OAIC seeks feedback on draft CDR privacy safeguard guidelines

Submissions from industry and the public are being accepted until November 20.

The Office of the Australian Information Commission (OAIC) wants to hear from industry and the public on the draft privacy safeguard guidelines for the upcoming Consumer Data Right (CDR).

The guidelines have been set out by the OAIC to help industry understand and interpret their obligations under the CDR framework, which will come into effect from February 2020.

"We are looking for business to engage with the draft guidelines, including small business as they will be subject to privacy obligations when they are accredited," Australian Information Commissioner and Privacy commissioner Angelene Falk said.

See also: Biometrics, CDR, broadband tax: All the Bills Canberra wants to reheat in 2019

"This may be a new experience for them, given many small businesses are not subject to the Privacy Act, and we want to provide guidance and practical tips to all CDR participants to help them to comply with the scheme's privacy safeguards."

As part of consulting on these guidelines, the OAIC is seeking feedback specifically on: Whether the guidelines are clear, relevant, and practical; if the guidelines meet the needs of entities in understanding their privacy safeguard obligations; whether there are topics the guidelines should cover that have not been covered or should be covered in greater detail; any topics that would benefit from visual aids; and any other ways the draft guide could be improved.

With submissions closing on November 20, the OAIC, which has been charged with regulating and enforcing the privacy aspects of the CDR, expects to report to the Treasurer and publish its final guidelines on December 16.

Read more: Rules drafted on how to access data under Consumer Data Right

Under the CDR scheme -- through the passage of the Treasury Laws Amendment (Consumer Data Right) Bill -- individuals will be able to "own" their data by granting them open access to their banking, energy, phone, and internet transactions, in addition to gaining the right to control who can have it and who can use it.

The first sector to which the CDR will apply is finance, through an open banking regime. Under this mandate, ANZ, Commonwealth Bank, National Australia Bank, and Westpac will be required to give consumers greater access to the information they hold on consumers as well as the power to require those banks to provide safe and secure access to that information to trusted third parties.

In August, the Australian government officially extended the CDR to include energy services to give consumers the chance to compare and easily switch energy providers. This was after the Australian Consumer and Competition Commission (ACCC), which was tasked with implementing the CDR, announced in February that energy data would join the CDR mandate in early 2020.  

The CDR for energy will initially apply only to the National Electricity Market, which excludes Western Australia and the Northern Territory, before it is expanded to other energy markets over time.

The ACCC is currently developing rules to accommodate energy-specific arrangements, including appropriate authorisation and authentication models, while continuing to consult with stakeholders on the next stages of the development of the CDR.

In March, ACCC released a draft document detailing the rules that would guide the implementation of the CDR.

Prior to the release of the guidelines, the Australian Privacy Foundation said the CDR privacy safeguards were not sufficient, and that the government had "severely" underestimated the need for more thought across the entire legislative change.

Meanwhile, Communications Alliance has been concerned that the legislation will not be overly applicable to industries other than banking, and that the rushed process will result in a disjointed framework that is not well thought out.

Related Coverage