5.
collection consent has the meaning given by rule 1.10A.
consent means:
(a) a collection consent, a use consent or a disclosure consent; or
(b) such a consent as amended in accordance with these rules.
consumer dashboard:
(a) in relation to an accredited person—has the meaning given by rule 1.14; and
(b) in relation to a data holder—has the meaning given by rules 1.15 and 4A.13.
consumer data request:
(a) by a CDR consumer—has the meaning given by rule 3.3; and
(b) by an accredited person on behalf of a CDR consumer—has the meaning given by rule 4.4 or rule 4.7A.
Note: The different types of consumer data request are summarised in the following table:
| A consumer data request made under: | is made by: | to: | for disclosure of CDR data to: |
| rule 3.3 | a CDR consumer | a data holder | the CDR consumer |
| rule 4.4 | an accredited person on behalf of a CDR consumer | a data holder | the accredited person |
| rule 4.7A | an accredited person on behalf of a CDR consumer | an accredited data recipient | the accredited person |
current:
(a) a consent is current if it has not expired in accordance with rule 4.14; and
(b) an authorisation to disclose particular CDR data is current if it has not expired in accordance with rule 4.26.
Note: For paragraph (a), there are the following 3 kinds of consent:
· collection consents;
· use consents;
· disclosure consents.
data holder has a meaning affected by subrule (2).
Note: The term “data holder” is defined in the Act: see subsection 56AJ of the Act. Subrule (2) deals with the usage of this term in these rules.
data minimisation principle has the meaning given by rule 1.8.
Data Standards Advisory Committee has the meaning given by rule 8.2.
de‑identification consent has the meaning given by rule 1.10A.
direct marketing consent has the meaning given by rule 1.10A.
direct request service has the meaning given by subrule 1.13(2).
disclosure consent has the meaning given by rule 1.10A.
disclosure option has the meaning given by rule 4A.5.
disclosure option management service has the meaning given by rule 4A.6.
eligible, in relation to a particular designated sector, has the meaning given by rule 1.10B.
Note: See also:
· for the banking sector—clause 2.1 of Schedule 3; and
· for the energy sector—clause 2.1 of Schedule 4.
fit and proper person criteria has the meaning given by rule 1.9.
foreign entity means a person who:
(a) is not a body corporate established by or under a law of the Commonwealth, of a State or of a Territory; and
(b) is neither an Australian citizen, nor a permanent resident (within the meaning of the Australian Citizenship Act 2007).
Note: See subsection 56CA(2) of the Act.
general research, in relation to an accredited data recipient, means research by the accredited data recipient:
(a) using CDR data that has been de‑identified in accordance with the CDR data de‑identification process; and
(b) that does not relate to the provision of goods or services to any particular CDR consumer.
goods includes products.
insight disclosure consent has the meaning given by rule 1.10A.
joint account:
(a) means a joint account with a data holder for which there are 2 or more joint account holders, each of which is an individual who:
(i) so far as the data holder is aware, is acting in their own capacity and not on behalf of another person; and
(ii) is eligible in relation to the data holder; but
(b) does not include a partnership account with a data holder.
law relevant to the management of CDR data means any of the following:
(a) the Act;
(b) any regulation made for the purposes of the Act;
(c) these rules;
(d) the Corporations Act 2001 and the Corporations Regulations 2001;
(e) the Privacy Act 1988;
(f) in relation to a particular designated sector—any law that is specified for the purposes of this paragraph in a sector Schedule.
Note: In relation to paragraph (f):
· for the banking sector, see clause 7.1 of Schedule 3; and
· for the energy sector, see clause 9.1 of Schedule 4.
level, in relation to accreditation, has the meaning given by rule 5.1A.
local agent, in relation to a foreign entity, means a person who:
(a) is appointed by the foreign entity; and
(b) has addresses for service; and
(c) is authorised to accept service of documents on behalf of the foreign entity.
meet the internal dispute resolution requirements, in relation to a particular designated sector, has the meaning set out in the relevant sector Schedule.
Note: For the meaning of the term:
· in the banking sector, see clause 5.1 of Schedule 3; and
· in the energy sector, see clause 5.1 of Schedule 4.
nominated representative has the meaning given by subparagraph 1.13(1)(c)(i) or subparagraph 1.13(1)(d)(i), as appropriate.
non‑disclosure option has the meaning given by rule 4A.5.
ordinary means of contacting an account holder by a data holder means:
(a) if the data holder has agreed with the account holder on a particular means of contacting the account holder for the purposes of the relevant provision—that means; and
(b) otherwise—the default means by which the data holder contacts the account holder in relation to the account.
outsourced service provider has the meaning given by rule 1.10.
partnership account, with a data holder, means an account with a data holder that is held by or on behalf of a partnership or the partners in a partnership.
pre‑approval option has the meaning given by rule 4A.5.
primary data holder, in relation to SR data and a particular designated sector, means the data holder specified in the sector Schedule as the primary data holder for the SR data.
product data request has the meaning given by rule 2.3.
product data request service has the meaning given by rule 1.12.
recognised external dispute resolution scheme means a dispute resolution scheme that is recognised under section 56DA of the Act.
redundant data has the meaning given by paragraph 56EO(2)(a) of the Act.
Register of Accredited Persons means the Register of Accredited Persons established under subsection 56CE(1) of the Act.
requester, in relation to a product data request, means the person who made the request under rule 2.3.
required consumer data, in relation to a particular designated sector, has the meaning set out in the relevant sector Schedule.
Note: For the meaning of the term:
· in the banking sector, see clause 3.2 of Schedule 3; and
· in the energy sector, see clause 3.2 of Schedule 4.
required product data, in relation to a particular designated sector, has the meaning set out in the relevant sector Schedule.
Note: For the meaning of the term:
· in the banking sector, see clause 3.1 of Schedule 3; and
· in the energy sector, see clause 3.1 of Schedule 4.
restricted ADI means an ADI that has an authority under section 9 of the Banking Act 1959 to carry on a banking business in Australia for a limited time specified in accordance with section 9D of that Act.
secondary data holder, in relation to SR data and a particular designated sector, means the data holder specified in the sector Schedule as the secondary data holder for the SR data.
secondary user: a person is a secondary user for an account with a data holder in a particular designated sector if:
(a) the person is an individual who is 18 years of age or older; and
(b) the person has account privileges in relation to the account; and
(c) the account holder or account holders:
(i) are individuals each of whom is 18 years or older; and
(ii) in accordance with the requrements for the account, have given the data holder an instruction to treat the person as a secondary user for the purposes of these rules.
secondary user instruction means an instruction given for the purposes of paragraph (c) of the definition of secondary user.
sector Schedule means a Schedule to these rules that deals with a particular designated sector.
service data:
(a) in relation to a CDR outsourcing arrangement—has the meaning given by rule 1.10; and
(b) in relation to a CDR representative arrangement— has the meaning given by rule 1.10AA.
sponsor has the meaning given by rule 1.10D.
sponsored accreditation means accreditation at the sponsored level mentioned in rule 5.1A.
Note: See also rules 1.10D and 5.1B.
sponsorship arrangement has the meaning given by rule 1.10D.
SR data (for shared responsibility data), in relation to a CDR consumer and a particular designated sector, has the meaning set out in the relevant sector Schedule.
Note: Where CDR data for which there is a CDR consumer in a designated sector is held by one data holder, but it would be more practical for consumer data requests for the data to be directed to, and actioned by, a different data holder with which the CDR consumer has a relationship, such CDR data may be specified as SR data in the sector Schedule. Parts 3 and 4 then apply with the modifications set out in Division 1.5.
SR data request (for shared responsibility data request) means a consumer data request for CDR data that is, or that includes, SR data of the CDR consumer.
TA disclosure consent has the meaning given by rule 1.10A.
trusted adviser has the meaning given by rule 1.10C.
type of CDR data means a type of data that is identified in the data standards.
Note: See paragraph 8.11(1)(d).
unrestricted accreditation means accreditation at the unrestricted level mentioned in rule 5.1A.
use consent has the meaning given by rule 1.10A.
valid has the meaning given by subrule 3.3(3) or subrule 4.3(3) as appropriate.
voluntary consumer data, in relation to a particular designated sector, has the meaning set out in the relevant sector Schedule.
