Schedule 2 to the CDR Rules sets out the steps to be taken for the purpose of privacy safeguard 12 (security of CDR data). These steps are intended to protect CDR data from, amongst other things, misuse and unauthorised access.
Clause 2.2, item 3(a), subitem (c) of Schedule 2 requires the following:
“Data loss and leakage prevention mechanisms are implemented to prevent data leaving the CDR data environment, including, but not limited to:
(c) email filtering and blocking methods that block emails with CDR data in text and attachments”
This clause applies in relation to data loss or leakage and does not apply in relation to authorised disclosures made to consumers. For example, a CDR consumer receiving a service from an ADR may consent to receive their CDR data directly via email. Disclosure of CDR data by the ADR via email or SMS may be permissible under the Rules (see rules 7.7 and 7.5(1)(c)) where appropriate consumer consents have been sought (please see Part 4 of the Rules, in particular Division 4.3). The ADR may also need to consider whether it requires a direct marketing consent (see rules 7.8 and 7.5(3)).
However, the other requirements in Schedule 2 (such as the encryption in transit requirement at clause 2.2, item 1(i)) will continue to apply. We note that the encryption in transit requirement may prevent ADRs from disclosing CDR data through unencrypted services such as the short message service (SMS) provided by traditional cellular networks, or unencrypted email services.
For clarification on the types of filtering and blocking requirements that apply, see our article: Filtering and blocking methods are not restricted to emails.