Summary report of Consumer Data Right assessment 5

<!doctype html> <html lang="en"> <head> <title>Summary report of Consumer Data Right assessment 5 | OAIC</title>  <meta charset="utf-8"> <meta name="mobile-web-app-capable" content="yes"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0"> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">  <meta name="dcterms.title" content="Summary report of Consumer Data Right assessment 5"> <meta name="dcterms.creator" content="OAIC"> <meta name="dcterms.created" content="2024-06-19T13:54:46+10:00"> <meta name="dcterms.modified" content="2024-06-27T11:09:19+10:00"> <meta name="dcterms.issued" content="2024-06-26T11:53:49+10:00"> <meta name="dcterms.format" content="HTML"> <meta name="dcterms.identifier" content="https://www.oaic.gov.au/consumer-data-right/consumer-data-right-assessments/summary-report-of-cdr-assessment-5">    <meta name="publishedDate" content="26 June 2024"> <meta name="publishedDate_ISO" content="2024-06-26T00:00:00+10:00"> <meta name="description" content="Assessment of accredited persons’ Consumer Data Right policies under Privacy Safeguard 1 at May 2023" /> <meta name="pdISO" content="2024-06-26T00:00:00+10:00" /> <meta name="robots" content="" />  <meta name="chapter-nav" content="no" /> <meta name="chapter-nav-prev" content="" /> <meta name="chapter-nav-next" content="" /> <meta name="chapter-nav-prev-btn-text" content="Previous chapter" /> <meta name="chapter-nav-next-btn-text" content="Next chapter" /> <meta name="background_color" content="chapter-navigation__wrapper--white" />  <meta name="show-related-articles" content="no" /> <meta name="topic" content="Consumer Data Right" /> <meta name="contentType" content="Publication" /> <meta name="featuredNews" content="no" /> <meta name="author-name" content="" /> <meta name="author-title" content="" /> <meta name="author-image" content="" />  <meta name="type" content="web" />  <meta name="showFeedbackWidget" content="yes" /> <meta name="showShareWidget" content="yes" />  <meta itemprop="name" content="Summary report of Consumer Data Right assessment 5" /> <meta itemprop="description" content="Assessment of accredited persons’ Consumer Data Right policies under Privacy Safeguard 1 at May 2023" /> <meta itemprop="image" content="" />  <meta name="twitter:card" content="summary" /> <meta name="twitter:site" content="@OAICgov" /> <meta name="twitter:title" content="Summary report of Consumer Data Right assessment 5" /> <meta name="twitter:description" content="Assessment of accredited persons’ Consumer Data Right policies under Privacy Safeguard 1 at May 2023" /> <meta name="twitter:image" content="" />  <script type="application/ld+json"> { "@context": "https://schema.org", "@type": "WebPage", "name": "Summary report of Consumer Data Right assessment 5", "description": "Assessment of accredited persons’ Consumer Data Right policies under Privacy Safeguard 1 at May 2023", "url": "https://www.oaic.gov.au/consumer-data-right/consumer-data-right-assessments/summary-report-of-cdr-assessment-5", "datePublished": "19pm30Australia/Sydney", "dateModified": "27am30Australia/Sydney", "publisher": { "@type": "Organization", "name": "OAIC", "logo": { "@type": "ImageObject", "url": "https://www.oaic.gov.au/__data/assets/image/0028/245845/OAIC-logo-inline-dark-1.png", "caption": "OAIC - Australian Government - Office of the Australian Information Commissioner" } }, "mainEntityOfPage": { "@type": "WebPage", "@id": "https://www.oaic.gov.au/consumer-data-right/consumer-data-right-assessments/summary-report-of-cdr-assessment-5" } } </script>  <meta property="og:title" content="Summary report of Consumer Data Right assessment 5" /> <meta property="og:type" content="website" /> <meta property="og:url" content="https://www.oaic.gov.au/consumer-data-right/consumer-data-right-assessments/summary-report-of-cdr-assessment-5" /> <meta property="og:image" content="" /> <meta property="og:description" content="Assessment of accredited persons’ Consumer Data Right policies under Privacy Safeguard 1 at May 2023" /> <meta property="og:site_name" content="OAIC" /> <meta property="article:published_time" content="2024-06-26T11:53:49+10:00" /> <meta property="article:modified_time" content="2024-06-27T11:09:19+10:00" /> <meta property="article:tag" content="" /> <meta name="theme-color" content="#fafafa">  <script src="//cdn-oc.readspeaker.com/script/9755/webReader/webReader.js?pids=wr" type="text/javascript" id="rs_req_Init"></script>  <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-PTH9SP3B');</script>   <meta name="google-site-verification" content="sQVHBUKhjuCjBjithPialZYhGQ5SPKwjb1_rY8OqsjA" /> <script src="https://cdn.jsdelivr.net/npm/chart.js"></script> <link rel="stylesheet" href="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/main.css?h=06ed308"> <link rel="stylesheet" href="https://www.oaic.gov.au/__data/assets/css_file/0024/240585/custom.css?v=0.1.245">  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.11.3/font/bootstrap-icons.min.css"> <link rel="preconnect" href="https://fonts.googleapis.com"> <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin> <link href="https://fonts.googleapis.com/css2?family=Source+Code+Pro:ital,wght@0,200;0,300;0,400;0,500;0,600;0,700;0,800;0,900;1,200;1,300;1,400;1,500;1,600;1,700;1,800;1,900&display=swap" rel="stylesheet">  <link rel="shortcut icon" href="https://www.oaic.gov.au/__data/assets/image/0016/14182/favicon-32x32.png"> <link rel="apple-touch-icon" href="https://www.oaic.gov.au/__data/assets/image/0015/14181/apple-touch-icon.png">  </head> <body class="inside">  <section class="cookie-banner" aria-labelledby="cookie-heading"> <h2 class="visuallyhidden" id="cookie-heading">We use cookies on this site</h2> <div class="cookie-banner__content"> <div> <p>We use cookies to analyse traffic and to improve your browsing experience on our website. To find out more, read our <a href="https://www.oaic.gov.au/about-the-OAIC/our-corporate-information/plans-policies-and-procedures/privacy-policy">privacy policy</a>.</p> </div> <button class="cookie-banner__close primary-button" id="close-cookie-banner" aria-label="Close and accept cookie policy">Close</button> </div> </section>   <div class="skip-to-content"> <a href="#main-content-area" class="skip-to-content__link visuallyhidden focusable">Skip to main content</a> </div>  <div class="page-wrapper">     <header class="site-header"> <div class="utility-nav"> <div class="utility-nav__wrapper"> <a href="/news" class="utility-nav__link ">News</a> <a href="/about-the-OAIC/join-our-team" class="utility-nav__link ">Join our team</a> <a href="/contact-us" class="utility-nav__link ">Contact us</a> </div> </div> <div class="header-content"> <a href="https://www.oaic.gov.au" class="header-logo"> <img src="https://www.oaic.gov.au/__data/assets/file/0020/13664/oaic-header-logo.svg" alt="Office of the Australian Information Commissioner (OAIC)"> </a> <button class="mobile-menu" aria-controls="header-nav" aria-expanded="false"> <img class="menu-icon menu-icon--burger" src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/hamburger-menu.svg" alt="open menu"> <img class="menu-icon menu-icon--close" src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/cancel-icon-white.svg" alt="close menu"> </button> <div class="search-container search-container--header"> <form class="input-form" action="https://www.oaic.gov.au/search" data-action="https://www.oaic.gov.au/search?SQ_ASSET_CONTENTS_RAW"> <input name="query" autocomplete="off" id="autoComplete" placeholder="Search…" class="search-box" aria-label="Search input" data-autocomplete-endpoint="https://dxp-au-search.funnelback.squiz.cloud/s/suggest.json?collection=113e9365-ffcc-4320-a995-5c1b98bea3bb~sp-oaic-web-new&profile=auto-completion-global&fmt=json%2B%2B&alpha=0.5&show=10"> <input