Note: For the meaning of the term:
· in the banking sector, see clause 3.2 of Schedule 3; and
· in the energy sector, see clause 3.2 of Schedule 4.
voluntary product data, in relation to a particular designated sector, has the meaning set out in the relevant sector Schedule.
Note: For the meaning of the term:
· in the banking sector, see clause 3.1 of Schedule 3; and
· in the energy sector, see clause 3.1 of Schedule 4.
(2) The table has effect:
| Meaning of references to certain terms | ||
| A reference, in a particular provision of these rules, to: | is, depending on the context, a reference to: | |
| 1 | a CDR consumer | (a) a CDR consumer for any CDR data; or (b) a CDR consumer for the particular CDR data that is dealt with in relation to the reference. |
| 2 | a data holder | (a) a data holder of any CDR data; or (b) the data holder of the particular CDR data that is dealt with in relation to the reference. |
| 3 | an accredited data recipient | (a) an accredited data recipient of any CDR data; or (b) the accredited data recipient of the particular CDR data that is dealt with in relation to the reference. |
| 4 | a CDR participant | (a) a CDR participant for any CDR data; or (b) the CDR participant for the particular CDR data that is dealt with in relation to the reference. |
References to data holder
(3) In these rules, depending on the context, a reference to a data holder is a reference to a data holder that would be required or that is authorised to disclose CDR data in response to a product data request or a consumer data request that is made in accordance with these rules.
Note: These rules will progressively apply to a broader range of data holders:
· for the banking sector, see Part 6 of Schedule 3;
· for the energy sector, see Part 8 of Schedule 4.
References to a person’s CDR data
(4) In these rules, a reference to a person’s CDR data is a reference to the CDR data for which that person is a CDR consumer.
References to accredited person
(5) In these rules, unless the contrary intention appears, a reference to an accredited person making a consumer data request, collecting CDR data, obtaining consents, providing a consumer dashboard, or using or disclosing CDR data does not include a reference to an accredited person doing those things on behalf of a principal in its capacity as the provider in an outsourced service arrangement, in accordance with the arrangement.
1.8 Data minimisation principle
Note: The data minimisation principle is relevant when:
· a CDR consumer requests an accredited person to provide goods or services to the CDR consumer or to another person; and
· the accredited person needs to access the CDR consumer’s CDR data in order to provide those goods or services.
The data minimisation principle is also relevant when an accredited person uses CDR data to provide requested goods or services to a CDR consumer.
The data minimisation principle limits the CDR data that an accredited person can collect, and also limits the uses that the accredited person can make of collected CDR data.
An accredited person complies with the data minimisation principle if:
(a) when making a consumer data request on behalf of a CDR consumer, it does not seek to collect:
(i) more CDR data than is reasonably needed; or
(ii) CDR data that relates to a longer time period than is reasonably needed;
in order to provide the goods or services requested by the CDR consumer; and
(b) when providing the requested goods or services, or using collected CDR data for any other purpose consented to by the CDR consumer, it does not use the collected CDR data, or CDR data derived from it, beyond what is reasonably needed in order to provide the requested goods or services or fulfil the other purpose.
1.9 Fit and proper person criteria
(1) For these rules, the fit and proper person criteria, in relation to a person, are the following:
(a) whether the person, or any associated person, has, within the previous 10 years, been convicted of:
(i) a serious criminal offence; or
(ii) an offence of dishonesty;
against any law of the Commonwealth or of a State or a Territory, or a law of a foreign jurisdiction;
(b) whether the person, or any associated person, has been found to have contravened:
(i) a law relevant to the management of CDR data; or
(ii) a similar law of a foreign jurisdiction;
(c) whether the person, or any associated person, has been the subject of:
(i) a determination under paragraph 52(1)(b) or any of paragraphs 52(1A)(a), (b), (c) or (d) of the Privacy Act 1988; or
(ii) a finding or determination of a similar nature under a similar law of a foreign jurisdiction;
(d) if the person is a body corporate—whether any of the directors (within the meaning of the Corporations Act 2001) of the person, or any associated person:
(i) has been disqualified from managing corporations; or
(ii) is subject to a banning order;
(e) whether the person, or any associated person, has a history of insolvency or bankruptcy;
(f) whether the person, or any associated person, has been the subject of a determination made under an external dispute resolution scheme that:
(i) included a requirement to pay monetary compensation; and
(ii) was, at the time the determination was made:
(A) recognised under the Privacy Act 1988; or
(B) a recognised external dispute resolution scheme;
(g) any other relevant matter, including but not limited to the objects of Part IVD of the Act.
Note: The objects of Part IVD are set out in section 56AA of the Act.
(2) In this rule:
banning order has the same meaning as in the Corporations Act 2001.
serious criminal offence means an offence for which, if the act or omission had taken place in the Jervis Bay Territory, a person would be liable, on first conviction, to imprisonment for a period of not less than 5 years.
Note: Jervis Bay Territory is mentioned because it is a jurisdiction in which the Commonwealth has control over the criminal law.
1.10 Meaning of outsourced service provider and related terms
(1) For these rules, where two persons are the principal and the provider in a CDR outsourcing arrangement, the provider is an outsourced service provider of the principal.
(2) For these rules, a CDR outsourcing arrangement is a written contract between a person (the principal) and another person (the provider) under which:
(a) the provider will do one or both of the following:
(i) collect CDR data from a CDR participant in accordance with these rules on behalf of the principal;
(ii) provide goods or services to the principal using CDR data that it has collected on behalf of the principal or that has been disclosed to it by the principal; and
(b) the provider is required to comply with the following requirements in relation to any service data:
(i) the provider must take the steps in Schedule 2 to protect the service data as if it were an accredited data recipient; and
(ii) the provider must not use or disclose the service data other than in accordance with a contract with the principal; and
(iii) the provider must, when so directed by the principal, do any of the following:
(A) provide the principal with access to any service data that it holds;
(B) return to the principal CDR data that the principal disclosed to it;
(C) delete any service data that it holds in accordance with the CDR data deletion process;
(D) provide, to the principal, records of any deletion that are required to be made under the CDR data deletion process;
(E) direct any other person to which it has disclosed CDR data to take corresponding steps; and
(v) the provider must not disclose any service data to another person, otherwise than under a further CDR outsourcing arrangement; and
(vi) if the provider does disclose such CDR data in accordance with subparagraph (v), it must ensure that the other person complies with the requirements of the further CDR outsourcing arrangement.
Note 1: See rule 1.18 for the definition of “CDR data deletion process”.
Note 2: For collection of CDR data under subparagraph (2)(a)(i), the principal must be the accredited person on whose behalf the CDR data may be collected under these rules—that is, the provider cannot further outsource collection.
However, the provision of goods and services using the CDR data under subparagraph (2)(a)(ii) can be further outsourced by the provider using another CDR outsourcing arrangement.
(3) For subparagraph (2)(a)(ii), the principal is taken to disclose CDR data to the provider if the principal gives the provider permission to access or use CDR data collected by the provider on behalf of the principal.
(4) For these rules, the service data in relation to a CDR outsourcing arrangement consists of any CDR data that:
(a) was collected from a CDR participant in accordance with the arrangement; or
(b) was disclosed to the provider in the CDR outsourcing arrangement for the purposes of the arrangement; or
(c) directly or indirectly derives from such CDR data.
1.10AA Meaning of CDR representative and related terms
Note: From the point of view of a CDR consumer who is the customer of a CDR representative, the consumer deals with the CDR representative
,as if it were an accredited person, and may not deal with the principal at all. The consumer requests the goods or services from the CDR representative; the CDR representative identifies the CDR data that it needs in order to provide the goods and services; the consumer gives their consent to the CDR representative for the collection and use of the CDR data. The consumer is informed that the CDR principal will do the actual collecting, but as a background detail.
(1) For these rules, where two persons are the principal and the representative in a CDR representative arrangement, the representative is a CDR representative of the principal.
