OAIC publishes CDR privacy guidelines

The Office of the Australian Information Commissioner (OAIC) has published new guidelines for businesses on how to safeguard consumers’ privacy under the new Consumer Data Right (CDR) regime.

The guidelines aim to help companies participating in the CDR system understand their privacy obligations to consumers.

They include detailed information on the privacy safeguards baked into the regime, including the requirements for anonymity and pseudonymity in some circumstances, for open and transparent management of consumer data, and mechanisms for dealing with unsolicited data.

In addition, the guidelines provide chapters on correction of CDR data, destruction or de-identification of redundant data, and the use or disclosure of data by accredited data recipients or designated gateways.

The CDR, which will be first rolled out to the banking sector from July, will allow consumers to direct companies holding data on them to securely transfer it to accredited recipients including comparison service providers.

Following its introduction to the banking sector, the government plans to expand the regime to other areas of the economy, starting with energy and telecommunications.

The OAIC has been tasked with regulating and enforcing the privacy aspects of the CDR system and handling consumer complaints.

“The CDR Privacy Safeguard Guidelines set out how businesses must protect consumers’ data under the new Consumer Data Right,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

“They build on Australia’s existing privacy framework and provide detailed guidance for businesses handling consumers’ data in the new system to ensure it is protected.”

Image credit: ©stock.adobe.com/au/steuccio79