type="hidden" name="form" value="result"> <button type="button" id="clear-text-btn" class="cancel-logo" aria-label="Clear text"> <img src="https://www.oaic.gov.au/__data/assets/file/0022/13666/cancel-icon.svg" alt="clear text cancel icon"> </button> <button type="submit" aria-label="Submit search"> <img class="search-icon" src="https://www.oaic.gov.au/__data/assets/file/0023/13667/search-outline.svg" alt="search icon thst submits form"> </button> </form> </div> <div id="header-nav" class="header-nav"> <nav class="header-nav__nav"> <div class="header-nav__item"> <a href="https://www.oaic.gov.au" class="header-nav__link " > Home </a> </div> <div class="header-nav__item"> <button class="header-nav__button " aria-expanded="false" > Privacy <div class="header-nav__mobile-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-plus" alt="expand menu"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-minus" alt="collapse menu"> </div> <div class="header-nav__desktop-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/chevron-down-white.svg" alt="expand menu"> </div> </button> <div class="header-nav__sub"> <div class="header-nav__sub-wrapper"> <div class="header-nav__sub-first"> <a href="https://www.oaic.gov.au/privacy" class="header-nav__sub-link"> Privacy </a> </div> <div class="header-nav__sub-grid"> <a href="https://www.oaic.gov.au/privacy/your-privacy-rights" class="header-nav__sub-link"> Your privacy rights </a> <a href="https://www.oaic.gov.au/privacy/privacy-complaints" class="header-nav__sub-link"> Privacy complaints </a> <a href="https://www.oaic.gov.au/privacy/australian-privacy-principles" class="header-nav__sub-link"> Australian Privacy Principles </a> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies" class="header-nav__sub-link"> Privacy guidance for organisations and government agencies </a> <a href="https://www.oaic.gov.au/privacy/notifiable-data-breaches" class="header-nav__sub-link"> Notifiable data breaches </a> <a href="https://www.oaic.gov.au/privacy/privacy-legislation" class="header-nav__sub-link"> Privacy legislation </a> <a href="https://www.oaic.gov.au/privacy/privacy-assessments-and-decisions" class="header-nav__sub-link"> Privacy assessments and decisions </a> <a href="https://www.oaic.gov.au/privacy/privacy-registers" class="header-nav__sub-link"> Privacy registers </a> </div> </div> </div> </div> <div class="header-nav__item"> <button class="header-nav__button " aria-expanded="false" > Freedom of information <div class="header-nav__mobile-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-plus" alt="expand menu"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-minus" alt="collapse menu"> </div> <div class="header-nav__desktop-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/chevron-down-white.svg" alt="expand menu"> </div> </button> <div class="header-nav__sub"> <div class="header-nav__sub-wrapper"> <div class="header-nav__sub-first"> <a href="https://www.oaic.gov.au/freedom-of-information" class="header-nav__sub-link"> Freedom of information </a> </div> <div class="header-nav__sub-grid"> <a href="https://www.oaic.gov.au/freedom-of-information/your-freedom-of-information-rights" class="header-nav__sub-link"> Your freedom of information rights </a> <a href="https://www.oaic.gov.au/freedom-of-information/how-to-access-government-information" class="header-nav__sub-link"> How to access government information </a> <a href="https://www.oaic.gov.au/freedom-of-information/freedom-of-information-guidance-for-government-agencies" class="header-nav__sub-link"> Freedom of information guidance for government agencies </a> <a href="https://www.oaic.gov.au/freedom-of-information/freedom-of-information-legislation-and-determinations" class="header-nav__sub-link"> Freedom of information legislation and determinations </a> <a href="https://www.oaic.gov.au/freedom-of-information/information-commissioner-decisions-and-reports" class="header-nav__sub-link"> Information Commissioner decisions and reports </a> <a href="https://www.oaic.gov.au/freedom-of-information/freedom-of-information-statistics-for-the-oaic" class="header-nav__sub-link"> Freedom of information statistics for the OAIC </a> <a href="https://www.oaic.gov.au/freedom-of-information/australian-government-freedom-of-information-statistics" class="header-nav__sub-link"> Australian Government freedom of information statistics </a> </div> </div> </div> </div> <div class="header-nav__item"> <button class="header-nav__button current" aria-expanded="false" > Consumer Data Right <div class="header-nav__mobile-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-plus" alt="expand menu"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-minus" alt="collapse menu"> </div> <div class="header-nav__desktop-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/chevron-down-white.svg" alt="expand menu"> </div> </button> <div class="header-nav__sub"> <div class="header-nav__sub-wrapper"> <div class="header-nav__sub-first"> <a href="https://www.oaic.gov.au/consumer-data-right" class="header-nav__sub-link"> Consumer Data Right </a> </div> <div class="header-nav__sub-grid"> <a href="https://www.oaic.gov.au/consumer-data-right/information-for-consumers" class="header-nav__sub-link"> Information for consumers </a> <a href="https://www.oaic.gov.au/consumer-data-right/consumer-data-right-complaints" class="header-nav__sub-link"> Consumer Data Right complaints </a> <a href="https://www.oaic.gov.au/consumer-data-right/consumer-data-right-guidance-for-business" class="header-nav__sub-link"> Consumer Data Right guidance for business </a> <a href="https://www.oaic.gov.au/consumer-data-right/consumer-data-right-legislation,-regulation-and-definitions" class="header-nav__sub-link"> Consumer Data Right legislation, regulation and definitions </a> <a href="https://www.oaic.gov.au/consumer-data-right/consumer-data-right-assessments" class="header-nav__sub-link"> Consumer Data Right assessments </a> </div> </div> </div> </div> <div class="header-nav__item"> <a href="https://www.oaic.gov.au/digital-id" class="header-nav__link " > Digital ID </a> </div> <div class="header-nav__item"> <button class="header-nav__button " aria-expanded="false" > Engage with us <div class="header-nav__mobile-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-plus" alt="expand menu"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-minus" alt="collapse menu"> </div> <div class="header-nav__desktop-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/chevron-down-white.svg" alt="expand menu"> </div> </button> <div class="header-nav__sub"> <div class="header-nav__sub-wrapper"> <div class="header-nav__sub-first"> <a href="https://www.oaic.gov.au/engage-with-us" class="header-nav__sub-link"> Engage with us </a> </div> <div class="header-nav__sub-grid"> <a href="https://www.oaic.gov.au/engage-with-us/consultations" class="header-nav__sub-link"> Consultations </a> <a href="https://www.oaic.gov.au/engage-with-us/submissions" class="header-nav__sub-link"> Submissions </a> <a href="https://www.oaic.gov.au/engage-with-us/translations" class="header-nav__sub-link"> Translations </a> <a href="https://www.oaic.gov.au/engage-with-us/events" class="header-nav__sub-link"> Events </a> <a href="https://www.oaic.gov.au/engage-with-us/networks" class="header-nav__sub-link"> Networks </a> <a href="https://www.oaic.gov.au/engage-with-us/research-and-training-resources" class="header-nav__sub-link"> Research and training resources </a> </div> </div> </div> </div> <div class="header-nav__item"> <button class="header-nav__button " aria-expanded="false" > About the