(2) For these rules, a CDR representative arrangement is a written contract between a person with unrestricted accreditation (the principal) and a person without accreditation (the representative) under which:
(a) where the representative has obtained the consent of a CDR consumer to the collection and use of CDR data in accordance with rule 4.3A:
(i) the principal will:
(A) make any appropriate consumer data request; and
(B) disclose the relevant CDR data to the representative; and
(ii) the representative will use the CDR data to provide the relevant goods or services to the CDR consumer; and
(iii) the representative may disclose the CDR data in accordance with a disclosure consent; and
(b) the representative must not enter into another CDR representative arrangement; and
(c) the representative must not engage a person as the provider in a CDR outsourcing arrangement; and
(d) the representative is required to comply with the following requirements in relation to any service data:
(i) in holding, using or disclosing the service data, the representative must comply with:
(A) section 52EE of the Act (privacy safeguard 2);
(B) section 52EG of the Act (privacy safeguard 4);
(C) subsection 56EN(2) of the Act (privacy safeguard 11);
(D) section 56EO of the Act (privacy safeguard 12); and
(E) subsection 56EP(2) of the Act (privacy safeguard 13);
as if it were the principal;
(ii) the representative must take the steps in Schedule 2 to protect the service data as if it were the principal; and
(iii) the representative must not use or disclose the service data other than in accordance with a contract with the principal;
(iv) the representative must, when so directed by the principal, do any of the following:
(A) delete any service data that it holds in accordance with the CDR data deletion process;
(B) provide, to the principal, records of any deletion that are required to be made under the CDR data deletion process; and
(e) the representative is required to adopt and comply with the principal’s CDR policy in relation to the service data; and
(f) the representative is required to comply with sections 56EK and 56EL of the Act (Privacy safeguards 8 and 9) as if it were an accredited data recipient; and
(g) the provisions of the arrangement for the purposes of paragraph (a) do not operate unless the details of the representative have been entered on the Register of Accredited Persons.
Note: See rule 1.18 for the definition of “CDR data deletion process”.
(3) For these rules, the service data in relation to a CDR representative arrangement consists of any CDR data that:
(a) was disclosed to the CDR representative for the purposes of the arrangement; or
(b) directly or indirectly derives from such CDR data.
1.10A Types of consents
(1) For these rules:
(a) a collection consent is a consent given by a CDR consumer under these rules for an accredited person to collect particular CDR data from a CDR participant for that CDR data; and
(b)a use consent is a consent given by a CDR consumer under these rules for an accredited data recipient of particular CDR data to use that CDR data in a particular way; and
(c) a disclosure consent is a consent given by a CDR consumer under these rules for an accredited data recipient of particular CDR data to disclose that CDR data:
(i) to an accredited person in response to a consumer data request (an AP disclosure consent); or
(ii) to an accredited person for the purposes of direct marketing; or
(iii) to a trusted adviser of the CDR consumer (a TA disclosure consent); or
(iv) to a specified person in accordance with an insight disclosure consent; and
(d) a direct marketing consent is a consent given by a CDR consumer under these rules for an accredited data recipient of particular CDR data to use or disclose the CDR data for the purposes of direct marketing; and
(e) a de‑identification consent is a consent given by a CDR consumer under these rules for an accredited data recipient of particular CDR data to de‑identify some or all of the collected CDR data and do either or both of the following:
(i) use the de‑identified data for general research;
(ii) disclose (including by selling) the de‑identified data.
(2) For these rules, each of the following is a category of consents:
(a) collection consents;
(b) use consents relating to the goods or services requested by the CDR consumer;
(c) direct marketing consents;
(d) de‑identification consents;
(e) AP disclosure consents;
(f) TA disclosure consents;
(g) insight disclosure consents.
(3) For these rules, an insight disclosure consent in relation to particular CDR data of a CDR consumer held by an accredited data recipient is a consent given by the CDR consumer under these rules that:
(a) authorises the accredited data recipient to disclose the CDR data to a specified person for one or more of the following purposes:
(i) verifying the consumer’s identity;
(ii) verifying the consumer’s account balance;
(iii) verifying the details of credits to or debits from the consumer’s accounts; but
(b) where the CDR data relates to more than one transaction—does not authorise the accredited data recipient to disclose an amount or date in relation to any individual transaction.
Consents in relation to CDR representatives
(4) For an accredited person with a CDR representative, a consent given by a CDR consumer under these rules to the CDR representative for the accredited person to collect particular CDR data from a CDR participant for that CDR data and disclose it to the CDR representative is also a collection consent.
(5) In this rule, a reference to an accredited data recipient of particular CDR data includes a reference to a CDR representative that holds the CDR data as service data.
1.10B Meaning of eligible
Note: Sector Schedules may add additional criteria for eligibility. See also:
· for the banking sector—clause 2.1 of Schedule 3;
· for the energy sector—clause 2.1 of Schedule 4.
(1) A CDR consumer is eligible, in relation to a particular data holder at a particular time, if, at that time:
(a) the CDR consumer is either:
(i) an individual who is 18 years of age or older; or
(ii) a person who is not an individual; and
(b) the CDR consumer is an account holder or a secondary user for an account with the data holder that is open; and
(c) any additional criteria set by the relevant sector Schedule for this subrule are met.
(2) A CDR consumer is also eligible, in relation to a particular data holder at a particular time, if, at that time:
(a) the CDR consumer is a partner in a partnership for which there is a partnership account with the data holder; and
(b) the account is open; and
(c) any additional criteria set by the relevant sector Schedule for this subrule are met.
1.10C Trusted advisers
(1) An accredited person may invite a CDR consumer to nominate one or more persons as trusted advisers of the CDR consumer for the purposes of this rule.
(2) A trusted adviser must belong to one of the following classes:
(a) qualified accountants within the meaning of the Corporations Act 2001;
(b) persons who are admitted to the legal profession (however described) and hold a current practising certificate under a law of a State or Territory that regulates the legal profession;
(c) registered tax agents, BAS agents and tax (financial) advisers within the meaning of the Tax Agent Services Act 2009;
(d) financial counselling agencies within the meaning of the ASIC Corporations (Financial Counselling Agencies) Instrument 2017/792;
(e) relevant providers within the meaning of the Corporations Act 2001 other than:
(i) provisional relevant providers under section 910A of that Act; and
(ii) limited‑service time‑sharing advisers under section 910A of that Act;
(f) mortgage brokers within the meaning of the National Consumer Credit Protection Act 2009.
(3) Where the accredited person has taken reasonable steps to confirm that a person nominated as a trusted adviser was, and remains, a member of a class mentioned in subrule (2), the person is taken to be a member of that class for the purposes of this rule.
(4) The accredited person must not make:
(a) the nomination of a trusted adviser; or
(b) the nomination of a particular person as a trusted adviser; or
(c) the giving of a TA disclosure consent;
a condition for supply of the goods or services requested by the CDR consumer.
1.10D Meaning of sponsorship arrangement, sponsor and affiliate
(1) A sponsorship arrangement is a written contract between a person with unrestricted accreditation (the sponsor) and another person (the affiliate), under which:
(a) the sponsor agrees to disclose to the affiliate, in response to a consumer data request made by the affiliate in accordance with rule 5.1B(2), CDR data that it holds as an accredited data recipient; and
(b) the affiliate undertakes to provide the sponsor with such information and access to its operations as is needed for the sponsor to fulfil its obligations as a sponsor.
Note: A person does not need to have sponsored accreditation to enter into a sponsorship arrangement as an affiliate, but will need it to make the consumer data requests mentioned in paragraph (a)
(2) A sponsorship arrangement may also provide for the sponsor to:
(a) make consumer data requests at the request of the affiliate; or
(b) use or disclose CDR data at the request of the affiliate.
Division 1.4—General provisions relating to data holders and to accredited persons
Subdivision 1.4.1—Preliminary
1.11 Simplified outline of Division
This Division sets out:
• general obligations of data holders which relate to product data requests and consumer data requests; and
• general obligations for data holders and accredited persons to provide CDR consumers with consumer dashboards, which contain information relating to consumer data requests, and a functionality for amending or withdrawing consents, and for withdrawing authorisations, under these rules.
Subdivision 1.4.2—Services for making requests under these rules
1.12 Product data request service
(1) A data holder must provide an online service that:
(a) can be used to make product data requests; and
(b) enables requested data to be disclosed in machine‑readable form; and
(c) conforms with the data standards.
Note 1: See rule 2.3 for the meaning of “product data request”.
Note 2: This subrule is a civil penalty provision (see rule 9.8).
Note 3: For the energy sector, this rule is modified by clause 4.2 of Schedule 4.
