Website Notifications

Get notifications in real-time for staying up to date with content that matters to you.

Privacy issues raised regarding CDR extension

digital technology user digital technology user
Sam Nichols 5 minute read

The Treasury has published an analysis into the Consumer Data Right amendments, which warn of potential shortcomings in data security.

Following on from the announcement that the Consumer Data Right (CDR) will be expanded to give mortgage brokers and other “trusted advisers” access to Consumer Data Right (CDR) data, the Treasury has now released a Privacy Impact Assessment (PIA) on the matter.

The federal Treasury engaged Australian law firm Maddocks to conduct an “independent analysis and assessment” of the proposed rule amendments to identify privacy risks to individuals arising from the proposed amendments and set out recommendations for managing, minimising or eliminating these impacts.

The analysis, conducted in September, flagged concerns associated with sharing data with trusted advisers.   


The 83-page report, which was published by the Treasury on Thursday (7 October), notes a series of risks and recommendations designed to mitigate these concerns.

Present in the report were seven risks associated with consumers sharing their CDR data with trusted advisers, orbiting how secure this data will be once it is shared with someone outside the CDR regime; whether this data could be shared with someone who doesn’t align with the CDR regime or the trusted adviser class; and whether consumers could be unaware of the implications in sharing their data or if they may forget key details in their disclosure. 

In relation to these risks, Maddocks noted in its recommendations that the Treasury should: 

  • Only allow CDR data to be disclosed outside of the CDR regime to trusted advisers who are Australian Privacy Principles (APP) entities for the purposes of the Privacy Act 
  • Only allow CDR data to be disclosed outside of the CDR regime to trusted advisers who have agreed through a “contractual arrangement with the accredited data recipient” to comply with the APP (namely APP 1, APP 6 and APP 11) if the above is not possible or practical 
  • Require the accredited data recipient to tell the trusted adviser of the scope of the CDR consumer’s consent, and to remind the recipient, such as the trusted adviser, of their “fiduciary or regulatory obligations in relation to the CDR consumer” if the above is not possible or practical

In addition, the report recommended that the Treasury consider undertaking an analysis of whether each of the proposed classes of trusted adviser will at least “be subject to obligations that will require the recipient to use CDR data that it receives consistently with the consents provided by the CDR consumer”.

However, in its response, which was also published on Thursday (7 October), the Treasury stated that it did not accept the above recommendations, noting that the classes of trusted adviser include professions that are “regulated and subject to professional duties and oversight that provide an appropriate level of consumer protections”. 


The Treasury added that, while many trusted advisers will be APP entities under the Privacy Act, “requiring all trusted advisers to be subject to the Privacy Act may unduly impede consumer choice in circumstances where professional oversight and regulation exists”. 

Timeline of CDR changes roll-out released 

The Treasury has also now unveiled the planned framework for how these new CDR changes will come into effect, commencing with the updates to CDR representatives and outsourced services providers beginning from 19 October, two weeks after registration.

Consumers wishing to share their data with trusted advisers, or to disclose limited data insights outside the CDR regime may do so next year, with the changes related to trusted advisers and CDR insights commencing at the earlier of the data standards chair making new standards and 1 February 2022. 

The changes to sponsored level of accreditation are also expected to commence 1 February 2022, while the single consent model for joint accounts will be available from 1 July 2022. 

[Related: Brokers to access CDR data]

Privacy issues raised regarding CDR extension
digital technology user
TheAdviser logo

If you’re feeling overworked and overwhelmed in this fast-paced mortgage market, it’s time to make some changes, and the Business Accelerator Program can help! Work smarter, not harder, in 2022 and beyond, visit the website here to secure your ticket.

digital technology user

Sam Nichols

Sam Nichols is a journalist at The Adviser and Mortgage Business. His reporting has featured in a range of outlets including ABC News, SBS' The Feed, and VICE.


more from the adviser
Stephen Moore headshot

Breaking News

Brokers will dictate future of Choice, FAST, PLAN: White

After its management restructure, Loan Market Group will continue...

Peter Lock Kerry Betros Heritage

Breaking News

Heritage leaders address merger proposal concerns

The chairman and chief executive of Heritage Bank have addressed ...

uptick graph

Breaking News

Wisr reports 113% loan book growth

The non-bank lender originated a record $132 million over the las...