OAIC <div class="header-nav__mobile-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-plus" alt="expand menu"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-minus" alt="collapse menu"> </div> <div class="header-nav__desktop-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/chevron-down-white.svg" alt="expand menu"> </div> </button> <div class="header-nav__sub"> <div class="header-nav__sub-wrapper"> <div class="header-nav__sub-first"> <a href="https://www.oaic.gov.au/about-the-OAIC" class="header-nav__sub-link"> About the OAIC </a> </div> <div class="header-nav__sub-grid"> <a href="https://www.oaic.gov.au/about-the-OAIC/what-we-do" class="header-nav__sub-link"> What we do </a> <a href="https://www.oaic.gov.au/about-the-OAIC/who-we-are" class="header-nav__sub-link"> Who we are </a> <a href="https://www.oaic.gov.au/about-the-OAIC/join-our-team" class="header-nav__sub-link"> Join our team </a> <a href="https://www.oaic.gov.au/about-the-OAIC/access-our-information" class="header-nav__sub-link"> Access our information </a> <a href="https://www.oaic.gov.au/about-the-OAIC/our-regulatory-approach" class="header-nav__sub-link"> Our regulatory approach </a> <a href="https://www.oaic.gov.au/about-the-OAIC/our-corporate-information" class="header-nav__sub-link"> Our corporate information </a> <a href="https://www.oaic.gov.au/about-the-OAIC/information-policy" class="header-nav__sub-link"> Information policy </a> <a href="https://www.oaic.gov.au/about-the-OAIC/serving-legal-documents-on-the-australian-information-commissioner" class="header-nav__sub-link"> Serving legal documents on the Australian Information Commissioner </a> </div> </div> </div> </div> <div class="header-nav__item header-nav__item--mobile-only"> <a href="/news" class="header-nav__link">News</a> </div> <div class="header-nav__item header-nav__item--mobile-only"> <a href="/about-the-OAIC/join-our-team" class="header-nav__link">Join our team</a> </div> <div class="header-nav__item header-nav__item--mobile-only"> <a href="/contact-us" class="header-nav__link">Contact us</a> </div> </nav> </div> </div> </header> <div class="nav-close-overlay"></div>   <main class="main"> <div class="breadcrumb__wrapper"> <div class="section "> <div class="section-item flex-box "> <div class="breadcrumb breadcrumb--separator-chevron"> <nav class="breadcrumb__nav" aria-label="Breadcrumb"> <ul class="breadcrumb__list"> <span class="breadcrumb__list-item"><a href="https://www.oaic.gov.au" class="breadcrumb__list-item-link" aria-label="Go to home page"><svg xmlns="http://www.w3.org/2000/svg" version="1.0" viewBox="0 0 50 50" height="24" width="24"><path d="M25 9.0937 7.281 25.3747h5.563v15.531h24.312v-15.531h5.563L25 9.0937z" fill="currentColor"></path></svg></a></span> <li class="breadcrumb__list-item"> <a class="breadcrumb__list-item-link" href="https://www.oaic.gov.au/consumer-data-right">Consumer Data Right</a> </li> <li class="breadcrumb__list-item"> <a class="breadcrumb__list-item-link" href="https://www.oaic.gov.au/consumer-data-right/consumer-data-right-assessments">Consumer Data Right assessments</a> </li> <li class="breadcrumb__list-item"> <a class="breadcrumb__list-item-link" href="https://www.oaic.gov.au/consumer-data-right/consumer-data-right-assessments/summary-report-of-cdr-assessment-5">Summary report of CDR assessment 5</a> </li> </ul> </nav> </div> </div> </div> </div>  <div id="main-content-area" class="page-content"> <div class="toc"> <ul class="toc__list"> <li class="toc__heading"> <h2 class="toc-exclude">On this page</h2> </li> </ul> </div> <section class="banner-grey-newsroom__wrapper"> <div class="banner-grey-newsroom__content"> <h1 class="banner-grey-newsroom__title">Summary report of Consumer Data Right assessment 5</h1> </div> </section>  <script> if(document.querySelector('.banner-grey-newsroom__wrapper .banner-grey-newsroom__content')) { document.querySelector('.breadcrumb__wrapper').insertAdjacentElement('afterend',document.querySelector('.banner-grey-newsroom__wrapper .banner-grey-newsroom__content').closest(' .banner-grey-newsroom__wrapper')) } </script> <div class="gov-numbered-paragraphs" id="component_222135"> <p>Published 26 June 2024</p><h2>Executive summary</h2><p>In May 2023, the Office of the Australian Information Commissioner (OAIC) commenced a Privacy Safeguard 1 assessment of 19 Consumer Data Right (CDR) entities. The cohort included all active accredited persons listed on the CDR register that the OAIC had not previously assessed.</p><p>CDR entities must have and maintain a clearly expressed and up-to-date CDR policy.<a href="#_ftn1" name="_ftnref1" title="">[1]</a> Privacy Safeguard 1<a href="#_ftn2" name="_ftnref2" title="">[2]</a> and Rule 7.2 of the Competition and Consumer (Consumer Data Right) Rules 2020 (CDR Rules) outline requirements about a CDR policy’s content, format, and availability.</p><p>In this assessment, we found that the 19 accredited persons demonstrated a sound level of compliance overall.</p><p>For each of the 19 accredited persons, we identified between 2 to 15 areas of non-compliance or partial non-compliance, where CDR policies did not sufficiently address certain required information. The most common areas of non-compliance related to CDR policies not containing sufficient information about:</p><ul><li>the purposes for which the accredited person may collect, hold, use or disclose CDR data</li><li>how a CDR consumer may seek correction of their CDR data</li><li>the events that CDR consumers will be notified about</li><li>how the entity deletes redundant CDR data</li><li>the accredited person’s process for managing CDR consumer complaints</li><li>options for review of CDR complaints</li><li>options for redress for CDR complaints.</li></ul><p>A total of 134 recommendations were made to the 19 accredited persons to address the non-compliance identified in this assessment. All 19 accredited persons have accepted our findings and recommendations. Fourteen of the accredited persons have advised that they have already taken steps to address the recommendations.</p><h2>Part 1: Introduction</h2><h3>Background</h3><p>The CDR gives consumers greater control over their data by allowing them to safely share the data that businesses hold about them. This can help consumers compare products and services to find offers that best match their needs.</p><p>The OAIC protects the privacy of individuals by regulating the privacy aspects of the CDR. The OAIC has the power to assess and audit the compliance of certain CDR entities with their CDR privacy and confidentiality obligations.<a href="#_ftn3" name="_ftnref3" title="">[3]</a></p><h4>Policy about managing CDR data</h4><p>The objective of Privacy Safeguard 1 is to ensure CDR entities handle CDR data in an open and transparent way. This requires CDR entities to embed privacy in their processes and encourages a ‘privacy-by-design’ approach.</p><p>Privacy Safeguard 1 requires CDR entities (including accredited persons) to have a clearly expressed and up-to-date policy (CDR policy) that:</p><ul><li>is available free of charge, including being readily available on each online service where the CDR entity ordinarily deals with CDR consumers<a href="#_ftn4" name="_ftnref4" title="">[4]</a></li><li>is distinct from the entity’s other privacy policies<a href="#_ftn5" name="_ftnref5" title="">[5]</a></li><li>contains required information about: <ul><li>how they manage CDR data<a href="#_ftn6" name="_ftnref6" title="">[6]</a></li><li>how consumers can access and correct CDR data<a href="#_ftn7" name="_ftnref7" title="">[7]</a></li><li>the consumer complaints process<a href="#_ftn8" name="_ftnref8" title="">[8]</a></li><li>any sponsorship, representative and outsourcing arrangements.