Consumers will have greater control of their data and what it is used for under Australia’s new consumer data right, according to new privacy guidelines released today.
“Data can only be shared at the consumer’s request, for a specific purpose and for a limited time period. Consumers also have the right to ask for their data to be deleted if the business no longer needs it,” explained Angelene Falk, Australian Information Commissioner and Privacy Commissioner.
Falk’s office, the OAIC, has today released guidelines for business on how to safeguard consumers’ privacy under the Consumer Data Right.
The Consumer Data Right will first be implemented in the banking sector from July 2020 and will allow consumers to safely transfer their data to accredited recipients so they can compare services. It will then be extended to other sectors of the economy, starting with energy and telco.
The OAIC will regulate and enforce the privacy aspects of the CDR system and handle consumer complaints.
The CDR Privacy Safeguard Guidelines have been finalised following consultation with industry, the Australian Competition and Consumer Commission (ACCC) and other stakeholders. They complement the ACCC’s CDR Rules, which came into force on 6 February 2020.
“The CDR Privacy Safeguard Guidelines set out how businesses must protect consumers’ data under the new Consumer Data Right,” Falk said. “They build on Australia’s existing privacy framework and provide detailed guidance for businesses handling consumers’ data in the new system to ensure it is protected.”
Speaking last week during a panel at Gartner’s Data & Analytics Summit, Lisa Schutz, the managing director of Verifier, one of the initial open banking data recipients, made the point that CDR’s privacy rules differ from the Privacy Act.
“One of the challenges of a consumer data right is that it runs its own privacy settings,” Schutz said.
Consumers must consent to their data being used for a specific purpose and organisations will have to report back to the ACCC about which data they obtained and what they used it for, she said.
At the same event, the Chair of the CDR standards body, Andrew Stevens, urged attendees to revisit their consent frameworks in preparation for changes, while Jamie Twiss, Chief Data Officer at Westpac, highlighted the need for tighter privacy rules as the data portability mechanisms improve.
“Historically, we’ve had relatively weak privacy and consent frameworks across the economy, because we used friction as a proxy for privacy. We didn’t worry too much about what people could do with other people’s data because the answer was you couldn’t do very much,” Twiss said.
“As the technology has improved, obviously, we see the need to actually lock that stuff down. Now, the interesting thing about the CDR is that obviously it puts in place a clear framework for how we move forward with consent. But also as we re-architect our systems and as we get better at data sharing, it will increase the need to lock that down even further. So I think we’re at the very beginning of quite a long journey of privacy.”