(2) Such a service is a product data request service.
1.13 Consumer data request service
(1) A data holder must provide:
(a) an online service that:
(i) can be used by eligible CDR consumers to make consumer data requests directly to the data holder; and
(ii) allows a request to be made in a manner that is no less timely, efficient and convenient than any of the online services that are ordinarily used by customers of the data holder to deal with it; and
(iii) enables requested data to be disclosed in human‑readable form; and
(iv)sets out any fees for disclosure of voluntary consumer data; and
(v) conforms with the data standards; and
(b) an online service that:
(i) can be used by accredited persons to make consumer data requests, on behalf of eligible CDR consumers, to the data holder; and
(ii) enables requested data to be disclosed in machine‑readable form; and
(iii) conforms with the data standards; and
(c) for each eligible CDR consumer that is not an individual—a service that can be used to:
(i) nominate one or more individuals 18 years of age or older (nominated representatives) who are able to give, amend and manage authorisations to disclose CDR data for the purposes of these rules on behalf of the CDR consumer; and
(ii) revoke such a nomination; and
(d) for each partnership that relates to a partnership account with the data holder—a service that can be used to:
(i) nominate one or more individuals 18 years of age or older (nominated representatives) who are able to give, amend and manage authorisations to disclose CDR data that relate to the partnership accounts of that partnership for the purposes of these rules on behalf of the CDR consumers who are its partners; and
(ii) revoke such a nomination; and
(e) in relation to each account in relation to which a person has account privileges―a service that can be used by the account holder to:
(i) make a secondary user instruction; and
(ii) withdraw the instruction.
Note 1: See rule 3.3 for the meaning of “consumer data request” in relation to a request made by a CDR consumer directly to a data holder.
Note 2: See rule 4.4 for the meaning of “consumer data request” in relation to a request made by an accredited person to a data holder on behalf of a CDR consumer.
Note 3: In the circumstances of paragraphs (1)(c) and (d), a person or partnership that does not have a nominated representative will not able to give or amend authorisations, or use the dashboard to manage authorisations (see subrule 1.15(2A)), and accordingly, the data holder will be neither required nor permitted to disclose the requested CDR data under these rules.
Note 4: The services of paragraphs (c), (d) and (e) may, but need not, be online.
Note 5: This subrule is a civil penalty provision (see rule 9.8).
(2) The service referred to in paragraph (1)(a) is the data holder’s direct request service.
(3) The service referred to in paragraph (1)(b) is the data holder’s accredited person request service.
(4) A data holder does not contravene subrule (1) in relation to subparagraph (1)(a)(ii) so long as it takes reasonable steps to ensure that the online service complies with that subparagraph.
Subdivision 1.4.3—Services for managing consumer data requests made by accredited persons
1.14 Consumer dashboard—accredited person
(1) Subject to subrule (5), an accredited person must provide each eligible CDR consumer on whose behalf the accredited person makes a consumer data request with an online service that:
(a) can be used by the CDR consumer to manage:
(i) such requests; and
(ii) associated consents; and
(b) contains the details of each consent specified in subrule (3) and the information specified in subrule (3A); and
(c) has a functionality that:
(i) allows the CDR consumer, at any time, to:
(A) withdraw current consents; and
(B) elect that redundant data be deleted in accordance with these rules and withdraw such an election; and
(ii) is simple and straightforward to use; and
(iii) is prominently displayed.
Note: This subrule is a civil penalty provision (see rule 9.8).
(2) Such a service is the accredited person’s consumer dashboard for that consumer.
(2A) The consumer dashboard may, on and after 1 July 2021, also include a functionality that allows a CDR consumer to amend a current consent.
(3) For paragraph (1)(b), the information is the following for each consent:
(a) details of the CDR data to which the consent relates;
(b) for a use consent―details of the specific use or uses for which the CDR consumer has given their consent;
(c) when the CDR consumer gave the consent;
(d) whether the consent applies:
(i) on a single occasion; or
(ii) over a period of time;
(e) if a collection consent or disclosure consent applies over a period of time:
(i) what that period is; and
(ii) how often data has been, and is expected to be, collected or disclosed over that period;
(ea) for an insight disclosure consent—a description of the CDR insight and to whom it was disclosed;
(f) if the consent is current—when it is scheduled to expire;
(g) if the consent is not current—when it expired;
(h) information relating to CDR data that was collected or disclosed pursuant to the consent (see rule 7.4 and rule 7.9);
(ha) if the accredited person is an affiliate and the CDR data will be collected by a sponsor at its request:
(i) the sponsor’s name; and
(ii) the sponsor’s accreditation number;
(i) details of each amendment (if any) that has been made to the consent.
Note 1: For paragraph (f), consents expire at the latest 12 months after they are given or, in some circumstances, amended: see paragraph 4.14(1)(d).
Note 2: For the specific uses that are possible, see the data minimisation principle (rule 1.8).
Note 3: The consumer dashboard could contain other information too, for example, the written notices referred to in rule 7.15 (which deals with correction requests under privacy safeguard 13, section 56EP of the Act).
(3A) For paragraph (1)(b), the other information is:
(a) a statement that the CDR consumer is entitled to request further records in accordance with rule 9.5; and
(b) information about how to make such a request.
(4) An accredited person does not contravene subrule (1) in relation to subparagraph (1)(c)(ii) so long as it takes reasonable steps to ensure that the functionality complies with that subparagraph.
Dashboard in relation to CDR representative
(5) Where a CDR principal makes a consumer data request at the request of a CDR representative, it may arrange for the CDR representative to provide the consumer dashboard on its behalf.
1.15 Consumer dashboard—data holder
(b) is, in relation to the CDR consumer:
(i) customer data that is held in relation to a relevant account; or
(ii) account data for a relevant account that is open; or
(iii) billing data from a relevant account for a time:
(A) at which that or another relevant account was open; and
(B) that is not more than 2 years before the day of the request; or
(iv) AEMO data in relation to a relevant account; or
(v) tailored tariff data for a relevant account that is open; and
(c) relates to a time at which an account holder for the relevant account was associated with the premises to which the request relates; and
(d) is held by the data holder or holders in a digital form.
Note 1: For subparagraph (b)(v), for a consumer data request, tailored tariff data could include the following:
· any rates or charges under the plan that were negotiated individually with a CDR consumer;
· any features and benefits negotiated individually with a CDR consumer.
Note 2: So long as the CDR consumer is eligible to make a consumer data request in relation to a particular data holder, they will be able to make or cause to be made a consumer data request that relates to any account they have with the data holder, including closed accounts (subject to subclauses (4) and (5)).
Note 3: A person is not a data holder of CDR data that was held by or on behalf of them before the earliest holding day (see paragraph 56AJ(1)(b) of the Act). Accordingly, such data cannot be requested under these rules.
(3) For these rules, subject to this clause, voluntary consumer data, in relation to the energy sector, means CDR data for which there are one or more CDR consumers that:
(a) is energy sector data; and
(b) relates to a time at which an account holder for the account was associated with the premises to which the request relates; and
(c) is not required consumer data.
(4) For this clause:
(a) CDR data is neither required consumer data nor voluntary consumer data at a particular time if the data is:
(i) account data, billing data or tailored tariff data in relation to an account that is not any of the following:
(A) an account held in the name of a single person;
(B) a joint account;
(C) a partnership account; or
(ii) account data, billing data or tailored tariff data in relation to a joint account or partnership account for which any of the individuals who are account holders is less than 18 years of age at that time; or
(iii) AEMO data in relation to any such account; and
(b) CDR data is neither required consumer data nor voluntary consumer data in relation to a consumer data request made by or on behalf of a particular person if the data is:
(i) customer data in relation to any account holder or secondary user other than that person; or
(ii) AEMO data in relation to premises other than premises covered by the relevant arrangement at the time to which the data relates.
(5) For this clause, energy sector data is neither required consumer data nor voluntary consumer data in relation to a data holder that is not a retailer or AEMO.
Note: The effect of this provision is that an accredited person who becomes a data holder in relation to energy sector CDR data by the operation of subsection 56AJ(3) of the Act is not required to respond to a consumer data request for the data.
Exception to required consumer data―open accounts
(6) Despite subclause (2), for an account that is open at a particular time, CDR data that relates to a transaction or event that occurred more than 2 years before that time is not required consumer data.