<a href="#_ftn9" name="_ftnref9" title="">[9]</a></li></ul></li></ul><p>A CDR policy ensures CDR data is handled in an open and transparent way by allowing CDR consumers to understand how their CDR data will be managed throughout the CDR data lifecycle from collection to deletion. The CDR policy also empowers CDR consumers to actively engage with their CDR data by outlining how they can access and correct their CDR data, and how they can access the complaints handling process.</p><p>For more information, please see the <a href="https://www.oaic.gov.au/consumer-data-right/consumer-data-right-guidance-for-business/privacy-obligations/guide-to-developing-a-consumer-data-right-policy">Guide to developing a Consumer Data Right policy</a> and <a href="https://www.oaic.gov.au/consumer-data-right/consumer-data-right-guidance-for-business/consumer-data-right-privacy-safeguard-guidelines/chapter-1-privacy-safeguard-1-open-and-transparent-management-of-cdr-data">Chapter 1 of the Consumer Data Right Privacy Safeguard Guidelines</a> on the OAIC website.</p><h2>Part 2: Summary of findings</h2><h3>Areas of good privacy practice</h3><p>Overall, we found that the 19 accredited persons demonstrated a sound level of compliance and addressed most of the mandatory requirements in their CDR policies.</p><p>The 3 main areas of good privacy practice identified during this assessment are outlined below.</p><h4>Distinct CDR policy</h4><p>An accredited person’s CDR policy must be in the form of a document that is distinct from any of the CDR entity’s privacy policies.<a href="#_ftn10" name="_ftnref10" title="">[10]</a></p><p>Almost all the accredited persons’ CDR policies were distinct policies that met most of the mandatory requirements for a CDR policy.  A distinct CDR policy provides clarity to the consumer by detailing CDR specific information in one location.</p><h4>Classes of CDR data held</h4><p>The 19 CDR policies that were assessed generally referred to the different classes of CDR data that each accredited person may hold with adequate detail.<a href="#_ftn11" name="_ftnref11" title="">[11]</a> This included CDR data that another entity (for example, an outsourced service provider) may hold on the accredited person’s behalf.</p><p>The classes of CDR data that must be referred to in a CDR policy vary by sector and are set out in the relevant designation instrument. For example, the designation instrument for the banking sector sets out 3 classes of information: customer information, product use information and information about the product.<a href="#_ftn12" name="_ftnref12" title="">[12]</a></p><h4>Disclosure of CDR data to a non-accredited person</h4><p>The 19 CDR policies assessed generally outlined the circumstances in which the assessed accredited persons may disclose CDR data to a non-accredited person.<a href="#_ftn13" name="_ftnref13" title="">[13]</a> This allows consumers to understand how their CDR data is handled, and who may have access to it.</p><p>Six of the 19 accredited persons indicated that they will not disclose any CDR data to a non-accredited person.</p><div class="callout"><p>CDR policy tip:</p><p>CDR policies must contain information about the circumstances in which the CDR entity may disclose CDR data to an unaccredited person.</p><p>As best practice, the CDR policy ought to identify if the CDR entity does <em>not</em> disclose CDR data to an unaccredited person. This is a transparent approach that can also demonstrate a potentially reduced risk to the consumer as limiting the disclosure of CDR data reduces the opportunity for CDR data to be accessed or handled improperly.</p></div><h3>Areas for improvement</h3><p>The 7 major findings identified during this assessment are outlined below.</p><h4>Purposes of CDR data</h4><p>An accredited person’s CDR policy must address the purposes for which they may collect, hold, use or disclose CDR data.<a href="#_ftn14" name="_ftnref14" title="">[14]</a> Collecting, holding, using and disclosing data are distinct concepts,<a href="#_ftn15" name="_ftnref15" title="">[15]</a> and the Competition and Consumer Act requires accredited persons to address each of them separately.</p><p>In this assessment, we recommended that 9 accredited persons update their CDR policies to address each of the purposes for which they collect, hold, use or disclose CDR data to better inform the consumer of the purposes for which their data will be used.</p><p>This assessment found that these accredited persons’ CDR policies generally failed to address one of the 4 relevant purposes. For example, a CDR policy addressed the purposes for which CDR data is collected, used or disclosed but not the purpose for which the accredited person may hold the CDR data.</p><h4>Seeking correction</h4><p>CDR policies must explain how a CDR consumer may seek correction of their CDR data.<a href="#_ftn16" name="_ftnref16" title="">[16]</a> <a href="https://www.oaic.gov.au/consumer-data-right/cdr-privacy-safeguard-guidelines/chapter-13-privacy-safeguard-13-correction-of-cdr-data#when-must-an-entity-correct-cdr-data">Chapter 13 of the OAIC’s Privacy Safeguard Guidelines</a> sets out the obligations for accredited persons when they receive correction requests from CDR consumers.</p><p>Five accredited persons were found to be non-compliant or partially compliant with this requirement.  These CDR policies identified that CDR consumers could seek to correct their CDR data but did not provide enough detail about how they could make such a request.</p><p>Allowing CDR consumers to correct their CDR data ensures that they can effectively use the CDR to view their information and compare products and services. This is also a reasonable step accredited persons must take to ensure that CDR data is sufficiently accurate, up to date and complete.<a href="#_ftn17" name="_ftnref17" title="">[17]</a></p><h4>Notification events</h4><p>Accredited persons have obligations to notify CDR consumers when certain events occur (notifiable events).<a href="#_ftn18" name="_ftnref18" title="">[18]</a> These events include when the:</p><ul><li>consumer gives consent to collect, use or disclose data<a href="#_ftn19" name="_ftnref19" title="">[19]</a></li><li>consumer amends<a href="#_ftn20" name="_ftnref20" title="">[20]</a> or withdraws consent<a href="#_ftn21" name="_ftnref21" title="">[21]</a></li><li>accredited person collects the consumer’s CDR data<a href="#_ftn22" name="_ftnref22" title="">[22]</a></li><li>accredited person discloses the consumer’s CDR data to another accredited person<a href="#_ftn23" name="_ftnref23" title="">[23]</a></li><li>accredited person has ongoing notification requirements regarding the consumer’s consent<a href="#_ftn24" name="_ftnref24" title="">[24]</a></li><li>consumer’s consent expires<a href="#_ftn25" name="_ftnref25" title="">[25]</a></li><li>accredited person responds to a correction request<a href="#_ftn26" name="_ftnref26" title="">[26]</a></li><li>accredited person has an eligible data breach affecting the consumer under the Notifiable Data Breaches scheme.<a href="#_ftn27" name="_ftnref27" title="">[27]</a></li></ul><p>These notification events are aimed at ensuring consumers are aware of, and have control over, how their CDR data is being handled.</p><p>Generally, the CDR policies assessed contained most of the required notification events. However, only 4 of the 19 CDR policies addressed every required notification event, and 4 other accredited persons addressed only 1 or none of the required notification events.</p><h4>Deleting redundant data</h4><p>Accredited persons must include information about how they delete redundant CDR data in their CDR policy.