Time to draw up CDR management plan
Businesses that plan to be accredited entities under the Consumer Data Right regime will be expected to develop a CDR management plan and establish good data and information governance. Businesses should also implement risk management processes that allow identification, assessment and management of privacy risks and CDR security risks.

These are among the recommendations included in privacy safeguard guidelines issued by the Office of the Australian Information Commissioner in the lead-up to the introduction of CDR. CDR kicks off in July, with the implementation of open banking first cab off the rank.

There are 13 legally binding privacy safeguards in the Competition and Consumer Act's section on CDR. They cover the collection and management of data, notification and disclosure, use of data for marketing, data quality standards, the right to anonymity, data correction, and destruction or de-identification of redundant data.

The privacy safeguards apply to: accredited persons who have been granted accreditation by the ACCC to receive CDR data; accredited data recipients who have collected CDR data from a data holder or another accredited data recipient; data holders who hold the original data; and designated gateways, which are entities designated as responsible for facilitating the transfer of information between data holders and accredited persons.

The OAIC's guidelines explain how the Information Commissioner will interpret and apply the privacy safeguards, and include good privacy practice. The guidelines are not legally binding. They have been designed to help businesses avoid practices that may breach the privacy safeguards, and they complement a set of rules issued by the Australian Competition and Consumer Commission last month. The guidelines also explain the interaction between the CDR privacy safeguards and the Australian Privacy Principles.

A key element of CDR is that accredited persons may only collect and use consumer data covered by CDR with the consent of the consumer. Control of the data is always in the hands of the consumer. One of the privacy safeguards prohibits an accredited person from seeking to collect data under the CDR regime unless it is in response to a "valid request" from the consumer.

The OAIC guidelines include a number of tips for designing internal systems for handling CDR data. CDR privacy processes should be monitored and evaluated regularly.

One of the privacy safeguards says that if an accredited person collects CDR data they must notify the consumer that they have collected the data. The OAIC guideline says notification should be automated and real-time, and that it should be as simple and easy to understand as possible.

An important element of the CDR rules is a data minimisation principle: accredited persons must not seek to collect more data than is reasonably needed. The OAIC guideline says an accredited person should set up systems and processes so that it can identify the minimum CDR data needed for a particular good or service, to reduce the risk of "over-collection".

Another guideline is that consumers should be able to easily opt