- The ACCC has revised its guidance on the notification obligation for data holders under rule 4.28.
- Treasury previously consulted on proposed changes to rule 4.28 as part of its consultation on exposure draft operational amendments to the CDR Rules.
- Treasury intends to consult further before progressing any changes, including on whether there should be a requirement to notify account holders when a secondary user provides a new authorisation for the account.
- The ACCC’s revised guidance on the current rule 4.28 requirement is described in the article below.
- Data holders with concerns about compliance with rule 4.28 can contact the CDR Compliance team at email@example.com.
- Further feedback on the operation of rule 4.28 can be provided to Treasury at firstname.lastname@example.org.
Do the notification requirements under rule 4.28 require data holders to notify an account holder every time an accredited person makes a consumer data request on behalf of a secondary user, or only when a secondary user provides consent for consumer data to be shared from that account?
Under rule 4.28 of the CDR Rules (and in line with the ACCC secondary user fact sheets found here), a data holder must notify an account holder as soon as practicable, through its ordinary means of contacting them, if an accredited person makes a consumer data request on behalf of a secondary user and one of the following occurs:
- a secondary user amends or withdraws an authorisation; or
- an authorisation given by the secondary user expires.
Under rules 4.3 and 4.4, a consumer data request by an accredited person on behalf of a CDR consumer is a request to collect the CDR consumer’s CDR data from a CDR participant and use it in order to provide goods or services to the CDR consumer.
‘Ordinary means of contacting’ is defined under rule 1.7(1) as either the particular means of contacting the account holder that the data holder has agreed with the account holder, or the default means by which the data holder contacts the account holder.