<a href="#_ftn28" name="_ftnref28" title="">[28]</a> Of the 19 CDR policies assessed, 11 contained insufficient information about how the accredited person deletes redundant CDR data.</p><p>Providing CDR consumers with information about how redundant CDR data is deleted allows consumers to make informed decisions and understand how their CDR data is handled. The CDR policy should describe the deletion process in a way that is helpful and meaningful to the consumer.</p><div class="callout"><p>CDR policy tip:</p><p>When outlining how redundant CDR data is deleted in its CDR policy, an accredited person could include:</p><ul><li>whether deleted data is irretrievably destroyed</li><li>references to applicable standards</li><li>how hard copy information is managed</li><li>how deletion is confirmed with third-parties such as CDR representatives and Outsourced Service Providers</li><li>whether back-ups are destroyed.</li></ul></div><h4>Handling CDR complaints</h4><p>The CDR rules require accredited persons to include certain information about handling CDR consumer complaints in their CDR policies.<a href="#_ftn29" name="_ftnref29" title="">[29]</a> For accredited persons in the banking sector, CDR policies should include the key steps for dealing with CDR consumer complaints, including: <a href="#_ftn30" name="_ftnref30" title="">[30]</a></p><ul><li>acknowledgement</li><li>assessment and investigation, and</li><li>providing a response.</li></ul><p>Of the 19 CDR policies assessed, 6 required further information about the process for handling CDR consumer complaints to ensure that CDR consumers had sufficient understanding.</p><h4>Options for redress</h4><p>Accredited persons are required to include options for redress in their CDR policies to ensure consumers are aware of the available remedies when making a CDR consumer complaint.<a href="#_ftn31" name="_ftnref31" title="">[31]</a></p><p>Seventeen of the 19 accredited persons’ CDR policies did not include sufficient information about options for redress of complaints made through their dispute resolution processes.</p><div class="callout"><p>CDR policy tip:</p><p>CDR policies should contain all foreseeable options for redress.</p><p>Paragraph RG 271.161 of <a href="https://asic.gov.au/regulatory-resources/find-a-document/regulatory-guides/rg-271-internal-dispute-resolution">ASIC’s Internal Dispute Resolution Regulatory Guide 271</a> outlines examples of options for redress such as correcting records or providing an explanation, refund, fee waiver, apology or compensation payment.</p></div><h4>Options for review</h4><p>Where a consumer is dissatisfied with an accredited person’s internal dispute resolution process, they may, in some circumstances, seek to have their matter reviewed. CDR policies must include information about these options for review, both internally (if available) and externally.<a href="#_ftn32" name="_ftnref32" title="">[32]</a></p><p>Only three of the 19 accredited persons’ CDR policies gave consumers the option to request an internal review of the outcome of their CDR consumer complaint.</p><div class="callout"><p>CDR policy tip:</p><p>CDR policies must outline any options to review CDR consumer complaints internally (if available) and externally.</p><p>As best practice, if a CDR entity does not offer a means of reviewing the outcome of CDR consumer complaints internally, this ought to be stated in the CDR policy.</p></div><p>Most of the CDR policies assessed stated that CDR consumers could seek external review by the Australian Financial Complaints Authority (AFCA). <a href="#_ftn33" name="_ftnref33" title="">[33]</a> However, 7 of the CDR policies did not state that a consumer also has the option to seek external review by the OAIC.</p><div class="callout"><p>CDR policy tip:</p><p>Accredited persons should outline all relevant options for consumers seeking review for their dispute:</p><ul><li>The <a href="https://www.oaic.gov.au/consumer-data-right/consumer-data-right-complaints/what-you-can-complain-to-us-about">OAIC</a> can review matters relevant to privacy, including   the handling of CDR data and privacy obligations under CDR legislation.</li><li><a href="https://www.oaic.gov.au/privacy/privacy-complaints/external-dispute-resolution-schemes">External dispute resolution schemes</a> can review privacy matters, as with the OAIC, but   can also handle other issues such as complaints about products and services.</li></ul><p>CDR policies should include information about how consumers can request a review from each relevant entity, such as contact details.</p></div><h2>Part 3: About the assessment</h2><h3>Conduct of assessment</h3><h4>Objective and scope</h4><p>The object of this assessment was to examine the compliance of 19 accredited persons’ CDR policies against the requirements of Privacy Safeguard 1 and the CDR Rules.</p><p>Where non-compliance was identified, recommendations and best practice suggestions were made to help the accredited persons achieve good practice with their CDR policies.</p><h4>Methodology</h4><p>This compliance-based assessment examined a sample of 19 active accredited persons that had not been previously assessed by the OAIC. While these CDR entities may hold more than one role within the CDR system, they were assessed in their capacity as accredited data recipients or as accredited persons who may become accredited data recipients.</p><p>The 19 accredited persons that were assessed are listed in <a href="#_Attachment_A">Attachment A</a> of this report.</p><p>The assessment consisted of a desktop review of:</p><ul><li>the entities’ published CDR policies as at 8 May 2023</li><li>any additional information the entities provided.</li></ul><p>Each of the 19 accredited persons were offered an opportunity to confirm the currency of their published CDR policy. Where necessary, we also requested additional information or clarification from the accredited persons.</p><p>This was a point-in-time assessment that examined the accredited persons’ CDR policies and related obligations at the time of the assessment.</p><div class="callout"><p>CDR policy tip:</p><div><p>CDR entities should review their CDR policies on a regular scheduled basis and following certain events to ensure currency and accuracy for CDR consumers.<a href="#_ftn34" name="_ftnref34" title="">[34]</a></p><p>CDR policies should be reviewed when:</p></div><ul><li>a review is scheduled (at least annually)</li><li>CDR legislation, guidance, or policies change</li><li>the entity’s organisational structure or processes change</li><li>relevant risks are identified or change.</li></ul></div><h3>Recommendations and next steps</h3><p>In total, we made 134 recommendations to address areas of non-compliance identified in this assessment.</p><p>At the conclusion of this assessment, we provided each accredited person with an individual assessment report with specific findings. Where non‑compliance was identified, we recommended action that should or must be taken to rectify the relevant issues.</p><p>All the accredited persons have accepted our findings and recommendations. At the time of publishing this report, 14 of the 19 accredited persons have advised that they have taken steps to address the recommendations.