Note: As a result, such CDR data would be voluntary consumer data.
Exception to required consumer data―closed accounts
(7) Despite subclause (2), for an account that is closed at a particular time, each of the following is not required consumer data:
(a) CDR data held by AEMO, other than metering data;
(b) CDR data held by a retailer, other than billing data; and
(c) CDR data that is not excluded by paragraph (a) or (b), but relates to a transaction or event that occurred more than 2 years before that time.
Part 4—Roles of AEMO and the energy sector agencies
4.1 AER and the Victorian agency may act on each other’s behalf
(1) Where these rules require or permit one of the energy sector agencies to do any thing in relation to receiving or responding to product data requests (including the provision of a product data request service), the other agency may, at the first agency’s request, do the thing on behalf of the first agency.
(2) For this clause, the energy sector agencies are the AER and the Victorian agency.
4.2 Product data request service
(1) Despite rule 1.12, a data holder of energy sector data, other than the AER and the Victorian agency, is not required to provide a product data request service.
(2) However, if such a data holder chooses to provide an online service that can be used to make product data requests, the service must comply with rule 1.12.
4.3 Meaning of SR data and primary data holder—energy sector
For these rules:
(a) SR data, in relation to the energy sector, means AEMO data in relation to a CDR consumer; and
(b) the primary data holder for the SR data is the relevant retailer.
Note: Paragraph (a) also makes AEMO the secondary data holder for the SR data.
4.4 SR data must be obtained from AEMO
On receiving an SR data request under Part 3 or Part 4 of these rules, a retailer must request from AEMO, using the service mentioned in subrule 1.20(2), any SR data to be used in responding to the request
Note: AEMO is the secondary data holder for the SR data. This provision requires a retailer that happens to be the direct holder of any AEMO data that is subject to a consumer data request to ignore its data holding in responding to the request, and obtain the data from AEMO for that purpose.
4.5 Civil penalties do not apply
A civil penalty imposed by these rules for a breach of a provision of these rules, including one imposed by rule 9.8 by declaring the relevant provision to be a civil penalty provision, does not apply in relation to AEMO, the AER or the Victorian agency in relation to energy sector data.
Part 5—Dispute resolution―energy sector
Note:See the definition of “meets the internal dispute resolution requirements” in subrule 1.7(1), paragraph 5.12(b) of these rules, and rule 6.1.
5.1 Meeting internal dispute resolution requirements—energy sector
Accredited persons
(1) For the energy sector, an accredited person, other than an accredited person that is also a retailer, meets the internal dispute resolution requirements if its internal dispute resolution processes comply with provisions of Regulatory Guide 271 that deal with the following:
(a) standards that its internal dispute resolution procedures or processes must meet regarding the following:
(i) commitment and culture;
(ii) the enabling of complaints;
(iii) resourcing;
(iv) responsiveness;
(v) objectivity and fairness;
(vi) policy and procedures;
(vii) data collection, analysis and internal reporting;
(viii) continuous improvement;
(b) outsourcing internal dispute resolution processes;
(c) acknowledgement of complaint;
(d) what an internal dispute resolution response must contain;
(e) maximum timeframes for an internal dispute resolution response;
(f) internal dispute resolution response requirements for multi‑tier internal dispute resolution processes;
(g) the role of customer advocates;
(h) establishing links between internal dispute resolution processes and external dispute resolution;
(i) systemic issues.
Data holders
(2) For the energy sector, a retailer (including a retailer that is also an accredited person) meets the internal dispute resolution requirements if its internal dispute resolution processes satisfy the applicable requirements for the retailer’s standard complaints and dispute resolution procedures under the National Energy Retail Law or the Energy Retail Code (Victoria).
(3) Part 6 does not apply in relation to the AER, the Victorian agency or AEMO, in their capacity as data holders in the energy sector.
Definition
(4) In this clause:
Regulatory Guide 271 means Regulatory Guide 271 published by the Australian Securities & Investments Commission, as in force from time to time and applied as if:
(a) references to complaints were references to CDR consumer complaints; and
(b) references to financial firms and financial service providers were references to CDR participants.
Note: Regulatory Guide 271 could in 2021 be accessed from the Australian Securities & Investments Commission’s website ( External dispute resolution requirements—energy sector
Note: The Australian Financial Complaints Authority and the energy and water ombudsman of each State and Territory are recognised as external dispute resolution schemes for section 56DA of the Act.
Accredited persons
(1) For the purposes of paragraph 5.12(1)(c) of these rules, an accredited person, other than an accredited person to which subclause (3) applies, must be a member of the Australian Financial Complaints Authority in relation to CDR consumer complaints.
Data holders
(2) For the purposes of rule 6.2 (Requirement for data holders—external dispute resolution), a retailer must, in each relevant jurisdiction:
(a) if the jurisdiction has an energy and water ombudsman recognised in accordance with section 56DA of the Act—be a member of that ombudsman in relation to CDR consumer complaints; and
(b) otherwise—take the necessary steps to participate in the dispute resolution process provided by the jurisdiction that is appropriate for CDR consumer complaints.
Certain accredited persons that are also retailers
(3) For the purposes of paragraph 5.12(1)(c) of these rules, a retailer that:
(a) is, or becomes, an accredited person; and
(b) does not use any energy sector CDR data that it collects in order to provide services outside the energy sector;
must, in each relevant jurisdiction:
(c) if the jurisdiction has an energy and water ombudsman recognised in accordance with section 56DA of the Act—be a member of the that ombudsman in relation to CDR consumer complaints; and
(d) otherwise—take the necessary steps to participate in the dispute resolution process provided by the jurisdiction that is appropriate for such CDR consumer complaints.
Part 6—Privacy safeguards―energy sector
6.1 Responding to correction request (rule 7.15)
(1) This clause applies to a retailer that receives a request under subsection 56EP(1) or (2) of the Act that relates to AEMO data.
(2) In relation to the AEMO data, rule 7.15 applies as if paragraphs (b) and (c) were replaced by the following:
“ (b) as soon as practicable:
(i) initiate the relevant correction procedures under the National Electricity Rules in relation to any NMI standing data or metering data for which correction is requested; and
(ii) if the request relates to DER register data, provide the requester with information about how the requester can contact the distributor to have the data corrected.”.
Part 7—Reporting and record keeping―energy sector
7.1 Reporting requirements (rule 9.4)
Rule 9.4 applies to AER and the Victorian agency as if subrule 9.4(1) were replaced by the following, referring to either as “the Agency”:
“(1) The Agency must prepare a report for each reporting period that:
(a) is in the form approved by the Commission for the purposes of this rule; and
(b) sets out the number (if any) of product data requests received by the Agency during the reporting period; and
(c) sets out:
(i) the number of times the Agency refused to disclose CDR data; and
(ii) the rule or data standard relied upon to refuse to disclose that data; and
(iii) the number of times the Agency has relied on each of those rules or data standards as a ground of refusal.”.
Part 8—Staged application of these rules to the energy sector
8.1 Interpretation
In this Part:
complex request means a consumer data request that:
(a) is made on behalf of a large customer; or
(b) is made on behalf of a secondary user; or
(c) relates to a joint account or a partnership account.
initial retailer has the meaning given by clause 8.2.
large customer means a CDR consumer that is:
(a) in relation to a retailer that is subject to the Electricity Industry Act2000 (Vic)—a relevant customer for the purposes of that Act; or
(b) otherwise—a large customer for the purposes of the National Energy Retail Law.
larger retailer has the meaning given by clause 8.3.
small retailer means a retailer that is not either an initial retailer or a larger retailer.
tranche 1 date means 15 November 2022.
tranche 1 (VA) date means a date specified by the Minister in a notifiable instrument made for the purposes of this definition.
tranche 2 date means 15 May 2023.
tranche 3 date means 1 November 2023.
tranche 4 date means 1 May 2024.
8.2 Meaning of initial retailer
In this Schedule, initial retailer means any of the following:
The AGL Energy Group
(a) AGL Sales (Queensland Electricity) Pty Limited – ABN 66 078 875 902;
(b) AGL South Australia Pty Ltd ‑ ABN 49 091 105 092;
(c) AGL Sales Pty Limited ‑ ABN 88 090 538 337;
The Origin Energy Group
(d) Origin Energy Electricity Limited ‑ ABN 33 071 052 287;
(e) any other subsidiary of Origin Energy Limited authorised or licensed to sell electricity in the National Electricity Market;
The Energy Australia Group
(f) EnergyAustralia Pty Ltd ‑ ABN 99 086 014 968;
(g) EnergyAustralia Yallourn Pty Ltd ‑ ABN 47 065 325 224.
