Privacy issues raised regarding CDR extension

The federal Treasury engaged Australian law firm Maddocks to conduct an “independent analysis and assessment” of the proposed rule amendments to identify privacy risks to individuals arising from the proposed amendments and set out recommendations for managing, minimising or eliminating these impacts.

The analysis, conducted in September, flagged concerns associated with sharing data with trusted advisers.   

The 83-page report, which was published by the Treasury on Thursday (7 October), notes a series of risks and recommendations designed to mitigate these concerns.

Present in the report were seven risks associated with consumers sharing their CDR data with trusted advisers, orbiting how secure this data will be once it is shared with someone outside the CDR regime; whether this data could be shared with someone who doesn’t align with the CDR regime or the trusted adviser class; and whether consumers could be unaware of the implications in sharing their data or if they may forget key details in their disclosure. 

In relation to these risks, Maddocks noted in its recommendations that the Treasury should: 

• Only allow CDR data to be disclosed outside of the CDR regime to trusted advisers who are Australian Privacy Principles (APP) entities for the purposes of the Privacy Act 
• Only allow CDR data to be disclosed outside of the CDR regime to trusted advisers who have agreed through a “contractual arrangement with the accredited data recipient” to comply with the APP (namely APP 1, APP 6 and APP 11) if the above is not possible or practical 
• Require the accredited data recipient to tell the trusted adviser of the scope of the CDR consumer’s consent, and to remind the recipient, such as the trusted adviser, of their “fiduciary or regulatory obligations in relation to the CDR consumer” if the above is not possible or practical

In addition, the report recommended that the Treasury consider undertaking an analysis of whether each of the proposed classes of trusted adviser will at least “be subject to obligations that will require the recipient to use CDR data that it receives consistently with the consents provided by the CDR consumer”.

However, in its response, which was also published on Thursday (7 October), the Treasury stated that it did not accept the above recommendations, noting that the classes of trusted adviser include professions that are “regulated and subject to professional duties and oversight that provide an appropriate level of consumer protections”. 

The Treasury added that, while many trusted advisers will be APP entities under the Privacy Act, “requiring all trusted advisers to be subject to the Privacy Act may unduly impede consumer choice in circumstances where professional oversight and regulation exists”. 

Timeline of CDR changes roll-out released 

The Treasury has also now unveiled the planned framework for how these new CDR changes will come into effect, commencing with the updates to CDR representatives and outsourced services providers beginning from 19 October, two weeks after registration.

Consumers wishing to share their data with trusted advisers, or to disclose limited data insights outside the CDR regime may do so next year, with the changes related to trusted advisers and CDR insights commencing at the earlier of the data standards chair making new standards and 1 February 2022. 

The changes to sponsored level of accreditation are also expected to commence 1 February 2022, while the single consent model for joint accounts will be available from 1 July 2022. 

[Related: Brokers to access CDR data]