</p><h2>Attachment A</h2><p>The following accredited persons were assessed in this assessment:</p><ul><li>Beyond Bank Australia Limited</li><li>Bud APAC Pty Limited<a href="#_ftn35" name="_ftnref35" title="">[35]</a></li><li>Cuscal Limited</li><li>Fiskil Pty Ltd</li><li>Greenr Global Pty Ltd Limited</li><li>Hive Empire Pty Ltd (Finder)</li><li>Idux Pty Ltd</li><li>Liberty Financial Pty Ltd</li><li>NextGen.Net Pty Ltd</li><li>Payble Pty Ltd<a href="#_ftn36" name="_ftnref36" title="">[36]</a></li><li>PayOK Holdings Pty Ltd<a href="#_ftn37" name="_ftnref37" title="">[37]</a></li><li>Savings.com.au Pty Ltd</li><li>SISS Data Services Pty Limited</li><li>Skript Pty Ltd</li><li>Suncorp-Metway Limited</li><li>Verifier Australia Pty Ltd</li><li>Waave Technologies Pty Ltd</li><li>Wych Australia Pty Ltd</li><li>Zepto Payments Pty Ltd</li></ul> </div> <div class="gov-numbered-paragraphs" id="component_222140"> <p><sup id="_ftn1">[1]</sup> Subsection 56ED(3) of the <em>Competition and Consumer Act 2010</em></p><p><sup><span id="_ftn2">[2]</span> </sup>Section 56ED of the Competition and Consumer Act</p><p><sup id="_ftn3">[3]</sup> Section 56ER of the Competition and Consumer Act; Rule 9.6(2) of the Competition and Consumer (Consumer Data Right) Rules 2020 (CDR Rules). While assessments and audits are similar compliance functions, we refer to ‘assessments’ and ‘audits’ separately to be consistent with the terminology used respectively in the Competition and Consumer Act and the CDR Rules.</p><p><sup id="_ftn4">[4]</sup> Subsection 56ED(7) of the Competition and Consumer Act</p><p><span id="_ftn5"><sup>[5] </sup></span>Paragraph 56ED(3)(b) of the Competition and Consumer Act; Rule 7.2(2) of the CDR Rules</p><p><sup id="_ftn6">[6]</sup> Paragraph 56ED(3)(a) of the Competition and Consumer Act</p><p><sup id="_ftn7">[7]</sup> Paragraphs 56ED(5)(c) and 56ED(4)(a) of the Competition and Consumer Act</p><p><sup id="_ftn8">[8]</sup> Paragraphs 56ED(4)(b) and (5)(d) of the Competition and Consumer Act</p><p><span id="_ftn9"><sup>[9]</sup></span>Paragraphs 7.2 (4) (b) (d) and (g) of the CDR Rules</p><p><sup><span id="_ftn10">[10]</span> </sup>Subrule 7.2(2) of the CDR Rules</p><p><span id="_ftn11"><sup>[11]</sup></span>Paragraph 56ED(5)(a) of the Competition and Consumer Act; Paragraph 1.53 of <a href="https://www.oaic.gov.au/consumer-data-right/consumer-data-right-guidance-for-business/consumer-data-right-privacy-safeguard-guidelines/chapter-1-privacy-safeguard-1-open-and-transparent-management-of-cdr-data">Chapter 1 of the OAIC’s CDR Privacy Safeguard guidelines</a>.</p><p><sup id="_ftn12">[12] </sup>Sections 6-8 of the <a href="https://www.legislation.gov.au/Details/F2019L01153" target="_blank">Consumer Data Right (Authorised Deposit‑Taking Institutions) Designation 2019</a></p><p><span id="_ftn13"><sup>[13]</sup></span>Paragraph 56ED(5)(g) of the Competition and Consumer Act</p><p style="text-align:justify"><sup id="_ftn14">[14]</sup> Paragraph 56ED(5)(b) of the Competition and Consumer Act; Paragraph 1.53 of <a href="https://www.oaic.gov.au/consumer-data-right/consumer-data-right-guidance-for-business/consumer-data-right-privacy-safeguard-guidelines/chapter-1-privacy-safeguard-1-open-and-transparent-management-of-cdr-data">Chapter 1 of the OAIC’s CDR Privacy Safeguard guidelines</a></p><p style="text-align:justify"><span id="_ftn15"><sup>[15]</sup></span>‘Collect’, ‘hold’, ‘use’ and ‘disclosure’ are defined in <a href="https://www.oaic.gov.au/consumer-data-right/consumer-data-right-guidance-for-business/consumer-data-right-privacy-safeguard-guidelines/chapter-b-key-concepts">Chapter B (Key concepts) of the Privacy Safeguard Guidelines</a>.</p><p style="text-align:justify"><sup id="_ftn16">[16]</sup> Paragraph 56ED(5)(c) of the Competition and Consumer Act; Paragraph 1.53 of <a href="https://www.oaic.gov.au/consumer-data-right/consumer-data-right-guidance-for-business/consumer-data-right-privacy-safeguard-guidelines/chapter-1-privacy-safeguard-1-open-and-transparent-management-of-cdr-data">Chapter 1 of the OAIC’s CDR Privacy Safeguard Guidelines</a></p><p><span id="_ftn17"><sup>[17]</sup></span>Section 56EN of the Competition and Consumer Act</p><p style="text-align:justify"><sup><span id="_ftn18">[18]</span> </sup>Paragraph 56ED(5)(h) of the Competition and Consumer Act; Paragraph 1.53 of <a href="https://www.oaic.gov.au/consumer-data-right/consumer-data-right-guidance-for-business/consumer-data-right-privacy-safeguard-guidelines/chapter-1-privacy-safeguard-1-open-and-transparent-management-of-cdr-data">Chapter 1 of the OAIC’s CDR Privacy Safeguard Guidelines</a></p><p><sup id="_ftn19">[19]</sup> Paragraph 4.18 (1)(a) of the CDR Rules</p><p><span id="_ftn20"><sup>[20]</sup></span>Paragraph 4.18 (1)(aa) of the CDR Rules</p><p><span id="_ftn21"><sup>[21]</sup></span>Paragraph 4.18 (1)(b) of the CDR Rules</p><p><sup><span id="_ftn22">[22]</span> </sup>Rule 7.4 of the CDR Rules</p><p><sup id="_ftn23">[23] </sup>Subrule 7.9(2) of the CDR Rules</p><p><sup id="_ftn24">[24]</sup> Rule 4.20 of the CDR Rules</p><p><sup><span id="_ftn25">[25]</span> </sup>Rule 4.18A of the CDR Rules</p><p><span id="_ftn26"><sup>[26]</sup></span>Rule 7.15 of the CDR Rules</p><p><sup id="_ftn27">[27]</sup> Section 56ES of the Competition and Consumer Act</p><p style="text-align:justify"><span id="_ftn28"><sup>[28]</sup></span>Subparagraph 7.2(4)(k)(iii) of the CDR Rules; Paragraph 1.54 of <a href="https://www.oaic.gov.au/consumer-data-right/consumer-data-right-guidance-for-business/consumer-data-right-privacy-safeguard-guidelines/chapter-1-privacy-safeguard-1-open-and-transparent-management-of-cdr-data">Chapter 1 of the OAIC’s CDR Privacy Safeguard Guidelines</a></p><p style="text-align:justify"><span id="_ftn29"><sup>[29]</sup></span>Paragraph 7.2(6)(f) of the CDR Rules; Paragraph 1.54 of <a href="https://www.oaic.gov.au/consumer-data-right/consumer-data-right-guidance-for-business/consumer-data-right-privacy-safeguard-guidelines/chapter-1-privacy-safeguard-1-open-and-transparent-management-of-cdr-data">Chapter 1 of the OAIC’s CDR Privacy Safeguard Guidelines</a>.</p><p><sup><span id="_ftn30">[30]</span> </sup>This is consistent with paragraph RG 271.173(c) of Australian Securities & Investments Commission’s (ASIC’s) <a href="https://asic.gov.au/regulatory-resources/find-a-document/regulatory-guides/rg-271-internal-dispute-resolution">Regulatory Guide 271 Internal Dispute Resolution</a> (RG 271). Under rule 5.12 and clause 5.1 of Schedule 3 of the CDR Rules, accredited persons must comply with the provisions of RG 271 regarding certain aspects of their internal dispute resolution procedures or processes.</p><p style="text-align:justify"><sup id="_ftn31">[31] </sup>Paragraph 7.2(6)(h) of the CDR Rules and paragraph 1.54 of <a href="https://www.oaic.gov.au/consumer-data-right/consumer-data-right-guidance-for-business/consumer-data-right-privacy-safeguard-guidelines/chapter-1-privacy-safeguard-1-open-and-transparent-management-of-cdr-data">Chapter 1 of the OAIC’s CDR Privacy Safeguard Guidelines</a>.</p><p style="text-align:justify"><span id="_ftn32"><sup>[32]</sup></span>Paragraph 7.2(6)(i) of the CDR Rules; Paragraph 1.54 of <a href="https://www.oaic.gov.au/consumer-data-right/consumer-data-right-guidance-for-business/consumer-data-right-privacy-safeguard-guidelines/chapter-1-privacy-safeguard-1-open-and-transparent-management-of-cdr-data">Chapter 1 of the OAIC’s CDR Privacy Safeguard Guidelines</a>.</p><p><sup id="_ftn33">[33]</sup> Accredited persons in the banking sector must be a member of the Australian Financial Complaints Authority (AFCA) external dispute resolution scheme.</p><p><sup id="_ftn34">[34]</sup> Subsection 56ED(2) of the Competition and Consumer Act</p><p style="text-align:justify"><span id="_ftn35"><sup id="_ftn35">[35]</sup></span>Bud APAC surrendered its accreditation on 1 December 2023.</p><p><sup id="_ftn36">[36]</sup> Payble surrendered its accreditation on 5 March 2024</p><p style="text-align:justify"><span id="_ftn37"><sup>[37]</sup></span>PayOK surrendered its accreditation on 31 January 2024.