8.3 Meaning of larger retailer
(1) For this Part:
(a) a retailer that had 10,000 or more small customers on the amendment day is a larger retailer; and
(b) a retailer that had 10,000 or more small customers at all times during a financial year that begins on or after the amendment day is also a larger retailer on and from the day 12 months after the end of that financial year.
(2) For this clause:
(a) a person is a small customer of a retailer if the person is:
(i) a domestic or small business customer of the retailer within the meaning given in section 3 of the Electricity Industry Act 2000 (Vic); or
(ii) a small customer of the retailer within the meaning of section 5 of the National Energy Retail Law; and
(b) the amendment day is the day on which Schedule 1 to the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2021 commenced.
8.4 Product data requests under Part 2 of these rules
(1) Part 2 of these rules (Part 2) does not apply in relation to energy sector data except as provided in this clause.
(2) Part 2 applies to the AER on and from 1 October 2022.
(3) Part 2 applies to the Victorian agency on and from the tranche 1 (VA) date.
8.5 Consumer data requests under Part 3 of these rules
Part 3 of these rules does not apply in relation to energy sector data.
8.6 Consumer data requests under Part 4 of these rules
(1) Part 4 of these rules (Part 4) does not apply in relation to energy sector data except as provided in this clause.
Tranche 1 — 15 November 2022
(2) Part 4 applies in relation to an initial retailer, except in relation to a complex request, on and from the tranche 1 date.
(3) Part 4 applies to AEMO on and from the tranche 1 date.
Tranche 2 — 15 May 2023
(4) Part 4 applies in relation to an initial retailer in relation to a complex request on and from the tranche 2 date.
Tranche 3 — 1 November 2023
(5) Part 4 applies to a larger retailer, except in relation to a complex request, on and from the later of the tranche 3 date and the date that it becomes a larger retailer.
Tranche 4 — 1 May 2024
(6) Part 4 applies to a larger retailer in relation to a complex request on and from the later of the tranche 4 date and the date that it becomes a larger retailer.
Application of Part 4 to small retailers that are accredited persons
(7) Part 4 applies to a small retailer that is an accredited person, except in relation to a complex request, on and from the later of:
(a) the day 12 months after the tranche 1 date; and
(b) the day 12 months after the day that it became an accredited person.
(8) Part 4 applies to a small retailer that is an accredited person in relation to a complex request on and from the later of:
(a) the day 18 months after the tranche 1 date; and
(b) the day 18 months after the day that it became an accredited person.
Voluntary application of Part 4 to small retailers
(9) A small retailer may notify the Commission that it wishes Part 4 to apply to it:
(a) except in relation to a complex request—on and from a specified date that is no earlier than the tranche 1 date; and
(b) in relation to a complex request—on and from a specified date that is no earlier than the tranche 2 date.
(10) Subject to subclauses (7) and (8), Part 4 applies in relation to the small retailer, in accordance with the request, on and from the dates so specified.
8.7 Authorisation to disclose CDR data before being required to do so
(1) This clause applies in relation to a request for disclosure of CDR data that has been made to a retailer in accordance with Part 2, Part 3 or Part 4 of these rules (the relevant data request Part) if:
(a) the request was made on or after the tranche 1 day; and
(b) the requested CDR data is any of the following:
(i) required product data;
(ii) voluntary product data;
(iii) required consumer data;
(iv) voluntary consumer data; and
(c) the requested CDR data includes some pre‑application CDR data.
(2) For these rules, the retailer may disclose any or all of the pre‑application CDR data in response to the request in accordance with the relevant data request Part.
(3) In this clause, pre‑application CDR data means CDR data that, but for the operation of this Part, the data holder would be required or authorised by the relevant data request Part to disclose in response to the request.
Part 9—Other rules, and modifications of these rules, for the energy sector
9.1 Laws relevant to the management of CDR data—energy sector
For paragraph (f) of the definition of “law relevant to the management of CDR data” in rule 1.7 of these rules:
(a) the National Electricity Law; and
(b) the National Energy Retail Law; and
(c) the Electricity Industry Act 2000 (Vic);
are laws relevant to the management of CDR data in relation to the energy sector.
9.2 Conditions for accredited person to be data holder
(1) For paragraph 56AJ(4)(c) of the Act, this clause sets out conditions for a person that has collected CDR data in accordance with a consumer data request under Part 4 of these rules to be a data holder (rather than an accredited data recipient) of that CDR data and any CDR data that it directly or indirectly derived from that CDR data (together, the relevant CDR data).
(2) The conditions are that:
(a) the person is a retailer; and
(b) the CDR data is information covered by item 1, 3 or 5 of the table in section 12 of the of the energy sector designation instrument; and
Note: These are the types of information for which a retailer is designated as a data holder under the designation instrument.
(c) the CDR consumer is a customer of the person; and
(d) the person:
(i) reasonably believes that the relevant CDR data is relevant to the arrangement with the CDR consumer; and
(ii) has asked the CDR consumer to agree to the person being a data holder, rather than an accredited data recipient, of the relevant CDR data; and
(iii) has explained to the CDR consumer:
(A) that, as a result, the privacy safeguards, to the extent that they apply to an accredited data recipient of CDR data, would no longer apply to the person in relation to the relevant CDR data; and
(B) the manner in which it proposes to treat the relevant CDR data; and
(C) why it is entitled to provide the CDR consumer with this option; and
(iv) has outlined the consequences, to the CDR consumer, of not agreeing to this; and
(e) the CDR consumer has agreed to the person being a data holder, rather than an accredited data recipient, of the relevant CDR data.
Related modifications of these rules
(3) If a person becomes a data holder, rather than an accredited data recipient, of CDR data as a result of subsection 56AJ(4) of the Act and this clause:
(b) for paragraph 4.26(1)(h) of these rules, any authorisations to disclose CDR data in relation to the consumer data request expire; and
(c) if the person’s accreditation has been surrendered or revoked, the following do not apply to the person in relation to that CDR data:
(i) subrule 5.23(2);
(ii) paragraph 5.23(3)(b).
9.3 Consultation by Data Recipient Accreditor (rule 5.4)
For paragraph 5.4(1)(c), the AER and the Essential Services Commission of Victoria are specified as authorities that the Data Recipient Accreditor may consult with.
9.4 AEMO not to appear on Registrar’s database (rule 5.25)
For the purposes of subrule 5.25(1), AEMO is not to be treated as a data holder.
Note: The function of the database to be maintained under subrule 5.25(1) is to provide information for the making of consumer data requests to data holders. Since requests for AEMO data will be made to the relevant retailer, the database will not require details relating to AEMO.
9.5 Grounds for revocation, suspension and surrender of accreditation—energy sector
For item 5 of the table in rule 5.17:
(a) the relevant condition is that the accredited person was, at the time of the accreditation, a retailer; and
(b) the accredited person ceases to satisfy the condition if its authorisation or licence to sell electricity in the National Electricity Market has been suspended or revoked.
Endnotes
Endnote 1—About the endnotes
The endnotes provide information about this compilation and the compiled law.
The following endnotes are included in every compilation:
Endnote 1—About the endnotes
Endnote 2—Abbreviation key
Endnote 3—Legislation history
Endnote 4—Amendment history
Abbreviation key—Endnote 2
The abbreviation key sets out abbreviations that may be used in the endnotes.
Legislation history and amendment history—Endnotes 3 and 4
Amending laws are annotated in the legislation history and amendment history.
The legislation history in endnote 3 provides information about each law that has amended (or will amend) the compiled law. The information includes commencement details for amending laws and details of any application, saving or transitional provisions that are not included in this compilation.
The amendment history in endnote 4 provides information about amendments at the provision (generally section or equivalent) level. It also includes information about any provision of the compiled law that has been repealed in accordance with a provision of the law.
Editorial changes
The Legislation Act 2003 authorises First Parliamentary Counsel to make editorial and presentational changes to a compiled law in preparing a compilation of the law for registration. The changes must not change the effect of the law. Editorial changes take effect from the compilation registration date.
