Rule 5.14(1)(a) of the CDR Rules states that an accredited person must notify the Data Recipient Accreditor (the ACCC) within 5 business days if any material change in its circumstances occurs that might affect its ability to comply with its obligations under Subdivision 5.2.3.
In considering whether a notification is required an accredited person must assess whether a change is 1) material, and 2) whether that change might affect its ability to comply with its obligations under Subdivision 5.2.3 of the CDR Rules, taking into account its specific circumstances. For example, if an accredited person becomes insolvent, this would likely be a material change that may affect their ability to comply with the obligations of an accredited person. As such they would likely be required to report this material change in circumstances to the ACCC within 5 business days.
Whether a change is material and likely to affect compliance obligations will need to be considered on a case by case basis. For example, engaging a new outsourced service provider or CDR representative may not, on its own, constitute a material change such that the ACCC would need to be notified under rule 5.14(1). An accredited person must consider the effect that engaging a new outsourced service provider or CDR representative would have on their ability to comply with the obligations in Subdivision 5.2.3. If, for example, engaging a new outsourced service provider may affect the appropriateness of the existing level of insurance or an accredited person’s ability to comply with the Schedule 2 information security controls, then the accredited person would need to notify the ACCC under rule 5.14(1)(a). This notification requirement applies even if such information would be provided to the ACCC later through Schedule 1 reporting obligations.
This is because the ongoing reporting obligation in Schedule 1 to the CDR Rules and the notification obligations in rule 5.14(1) are distinct, i.e. neither obligation can substitute the other. We note that:
- Rule 5.14(1) concerns all obligations under Subdivision 5.2.3 of the CDR Rules and not just those relating to information security, for example a new outsourced service provider arrangement might also affect the accredited person’s ability to comply with the obligation to have adequate insurance or a comparable guarantee.
- There may be a long period between a material change and an accredited person’s reporting period under Schedule 1. Therefore, the fact that material changes may be captured in an accredited person’s attestation statements and assurance reports does not mean that rule 5.14(1) need not be complied with.
- Further, there may be changes relevant to the Schedule 1 reporting obligation that may not necessarily meet the threshold required to enliven the notification obligation under rule 5.14(1).