Question
When an Authorised Deposit-Taking Institution receives CDR data from an external source it becomes a data holder of that data (Sec 56AJ(4), and explanatory notes 1.88).
- Must this external data be included in the data provided to the CDR Consumer (when answering a direct request from the consumer)?
- Must this external data be included in the data provided to an Accredited Person (when answering a third party data request)?
Answer
This question has two elements to address:
- If an Authorised Deposit-Taking Institution receives designated CDR data, through any means other than the CDR, the Authorised Deposit-Taking Institution is a data holder of that data (‘first case’ reciprocity 56AJ(1)).
- If an Authorised Deposit-Taking Institution is accredited, and receives CDR data via the CDR regime, the Authorised Deposit-Taking Institution will become a data holder only if the conditions in 56AJ(4) and Clause 7.2 of Schedule 3 are met (‘third case’ reciprocity 56AJ(4)).
Once the Authorised Deposit-Taking Institution is a data holder in respect of the data, the Authorised Deposit-Taking Institution is required to share that data in response to a valid request (whether under the direct to consumer mechanism or with an Accredited Data Recipient).
In response to question 1, there is currently no requirement for data holders to provide functionality that facilitates consumer data requests made by CDR consumers.
What are the correction obligations where 3rd case reciprocity has occurred? For example, if Data Holder 1 has become a data holder under third case reciprocity with respect to data originally received from Data Holder 2, what are their obligations for corrections (e.g., how can they correct data they weren’t responsible for creating)?
It is necessary to consider if Privacy Safeguard 13 (correction at the request of a consumer) applies. If Privacy Safeguard 13 applies, it is necessary to consider rule 7.15 of the CDR Rules, which outlines the steps to be taken when responding to correction requests.
If Privacy Safeguard 13 does apply because Data Holder 1 has previously disclosed that data previously received from Data Holder 2, then in response to a request to correct from a consumer, Data Holder 1 must either:
- Correct the data if Data Holder 1 has the necessary information to correct or include a statement with the data, even though they were not the originating source of the data. For example, if data received from Data Holder 2 had an incorrect address for a consumer, and the consumer asks Data Holder 1 to correct that data, Data Holder 1 may be able to correct if the consumer presents them with a proof of address.
- Give notice to the consumer why a correction or amending statement is not necessary or appropriate in the circumstances. For example, this may include if Data Holder 1 is unable to interrogate the data because they are not privy to why the record was made in the first place. In these circumstances, it is recommended that Data Holder 1 advise the consumer to contact Data Holder 2 to make that correction.
Comments
0 comments
Please sign in to leave a comment.