The Office of the Australian Information Commissioner has begun consulting on the privacy rules surrounding the government’s controversial Consumer Data Right, with plans to reach out to FinTechs and SMEs that may never have dealt with such regulations before.
The OAIC has been tasked by government with developing guidelines to help companies working under the new data-sharing regime to not breach the associated privacy safeguards.
The Consumer Data Right, which paves the way for open banking and other data-sharing schemes across different sectors, was passed by Parliament with bipartisan support in August, despite concerns about privacy, security and sectoral coverage.
The government has developed a new set of privacy safeguards which would override the Australian Privacy Principles when dealing with the CDR.
The CDR is to launch February next year through the open banking scheme, with testing currently underway.
The OAIC has now launched its own consultation on its draft privacy safeguard guidelines, which it said would assist industry in understanding their new obligations under the CDR, and ensure that consumers were able to easily access and transfer their own data with their consent.
Australian Information Commissioner Angelene Falk said the office has an important role to play as many of the businesses interacting with the CDR may not have previously had obligations under the Australian Privacy Act.
“We are looking for business to engage with the draft guidelines, including small business as they will be subject to privacy obligations when they are accredited,” Australian Information Commissioner Angelene Falk said.
“This may be a new experience for them, given many small businesses are not subject to the Privacy Act, and we want to provide guidance and practical tips to all CDR participants to help them to comply with the scheme’s privacy safeguards.”
The data body aims to better understand how it can achieve its role of helping entities comply with their privacy obligations under the CDR, and to identify knowledge gaps where it needs to provide further guidance.
The OAIC is accepting submissions until 20 November, and will report to the Treasurer and release the final privacy safeguard guidelines on 16 December.
The OAIC wants feedback on whether its draft guidelines are clear, relevant and practical, and whether there are any further topics that need to be covered.
The draft privacy safeguard guidelines are set out in 13 chapters, covering the standards, rights and obligations relating to collecting, using, disclosing and correcting CDR data for which there are one or more consumers.
The guidelines are legally binding statutory provisions which apply to all entities authorised or required under the CDR to collect, use or disclose CDR data.
They outline that a company must have the express consent of a consumer before they release their data, and this must be voluntary, informed, specific to a purpose, time limited and easily withdrawn.
“Consumer consent for the collection and use of their data is the bedrock of the CDR regime. Consent enables consumers to be the decision makers in the CDR regime, ensuring that they can direct where their data goes in order to obtain the most value from it,” the guidelines state.
The companies will also be responsible for ensuring the CDR data is protected from “misuse, interference and loss”, as well as from “unauthorised access, modification or disclosure”.
To take part in the CDR scheme, a data holder or receive must define and implement security governance, set out the boundaries of the CDR data environment, have and maintain an information security capability, implement a formal controls assessment program and manage and report security incidents.
The guidelines also address anonymity and pseudonymity, notifications, disclosure and corrections to the data.
The Coalition last month introduced an amendment to the CDR legislation introducing a right to delete clause for data caught up in the scheme.
The 10 FinTechs to help test the open banking scheme along with the big four banks were also revealed in September, ahead of the formal launch in February.