If the compilation includes editorial changes, the endnotes include a brief outline of the changes in general terms. Full details of any changes can be obtained from the Office of Parliamentary Counsel.
Misdescribed amendments
A misdescribed amendment is an amendment that does not accurately describe the amendment to be made. If, despite the misdescription, the amendment can be given effect as intended, the amendment is incorporated into the compiled law and the abbreviation “(md)” added to the details of the amendment included in the amendment history.
If a misdescribed amendment cannot be given effect as intended, the abbreviation “(md not incorp)” is added to the details of the amendment included in the amendment history.
Endnote 2—Abbreviation key
| ad = added or inserted | o = order(s) |
| am = amended | Ord = Ordinance |
| amdt = amendment | orig = original |
| c = clause(s) | par = paragraph(s)/subparagraph(s) |
| C[x] = Compilation No. x | /sub‑subparagraph(s) |
| Ch = Chapter(s) | pres = present |
| def = definition(s) | prev = previous |
| Dict = Dictionary | (prev…) = previously |
| disallowed = disallowed by Parliament | Pt = Part(s) |
| Div = Division(s) | r = regulation(s)/rule(s) |
| ed = editorial change | reloc = relocated |
| exp = expires/expired or ceases/ceased to have | renum = renumbered |
| effect | rep = repealed |
| F = Federal Register of Legislation | rs = repealed and substituted |
| gaz = gazette | s = section(s)/subsection(s) |
| LA = Legislation Act 2003 | Sch = Schedule(s) |
| LIA = Legislative Instruments Act 2003 | Sdiv = Subdivision(s) |
| (md) = misdescribed amendment can be given | SLI = Select Legislative Instrument |
| effect | SR = Statutory Rules |
| (md not incorp) = misdescribed amendment | Sub‑Ch = Sub‑Chapter(s) |
| cannot be given effect | SubPt = Subpart(s) |
| mod = modified/modification | underlining = whole or part not |
| No. = Number(s) | commenced or to be commenced |
Endnote 3—Legislation history
| Name | Registration | Commencement | Application, saving and transitional provisions |
| Competition and Consumer (Consumer Data Right) Rules 2020 | 5 February 2020 (F2020L00094) | 6 February 2020 | — |
| Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2020 | 18 June 2020 (F2020L00757) | 19 June 2020 | — |
| Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2020 | 1 October 2020 (F2020L01278) | 2 October 2020 | — |
| Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020 | 22 December 2020 (F2020L01688) | 23 December 2020 | Schedule 1, item 105 |
| Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2021 | 5 October 2021 (F2021L01392) | Sch 1: 1 February 2022 (s 2(1) item 2) Sch 2 and Sch 6 (items 1–3, 15, 18, 19): 19 October 2021 (s 2(1) items 3, 5) Remainder: 6 October 2021 (s 2(1) items 1, 4, 6, 7) | Schedule 7 |
| Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2021 | 15 November 2021 (F2021L01561) | 16 November 2021 (s 2(1)) | — |
Endnote 4—Amendment history
| Provision affected | How affected |
| Part 1 | |
| Division 1.1 | |
| r 1.2 | rep LA s 48D |
| Division 1.2 | |
| r 1.4 | am F2020L01688; F2021L01561 |
| r 1.6 | am F2020L01278, F2020L01688; F2021L01392; F2021L01561 |
| Division 1.3 | |
| r 1.7 | am F2020L00757, F2020L01278, F2020L01688; F2021L01392; F2021L01561 |
| r 1.8 | am F2020L01688 |
| r 1.9 | am F2020L01688 |
| r 1.10 | rs F2020L01278 |
| am F2021L01392 | |
| r 1.10AA | ad F2021L01392 |
| r 1.10A | ad F2020L01688 |
| am F2021L01392 | |
| r 1.10B | ad F2021L01561 |
| r 1.10C | ad F2021L01392 |
| r 1.10D | ad F2021L01392 |
| Division 1.4 | |
| Subdivision 1.4.1 | |
| r 1.11 | am F2020L01688 |
| Subdivision 1.4.2 | |
| r 1.12 | am F2021L01561 |
| r 1.13 | am F2020L00757, F2020L01688; F2021L01561 |
| Subdivision 1.4.3 | |
| r 1.14 | am F2020L01688; F2021L01392 |
| r 1.15 | rs F2020L01688 |
| am F2021L01392; F2021L01561 | |
| Subdivision 1.4.4 | |
| Subdivision 1.4.4 heading | am F2020L01688 |
| r 1.16 | rs F2020L01278 |
| am F2021L01392 | |
| ed C4 | |
| r 1.16A | ad F2021L01392 |
| Subdivision 1.4.5 | |
| r 1.17 | am F2021L01392 |
| r 1.18 | am F2020L01278, F2020L01688; F2021L01561 |
| Division 1.5 | |
| Division 1.5 | ad F2021L01561 |
| r 1.19 | ad F2021L01561 |
| r 1.20 | ad F2021L01561 |
| r 1.21 | ad F2021L01561 |
| r 1.22 | ad F2021L01561 |
| r 1.23 | ad F2021L01561 |
| r 1.24 | ad F2021L01561 |
| r 1.25 | ad F2021L01561 |
| r 1.26 | ad F2021L01561 |
| Part 2 | |
| r 2.1 | am F2021L01561 |
| r 2.3 | am F2020L01688; F2021L01561 |
| r 2.4 | am F2020L01688; F2021L01561 |
| Part 3 | |
| Division 3.1 | |
| r 3.1 | am F2021L01392 |
| Division 3.2 | |
| r 3.3 | am F2021L01561 |
| r 3.4 | am F2021L01392; F2021L01561 |
| r 3.5 | am F2020L00757; F2021L01392 |
| Part 4 | |
| Division 4.1 | |
| Division 4.1 | rs F2020L01688 |
| r 4.1 | am F2021L01392 |
| Division 4.2 | |
| Division 4.2 heading | am F2020L01688 |
| Subdivision 4.2.1 | |
| Subdivision 4.2.1 | ad F2020L01688 |
| Subdivision 4.2.2 | |
| Subdivision 4.2.2 heading | ad F2020L01688 |
| r 4.3 | rs F2020L01688 |
| am F2021L01392 | |
| r 4.3A | ad F2021L01392 |
| r 4.3B | ad F2021L01392 |
| r 4.3C | ad F2021L01392 |
| am F2021L01561 | |
| Subdivision 4.2.3 | |
| Subdivision 4.2.3 heading | ad F2020L01688 |
| r 4.4 | rs F2020L01688 |
| am F2021L01392 | |
| r 4.5 | am F2020L01688; F2021L01561 |
| r 4.6 | am F2020L01688; F2021L01392; F2021L01561 |
| r 4.6A | ad F2020L01688 |
| r 4.7 | am F2020L00757; F2021L01392; F2021L01561 |
| Subdivision 4.2.4 | |
| Subdivision 4.2.4 | ad F2020L01688 |
| r 4.7A | am F2021L01392 |
| r 4.7B | am F2021L01561 |
| Division 4.3 | |
| Division 4.3 | rs F2020L01688 |
| Subdivision 4.3.2 | |
| r 4.10 | am F2021L01392 |
| r 4.11 | am F2021L01392 |
| Subdivision 4.3.4 | |
| r 4.16 | am F2021L01392 |
| Subdivision 4.3.5 | |
| r 4.20A | ad F2021L01392 |
| Division 4.4 | |
| Division 4.4 | rs F2020L01688 |
| Part 4A | |