</p> </div> </div>   <div class="feedback"> <form id="form_email_240614" enctype="multipart/form-data" action="https://www.oaic.gov.au/_design/includes/feedback-form" method="post" ><input type="hidden" name="SQ_FORM_240614_PAGE" value="1" class="sq-form-field" id="SQ_FORM_240614_PAGE" /><input type="hidden" name="form_email_240614_referral_url" value="" /> <input type="hidden" name="q240616:q4" value="222133"> <input type="hidden" name="q240616:q3" value="https://www.oaic.gov.au/consumer-data-right/consumer-data-right-assessments/summary-report-of-cdr-assessment-5"> <input type="hidden" name="form_email_240614_submit" value="Submit" id="form_email_240614_submit"> <div class="feedback__section-1"> <fieldset class="feedback__fieldset"> <legend class="feedback__title">Did you find this helpful?</legend> <div class="feedback__radios-wrapper"> <div class="feedback__radio"> <input class="visuallyhidden" type="radio" name="q240616:q2" id="q240616_q2_0" value="0"> <img class="feedback__radio-icon" src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/thumbsup.svg" alt=""/> <label class="feedback__radio-label" for="q240616_q2_0">Yes</label> </div> <div class="feedback__radio"> <input class="visuallyhidden" type="radio" name="q240616:q2" id="q240616_q2_1" value="1"> <img class="feedback__radio-icon" src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/thumbsdown.svg" alt=""/> <label class="feedback__radio-label" for="q240616_q2_1">No</label> </div> </div> </fieldset> <div class="feedback__radio-response" id="yes"> <img class="feedback__radio-icon" src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/thumbsup.svg" alt=""/> <span>We'd love to hear more!</span> </div> <div class="feedback__radio-response" id="no"> <img class="feedback__radio-icon" src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/thumbsdown.svg" alt=""/> <span>Please tell us more</span> </div> </div> <div class="feedback__section-2"> <div class="feedback__section-2-content"> <span class="feedback__title">Rate your experience</span> <p>We'd love to hear more about your rating</p> <div class="feedback__textarea-group"> <label class="feedback__textarea-label" for="q240633_q1"><label class="sq-form-question-title" for="q240633_q1">What did you come here to do?</label></label> <textarea class="feedback__textarea-input" name="q240633:q1" id="q240633_q1" placeholder="Leave your feedback here"></textarea> </div> <div class="feedback__textarea-group"> <label class="feedback__textarea-label" for="q240633_q2"><label class="sq-form-question-title" for="q240633_q2">How can we improve this information?</label></label> <textarea class="feedback__textarea-input" name="q240633:q2" id="q240633_q2" placeholder="Leave your feedback here"></textarea> </div> <div class="feedback__recaptcha"> <script src="https://www.google.com/recaptcha/api.js" async defer></script> <div class="g-recaptcha" data-theme="light" data-size="normal" data-sitekey="6LcuGgUqAAAAAE0QfPrz025qaXiUh0HhlrNuHTWk" data-callback="feedbackGrepCallback" data-expired-callback="feedbackGrepExpiredCallback" ></div> </div> <div class="feedback__submit"> <input type="submit" name="form_email_240614_submit" value="Submit feedback" class="sq-form-submit" id="form_email_240614_submit" /> </div> <button type="button" tabindex="0" class="feedback__close-modal">&Cross;</button> </div> </div> </form>  <div class="feedback__share"> <div class="feedback__title">Share</div> <div class="feedback__share-links"> <a href="https://www.facebook.com/share.php?u=https://www.oaic.gov.au/consumer-data-right/consumer-data-right-assessments/summary-report-of-cdr-assessment-5" class="feedback__social-link"> <svg width="10" height="18" viewBox="0 0 10 18" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M9.17485 10.0485L9.68366 6.81553H6.50063V4.71845C6.50063 3.83376 6.94445 2.97087 8.37013 2.97087H9.81818V0.218447C9.81818 0.218447 8.5046 0 7.24931 0C4.62669 0 2.91409 1.54877 2.91409 4.35146V6.81553H0V10.0485H2.91409V17.8646C3.49913 17.9541 4.09765 18 4.70736 18C5.31707 18 5.91559 17.9541 6.50063 17.8646V10.0485H9.17485Z" fill="currentColor"/></svg> Facebook </a> <a href="https://twitter.com/intent/tweet?url=https://www.oaic.gov.au/consumer-data-right/consumer-data-right-assessments/summary-report-of-cdr-assessment-5" class="feedback__social-link"> <svg width="19" height="15" viewBox="0 0 1200 1227" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M714.163 519.284 1160.89 0h-105.86L667.137 450.887 357.328 0H0l468.492 681.821L0 1226.37h105.866l409.625-476.152 327.181 476.152H1200L714.137 519.284h.026ZM569.165 687.828l-47.468-67.894-377.686-540.24h162.604l304.797 435.991 47.468 67.894 396.2 566.721H892.476L569.165 687.854v-.026Z" fill="currentColor"></path></svg> Twitter </a> <a href="https://www.linkedin.com/sharing/share-offsite?url=https://www.oaic.gov.au/consumer-data-right/consumer-data-right-assessments/summary-report-of-cdr-assessment-5" class="feedback__social-link"> <svg width="16" height="18" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M3.60001 16H0.199997V5.3H3.60001V16ZM1.9 3.8C0.800002 3.8 0 3 0 1.9C0 0.8 0.900002 0 1.9 0C3 0 3.8 0.8 3.8 1.9C3.8 3 3 3.8 1.9 3.8ZM16 16H12.6V10.2C12.6 8.5 11.9 8 10.9 8C9.89999 8 8.89999 8.8 8.89999 10.3V16H5.5V5.3H8.7V6.8C9 6.1 10.2 5 11.9 5C13.8 5 15.8 6.1 15.8 9.4V16H16Z" fill="currentColor"/></svg> Linkedin </a> </div> </div>  </div> </main>   <div class="footer"> <div class="footer__upper"> <div class="footer__upper--wrapper"> <div class="back-to-top__wrapper"> <button class="back-to-top" aria-label="Back to top"> <svg class="back-to-top__icon" aria-hidden="true" focusable="false" width="28" height="47" viewBox="0 0 28 47" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M6 8.82715L14 1.00106" stroke="white" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/><path d="M22 8.82715L14 1.00106" stroke="white" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/><path d="M14 21L14 1" stroke="white" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/><path d="M2.94 41V33.41H0.36V31.25H8.1V33.41H5.52V41H2.94ZM13.2027 41.18C12.5227 41.18 11.9027 41.065 11.3427 40.835C10.7927 40.605 10.3177 40.275 9.9177 39.845C9.5277 39.405 9.2227 38.87 9.0027 38.24C8.7827 37.6 8.6727 36.88 8.6727 36.08C8.6727 35.28 8.7827 34.57 9.0027 33.95C9.2227 33.32 9.5277 32.795 9.9177 32.375C10.3177 31.945 10.7927 31.62 11.3427 31.4C11.9027 31.18 12.5227 31.07 13.2027 31.07C13.8727 31.07 14.4877 31.18 15.0477 31.4C15.6077 31.62 16.0827 31.945 16.4727 32.375C16.8727 32.805 17.1827 33.33 17.4027 33.95C17.6227 34.57 17.7327 35.28 17.7327 36.08C17.7327 36.88 17.6227 37.6 17.4027 38.24C17.1827 38.87 16.8727 39.405 16.4727 39.845C16.0827 40.275 15.6077 40.605 15.0477 40.835C14.4877 41.065 13.8727 41.18 13.2027 41.18ZM13.2027 38.96C13.7927 38.96 14.2527 38.705 14.5827 38.195C14.9227 37.675 15.0927 36.97 15.0927 36.08C15.0927 35.19 14.9227 34.505 14.5827 34.025C14.2527 33.535 13.7927 33.29 13.2027 33.29C12.6127 33.29 12.1477 33.535 11.8077 34.025C11.4777 34.505 11.3127 35.19 11.3127 36.08C11.3127 36.97 11.4777 37.675 11.8077 38.195C12.1477 38.705 12.6127 38.96 13.2027 38.96ZM19.4784 41V31.25H23.0484C23.5784 31.25 24.0834 31.305 24.5634 31.415C25.0434 31.515 25.4634 31.695 25.8234 31.955C26.1834 32.205 26.4684 32.54 26.6784 32.96C26.8984 33.37 27.0084 33.88 27.0084 34.49C27.0084 35.09 26.8984 35.605 26.6784 36.035C26.4684 36.465 26.1834 36.82 25.8234 37.1C25.4634 37.37 25.0484 37.575 24.5784 37.715C24.1084 37.845 23.6184 37.91 23.1084 37.91H22.0584V41H19.4784ZM22.0584 35.87H22.9884C23.4984 35.87 23.8734 35.75 24.1134 35.51C24.3634 35.27 24.4884 34.93 24.4884 34.49C24.4884 34.05 24.3534 33.74 24.0834 33.56C23.8134 33.38 23.4284 33.29 22.9284 33.29H22.0584V35.87Z" fill="white"/></svg> </button> </div> <div class="footer__logo-group"> <img