Australia’s privacy watchdog, the Office of the Australian Information Commissioner, has released a draft document outlining the privacy guidelines for the upcoming Consumer Data Right (CDR).
The guidelines cover consent, notifications, data use, data quality, and security, among other privacy issues raised by Australia’s new data portability scheme. The guidelines are not legally binding but supplement the privacy safeguards laid out in CDR legislation, which are binding.
The public and industry have been invited to provide input on the rules, known as the Privacy Safeguard Guidelines, and can file submissions until the 20th of November. A final report will be delivered to the Treasurer and published on December 16.
CDR mandates that organisations share consumers’ data in a machine-readable way when consumers request it. The scheme is currently being piloted in the banking sector with a select group of participants but will eventually include the energy and telecommunications sectors.
Notwithstanding the consent requirement, sharing consumer data raises several security and privacy challenges. The OAIC says it wants to know whether its draft guidelines are “clear, relevant and practical” and if entities are confident they can understand their obligations.
“We are looking for business to engage with the draft guidelines, including small business as they will be subject to privacy obligations when they are accredited,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.
“This may be a new experience for them, given many small businesses are not subject to the Privacy Act, and we want to provide guidance and practical tips to all CDR participants to help them to comply with the scheme’s privacy safeguards.”
According to the new draft, the guidelines are not legally binding but do set out “how an entity should comply with the privacy safeguards and Consumer Data Rules in particular circumstances”.
CDR’s underlying legislation includes enforceable privacy safeguards, although they apply mainly to accredited data recipients. For an entity’s handling of CDR data, these safeguards apply in place of Australia’s main privacy laws, set out in the Privacy Act 1988 and the Australian Privacy Principles.
Those existing privacy laws have been widely criticised by privacy advocates for being unfit for a digital economy.