Welcome to the Consumer Data Right Support Portal

Check out our guides, browse through our FAQs, and post your own questions for Support.

New to the Consumer Data Right? Learn more

Rule 4.28 Notification requirements | Frequency of notifications to account holders in relation to secondary users Follow

Avatar
ACCC Regulatory Guidance
  • Created:
  • Last edited:
  • Updated
  • The ACCC has revised its guidance on the notification obligation for data holders under rule 4.28.
  • Treasury previously consulted on proposed changes to rule 4.28 as part of its consultation on exposure draft operational amendments to the CDR Rules.
  • Treasury intends to consult further before progressing any changes, including on whether there should be a requirement to notify account holders when a secondary user provides a new authorisation for the account.
  • The ACCC’s revised guidance on the current rule 4.28 requirement is described in the article below.
  • Data holders with concerns about compliance with rule 4.28 can contact the CDR Compliance team at accc-cdr@accc.gov.au.
  • Further feedback on the operation of rule 4.28 can be provided to Treasury at data@treasury.gov.au. 

Question

Do the notification requirements under rule 4.28 require data holders to notify an account holder every time an accredited person makes a consumer data request on behalf of a secondary user, or only when a secondary user provides consent for consumer data to be shared from that account?

Answer

Under rule 4.28 of the CDR Rules (and in line with the ACCC secondary user fact sheets found here), a data holder must notify an account holder as soon as practicable, through its ordinary means of contacting them, if an accredited person makes a consumer data request on behalf of a secondary user and one of the following occurs:

  • a secondary user amends or withdraws an authorisation; or
  • an authorisation given by the secondary user expires.

Under rules 4.3 and 4.4, a consumer data request by an accredited person on behalf of a CDR consumer is a request to collect the CDR consumer’s CDR data from a CDR participant and use it in order to provide goods or services to the CDR consumer.

‘Ordinary means of contacting’ is defined under rule 1.7(1) as either the particular means of contacting the account holder that the data holder has agreed with the account holder, or the default means by which the data holder contacts the account holder.

Comments

0 comments

Article is closed for comments.