src="https://www.oaic.gov.au/__data/assets/file/0020/12962/logo.svg" class="logo--main" alt="OAIC logo"> <a href="https://www.oaic.gov.au/about-the-OAIC/access-our-information/freedom-of-information-requests-to-the-oaic" class="footer-logo" aria-label="OAIC sub-logo"> <img src="https://www.oaic.gov.au/__data/assets/file/0021/12963/logo2.svg" class="logo--sub" alt="OAIC sub logo"> </a> <a href="https://www.oaic.gov.au/about-the-OAIC/access-our-information/our-information-publication-scheme" class="footer-logo" aria-label="OAIC Information Publication Scheme"> <img src="https://www.oaic.gov.au/__data/assets/image/0026/91385/ips_white_text.png" class="logo--sub" width="120px" alt="Information Publication Scheme"> </a> </div><div class="footer__link-group"> <ul class="link-list"> <li><a href="https://www.oaic.gov.au/sitemap" class="footer-link" aria-label="Site map">Site map</a></li><li><a href="https://www.oaic.gov.au/about-the-OAIC/copyright" class="footer-link" aria-label="Copyright">Copyright</a></li><li><a href="https://www.oaic.gov.au/about-the-OAIC/terms-and-conditions" class="footer-link" aria-label="Terms and conditions">Terms and conditions</a></li><li><a href="https://www.oaic.gov.au/about-the-OAIC/our-corporate-information/plans-policies-and-procedures/privacy-policy" class="footer-link" aria-label="Privacy policy">Privacy policy</a></li><li><a href="https://www.oaic.gov.au/about-the-OAIC/accessibility" class="footer-link" aria-label="Accessibility">Accessibility</a></li> </ul> </div> </div> </div> <div class="footer__lower"> <div class="footer__util-group"> <div class="footer__contact"> <a href="https://www.oaic.gov.au/contact-us" class="contact--link" aria-label="Contact us">Contact us</a> <a href="tel:1300 363 992" class="contact--phone" aria-label="Call 1300 363 992">1300 363 992</a> <p class="contact--hours">Monday to Thursday 10 am to 4 pm (AEST/AEDT)</p> </div> <div id="footer_language_listing_13517"> <div class="footer__language-list"> <label for="languages">Translations</label> <select name="languages" id="languages" onChange="if (this.value.startsWith('https://www.oaic.gov.au')) window.location = this.value;"> <option value="">Please select…</option> <option lang="ar" value="https://www.oaic.gov.au/engage-with-us/translations/arabic">العربية</option><option lang="zh" value="https://www.oaic.gov.au/engage-with-us/translations/chinese">中文</option><option lang="el" value="https://www.oaic.gov.au/engage-with-us/translations/greek">ελληνικός</option><option lang="it" value="https://www.oaic.gov.au/engage-with-us/translations/italian">Italiano</option><option lang="es" value="https://www.oaic.gov.au/engage-with-us/translations/spanish">Español</option><option lang="th" value="https://www.oaic.gov.au/engage-with-us/translations/thai">ไทย</option><option lang="vi" value="https://www.oaic.gov.au/engage-with-us/translations/vietnamese">Tiếng Việt</option><option lang="pa-IN" value="https://www.oaic.gov.au/engage-with-us/translations/about-the-oaic-punjabi">ਪੰਜਾਬੀ</option><option lang="" value="https://www.oaic.gov.au/engage-with-us/translations/about-the-oaic-karen"></option><option lang="EN" value="https://www.oaic.gov.au/engage-with-us/translations/easy-english">Easy English</option> </select> </div> </div> <div class="footer__social"> <p class="social--header">Follow us</p> <ul class="social-list"> <li> <a href="https://www.facebook.com/OAICgov" class="social-link social-link--facebook" aria-label="OAIC on Facebook"> <img class="social-icon" src="https://www.oaic.gov.au/__data/assets/file/0025/12958/facebook.svg" alt="OAIC on Facebook"> </a> </li> <li> <a href="https://twitter.com/OAICgov" class="social-link social-link--twitter" aria-label="OAIC on Twitter" > <img class="social-icon" src="https://www.oaic.gov.au/__data/assets/file/0026/12959/x-logo.svg" alt="OAIC on Twitter"> </a> </li> <li> <a href="https://www.youtube.com/user/oaicgov" class="social-link social-link--youtube" aria-label="OAIC on Youtube" > <img class="social-icon" src="https://www.oaic.gov.au/__data/assets/file/0018/12960/youtube.svg" alt="OAIC on Youtube"> </a> </li> <li> <a href="https://au.linkedin.com/company/office-of-the-australian-information-commissioner" class="social-link social-link--linkedin" aria-label="OAIC on Linkedin"> <img class="social-icon" src="https://www.oaic.gov.au/__data/assets/file/0019/12961/linkedin.svg" alt="OAIC on Linkedin"> </a> </li> <li> <a href="https://www.instagram.com/oaicgov/" class="social-link social-link--Instagram" aria-label="OAIC on Instagram" > <img class="social-icon" src="https://www.oaic.gov.au/__data/assets/file/0023/91364/Instagram_Glyph_White.svg" alt="OAIC on Instagram"> </a> </li> </ul> </div> </div> <div class="footer__content-group"> <p class="footer__content-header">Acknowledgement of Country</p> <p class="footer__content-text">The OAIC acknowledges Traditional Custodians of Country across Australia and their continuing connection to land, waters and communities. We pay our respect to First Nations people, cultures and Elders past and present.</p> <p class="footer__content-copyright">© Commonwealth of Australia</p> </div> </div> </div>   </div>   <div id="footer_js" style="display: none !important;"> <script src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/js/runtime.js?h=06ed308"></script> <script src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/js/main.js?h=06ed308"></script> <script src="https://www.oaic.gov.au/__data/assets/js_file/0025/242791/custom.js"></script> <script> var lhsWrapper = document.querySelector('.lhs-wrapper'); if(lhsWrapper) { lhsWrapper.innerHTML.trim() === '' ? lhsWrapper.style.display='none' : ''; } //Readpeaker function readSpeaker() { var readButtonContent = ` <div id="readspeaker_button1" class="rs_skip rsbtn rs_preserve"> <a rel="nofollow" class="rsbtn_play" accesskey="L" title="Listen to this page using ReadSpeaker webReader" href="//app-oc.readspeaker.com/cgi-bin/rsent?customerid=9755&lang=en_au&readclass=page-content&url=https%3A%2F%2Fwww.oaic.gov.au%2Fconsumer-data-right%2Fconsumer-data-right-assessments%2Fsummary-report-of-cdr-assessment-5"> <span class="rsbtn_left rsimg rspart"><span class="rsbtn_text"><span>Listen</span></span></span> <span class="rsbtn_right rsimg rsplay rspart"></span> </a> </div>`; var readButtonSearch = ` <div id="readspeaker_button2" class="rs_skip rsbtn rs_preserve"> <a rel="nofollow" class="rsbtn_play" accesskey="L" title="Listen to this page using ReadSpeaker webReader" href="//app-oc.readspeaker.com/cgi-bin/rsent?customerid=9755&lang=en_au&readclass=search-content&url=https%3A%2F%2Fwww.oaic.gov.au%2Fconsumer-data-right%2Fconsumer-data-right-assessments%2Fsummary-report-of-cdr-assessment-5"> <span class="rsbtn_left rsimg rspart"><span class="rsbtn_text"><span>Listen</span></span></span> <span class="rsbtn_right rsimg rsplay rspart"></span> </a> </div>`; //for content pages var pageContent = document.querySelector('.page-content'); //for search pages var pageSearch = document.querySelector('.search-content'); if(pageContent) pageContent.insertAdjacentHTML('afterbegin', readButtonContent); if(pageSearch) pageSearch.insertAdjacentHTML('afterbegin', readButtonSearch); } readSpeaker(); </script> <script> function feedbackGrepCallback(response) { if (response.length > 0) { document.querySelector(".feedback__submit input").disabled = false } } function feedbackGrepExpiredCallback(response) { if (!response) { document.querySelector(".feedback__submit input").disabled = true } } </script> </div> <style> .page-content section.banner-grey-newsroom__wrapper, .page-content section.landing-page { display: none; } </style>   </body> </html>

CINXE.COM

Summary report of Consumer Data Right assessment 5 | OAIC