The term consumer data request is defined in rules 3.3, 4.4 and 4.7A of the CDR Rules as a request to disclose some or all of the CDR data that is the subject of a relevant consent and can be collected and used in compliance with the data minimisation principle. Therefore, a consumer data request is made each time an accredited data recipient seeks to collect consumer data from a data holder.
To make a consumer data request an accredited data recipient makes an API call to the data holder to collect the relevant consumer data. The Consumer Data Standards require data holders to provide a range of API endpoints, which can be invoked to obtain a range of consumer data.
The ACCC’s view is that each individual API call made with the intention of receiving consumer data is a consumer data request. While accredited data recipients may automate the making of such requests (for example, to progress multiple API calls at once), this does not change the nature of the underlying action.
For example, if the accredited data recipient needs to call basic transaction information from ‘Get Transactions for Account’ and balance information from ‘Get Account Balance’, this constitutes two consumer data requests. For the purposes of rule 9.4, accredited data recipients are expected to report on both “successful” consumer data requests (for example, requests that resulted in the requested CDR data being shared) and “unsuccessful” consumer data requests (for example, requests that did not result in the requested CDR data being shared).
For information about when data holders may refuse to share data, and how to report a refusal, see What constitutes a refusal to disclose required data?