The Office of the Australian Information Commissioner found 17 instances of non-compliance and 35 instances of partial compliance when it reviewed the privacy safeguards of seven accredited entities active on the Consumer Data Right register.

The OAIC said it did not identify any “high privacy risks” but found 14 medium risks and five low risks. None of the instances of partial or non-compliance were serious enough to warrant further regulatory action. The OAIC has used the findings to update its CDR privacy safeguard guidelines.

It should be noted that although the OAIC released the summary of its assessment recently, the assessment was “as at” February last year.

The entities subject to assessment were Adatree, Commonwealth Bank, Envestnet Yodlee, Frollo Australia, Illion Open Data Solutions, Intuit and Regional Australia Bank.

The CDR policies of three of them did not fully specify the classes of CDR data they held or may hold in future. Five only partially addressed the requirement to outline the purposes for which they may collect, hold, use or disclose data. Three did not explain how a consumer may access their CDR data and seek corrections.

None of the CDR policies the OAIC assessed contained every event about which accredited entities are required to notify consumers, such as information about giving, amending or withdrawing consent, or notification of data breaches.

The OAIC said all the policies it assessed needed more information about how the entity deletes redundant CDR data, and all but one had insufficient information about how complaints are handled and the scope of potential remedies.

It found that five of the entities assessed had deficiencies in their internal practices, procedures and systems for dealing with consumer complaints.