| Part 4A | ad F2021L01392 |
| Division 4A.1 | |
| r 4A.1 | ad F2021L01392 |
| r 4A.2 | ad F2021L01392 |
| r 4A.3 | ad F2021L01392 |
| Division 4A.2 | |
| r 4A.4 | ad F2021L01392 |
| r 4A.5 | ad F2021L01392 |
| r 4A.6 | ad F2021L01392 |
| r 4A.7 | ad F2021L01392 |
| r 4A.8 | ad F2021L01392 |
| Division 4A.3 | |
| Subdivision 4A.3.1 | |
| r 4A.9 | ad F2021L01392 |
| Subdivision 4A.3.2 | |
| r 4A.10 | ad F2021L01392 |
| r 4A.11 | ad F2021L01392 |
| r 4A.12 | ad F2021L01392 |
| r 4A.13 | ad F2021L01392 |
| r 4A.14 | ad F2021L01392 |
| r 4A.15 | ad F2021L01392 |
| Part 5 | |
| Division 5.2 | |
| Subdivision 5.2.1A | |
| Subdivision 5.2.1A | ad F2021L01392 |
| r 5.1A | ad F2021L01392 |
| r 5.1B | ad F2021L01392 |
| Subdivision 5.2.1 | |
| r 5.2 | am F2021L01392 |
| Subdivision 5.2.2 | |
| r 5.4 | am F2021L01561 |
| r 5.5 | am F2021L01392; F2021L01561 |
| r 5.10 | am F2020L01688 |
| Subdivision 5.2.3 | |
| r 5.12 | am F2020L01688; F2021L01392; F2021L01561 |
| r 5.14 | am F2021L01392 |
| r 5.15 | am F2021L01392 |
| Subdivision 5.2.4 | |
| r 5.17 | am F2020L00757; F2021L01392; F2021L01561 |
| ed C7 | |
| r 5.18 | am F2020L00757; F2021L01392 |
| Division 5.3 | |
| r 5.24 | am F2020L00757; F2021L01392 |
| r 5.25 | am F2021L01561 |
| r 5.30 | am F2020L00757 |
| r 5.33 | ad F2020L01688 |
| r 5.34 | ad F2020L01688 |
| Part 6 | |
| r 6.1 | am F2021L01561 |
| r 6.2 | am F2021L01561 |
| Part 7 | |
| Division 7.2 | |
| Subdivision 7.2.1 | |
| r 7.2 | am F2020L01278, F2020L01688; F2021L01392 |
| rs F2021L01561 | |
| am F2021L01392 | |
| r 7.3 | am F2021L01392; F2021L01561 |
| r 7.3A | ad F2021L01392 |
| Subdivision 7.2.2 | |
| r 7.4 | am F2020L01278, F2020L01688 |
| rs F2021L01392 | |
| Subdivision 7.2.3 | |
| r 7.5 | am F2020L01278, F2020L01688; F2021L01392 |
| ed C4 | |
| am F2021L01561 | |
| r 7.5A | ad F2020L01688 |
| am F2021L01392 | |
| r 7.6 | am F2020L01278; F2021L01392 |
| r 7.8A | ad F2021L01392 |
| r 7.9 | am F2020L01278, F2020L01688; F2021L01392 |
| Subdivision 7.2.4 | |
| r 7.10 | am F2020L01278, F2020L01688 |
| r 7.10A | ad F2021L01392 |
| r 7.11 | am F2021L01392 |
| r 7.12 | am F2020L01278; F2021L01392 |
| ed C5 | |
| Subdivision 7.2.5 | |
| r 7.15 | am F2021L01561 |
| r 7.16 | ad F2021L01392 |
| Part 8 | |
| Division 8.1 | |
| r 8.1 | am F2021L01561 |
| Division 8.2 | |
| Division 8.2 heading | am F2021L01561 |
| r 8.2 | rs F2021L01561 |
| r 8.3 | am F2021L01561 |
| r 8.4 | am F2021L01561 |
| r 8.5 | am F2021L01561 |
| r 8.6 | am F2021L01561 |
| r 8.7 | am F2021L01561 |
| Division 8.4 | |
| r 8.11 | am F2020L01688; F2021L01392; F2021L01561 |
| Part 9 | |
| Division 9.3 | |
| Subdivision 9.3.1 | |
| r 9.3 | am F2020L01278, F2020L01688; F2021L01392; F2021L01561 |
| r 9.4 | am F2020L01688; F2021L01392 |
| ed C5 | |
| am F2021L01561 | |
| r 9.5 | am F2020L01688; F2021L01392 |
| Subdivision 9.3.2 | |
| r 9.7 | am F2020L01688 |
| Division 9.4 | |
| r 9.8 | am F2020L01278, F2020L01688 |
| rs F2021L01392; F2021L01561 | |
| Schedule 1 | |
| Part 2 | |
| c 2.1 | am F2020L01688; F2021L01392; F2021L01561 |
| c 2.2 | ad F2021L01392 |
| Schedule 2 | |
| Part 1 | |
| c 1.5 | am F2021L01392 |
| Part 2 | |
| c 2.2 | am F2020L00757, F2020L01278; F2021L01392 |
| Schedule 3 | |
| Part 1 | |
| c 1.1 | am F2021L01392 |
| c 1.2 | am F2020L01688; F2021L01392; F2021L01561 |
| c 1.3 | am F2020L00757 |
| Part 2 | |
| c 2.1 | am F2020L00757, F2020L01688 |
| rs F2021L01561 | |
| c 2.2 | ad F2020L01688 |
| c 2.3 | ad F2021L01561 |
| Part 3 | |
| c 3.1 | am F2021L01561 |
| c 3.2 | am F2020L00757, F2020L01688; F2021L01561 |
| Part 4 | rs F2020L01688 |
| rep F2021L01392 | |
| Part 5 | |
| c 5.1 | rs F2021L01561 |
| Part 6 | |
| Division 6.1 | |
| c 6.1 | am F2020L01688 |
| c 6.2 | am F2020L01688; F2021L01561 |
| c 6.3 | rep F2020L01688 |
| Division 6.2 | |
| c 6.4 | am F2020L01688; F2021L01392 |
| c 6.5 | rs F2020L01688 |
| c 6.6 | rs F2020L01688; F2021L01392 |
| c 6.7 | ad F2020L01688 |
| Part 7 | |
| c 7.2 | am F2020L01688 |
| c 7.5 | ad F2021L01561 |
| Schedule 4 | |
| Schedule 4 | ad F2021L01561 |
| Part 1 | |
| c 1.1 | ad F2021L01561 |
| c 1.2 | ad F2021L01561 |
| c 1.3 | ad F2021L01561 |
| c 1.4 | ad F2021L01561 |
| Part 2 | |
| c 2.1 | ad F2021L01561 |
| c 2.2 | ad F2021L01561 |
| c 2.3 | ad F2021L01561 |
| Part 3 | |
| c 3.1 | ad F2021L01561 |
| c 3.2 | ad F2021L01561 |
| Part 4 | |
| c 4.1 | ad F2021L01561 |
| c 4.2 | ad F2021L01561 |
| c 4.3 | ad F2021L01561 |
| c 4.4 | ad F2021L01561 |
| c 4.5 | ad F2021L01561 |
| Part 5 | |
| c 5.1 | ad F2021L01561 |
| c 5.2 | ad F2021L01561 |
| Part 6 | |
| c 6.1 | ad F2021L01561 |
| Part 7 | |
| c 7.1 | ad F2021L01561 |
| Part 8 | |
| c 8.1 | ad F2021L01561 |
| c 8.2 | ad F2021L01561 |
| c 8.3 | ad F2021L01561 |
| c 8.4 | ad F2021L01561 |
| c 8.5 | ad F2021L01561 |
| c 8.6 | ad F2021L01561 |
| c 8.7 | ad F2021L01561 |
| Part 9 | |
| c 9.1 | ad F2021L01561 |
| c 9.2 | ad F2021L01561 |
| c 9.3 | ad F2021L01561 |
| c 9.4 | ad F2021L01561 |
| c 9.5 | ad F2021L01561 |
Endnote 5—Editorial changes
In preparing this compilation for registration, the following kinds of editorial change(s) were made under the Legislation Act 2003.
Subrule 5.17(1) (table item 11)
Kind of editorial change
Renumbering of provisions
Details of editorial change
Schedule 1 item 18 of the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2021 provides as follows:
18 Table in subrule 5.17(1)
Add at the end:
| 11 | for a person with sponsored accreditation: (a) a sponsorship arrangement expires or terminates; or (b) the accreditation of a sponsor is suspended or revoked; or (a) the person has had a sponsor but now has none; | may, in writing: (a) suspend; or (b) revoke; the person’s accreditation, as appropriate. |
Column 2 of table item 11 of subrule 5.17(1) contains two paragraph (a)s.
This compilation was editorially changed by renumbering the second occurring paragraph (a) as paragraph (c).
0
0
0