The CDR rules require data holders to provide information about authorisations associated with a joint account to joint account holders:
- R 4A.13(1)(c) requires the details of authorisations “that relate to joint account data” to be displayed in the consumer dashboards of joint account holders
- 14(1)(a) requires JAHs to be notified where a “requester has given, amended or withdrawn an authorisation, or that the authorisation has expired”.
These provisions only require data holders to provide information to joint accounts holders relevant to their joint account. They do not permit data holders to provide information about authorisations where that information relates to other accounts.
- Joint account holder 1 (JAH 1) is an account holder of 3 accounts: JA1, A1 and A2
- JAH 1 gives an authorisation that is associated with JA1 and A1 and then amends the authorisation so that A1 is disassociated from the authorisation and A2 is associated with the authorisation
- R 4A.13(1)(c) only requires details of the authorisation that relate to JA1 to be contained in the consumer dashboards of other joint account holders of JA1. Under r 4A.13(1)(c), data holders are not required or authorised to contain details of the authorisation that relate to A1 or A2 in the dashboards of other joint accounts holders of JA1.
- R 4A.14(1)(a) only requires DHs to notify the other joint account holders of JA1 that an authorisation was given in relation to JA1 and does not require DHs to notify the other joint accounts holders of matters that relate to A1 or A2.
- DHs likely would be in breach of their obligations under the Privacy Act 1988 if they were to disclose to other joint account holders details of matters that relate to A1 or A2 because there is no legal basis on which that information can be disclosed.
Language that can be used to provide the required information
While the rules refer to authorisations being given, amended, withdrawn or expired, data holders do not have to use this language when conveying the information required by the two provisions above. In addition to the example below, data holders may be assisted by the DSB’s CX guidelines on withdrawal when determining the appropriate language to use for notifications of this nature. Continuing on from the previous example:
- JAH 1 further amends their authorisation so that it is no longer associated with JA1 but continues to be associated with A2
- A data holder may fulfil its obligations under r 4A.14(1)(a) by giving the other joint account holders a notification that says something like “JAH 1 has stopped sharing data from this joint account under arrangement xyz”. The notification should not say something like “JAH1 has amended their authorisation so that it is no longer associated with this joint account”. The latter would reveal that JAH1’s authorisation is associated with other accounts which could amount to an unauthorised disclosure of JAH1’s personal information.