Under the CDR Rules, certain categories of consents are given by consumers to accredited persons (including affiliates) or CDR representatives. The CDR Rules do not provide for these consents to be transferred to a different accredited person. The CDR Rules also do not provide for consents given to a CDR representative in the course of one representative arrangement to be transferred to a new representative arrangement, or to be relied upon after the arrangement ceases.
As a result, when a person changes their participation model, the person may need to seek new consents from relevant consumers. For example:
- A CDR representative’s ability to participate in CDR is dependent on their representative arrangement with their CDR principal. This means that when a CDR representative changes its CDR principal (therefore entering into a new representative arrangement), or ceases its representative arrangement and moves to sponsored or unrestricted accreditation, the current consents will expire. As such, they will need to seek new consents from the relevant consumers.
- Where an affiliate changes its sponsor. This is because the affiliate is required to identify the sponsor that will collect CDR data on the affiliate's behalf. If that sponsor changes, the affiliate will need to expire affected consents and seek a new consent from consumers providing details of the new sponsor. However, other use or disclosure consents given to the affiliate can continue in accordance with rule 5.1B(6) of the CDR Rules.
Please note that such changes will also trigger requirements to de-identify and/or delete relevant consumer data.
The Consumer Data Standards provide that ADRs must register a Data Recipient Software Product (DRSP) in order to interact with the CDR Register, and subsequently, CDR Data Holders.
DRSPs are the means by which accredited data recipients identify themselves to data holders. The DRSP details are used by data holders to provide details of the data sharing arrangement (i.e. the authorisation) to the consumer via the data holder’s consumer dashboard. Consents are also managed through the DRSP. Therefore, if a DRSP registered by one entity could be used by a different legal entity, this could enable the new legal entity to use the existing consents given to other entity and managed by that DRSP, despite the transfer of consents in this way not being provided for under the CDR Rules.
In order to give effect to the CDR Rules, the ACCC will not permit the use of a DRSP by a legal entity other than the legal entity that first registered the DRSP. In addition, the ACCC will not allow the same DRSP to be used by an entity that changes from a representative arrangement to restricted or unrestricted accreditation. Entities that wish to change these arrangements will need to seek deactivation of their original DRSP (triggering the de-identification or deletion of collected data and insights drawn from it), and activation of a new DRSP. The ACCC Technology Operations, On-Boarding and Accreditation Teams are available to discuss managing these occurrences. Please contact accc-cdr@accc.gov.au to discuss.
To try to ensure optimal outcomes for consumers, the ACCC is also developing guidance for the naming of software products and will be actively monitoring the list of existing DRSPs to ensure that the registered information meets the relevant requirements of the Register.
Comments
0 comments
Please sign in to leave a comment.