Question
As a Data Holder is it valid to block requests from outside Australia or to block requests from specific countries flagged as high risk? If valid, do these blocked requests need to be included in "refusal to disclose" statistics?
Answer
There is nothing in the rules or standards that prohibits requests from outside of Australia, so it would not be valid for a data holder to universally block traffic from non-Australian IPs that are otherwise compliant with the Information Security Profile. This is also applicable to scenarios where the customer IP address (passed as a header in the attended scenario) is non-Australian.
That said, it is understood that traffic originating from certain locations may be an indicator of risk for a specific session or API call. Combined with other risk factors this may result in the need to block traffic. This is the purpose of the rules and standards accommodations for refusal of otherwise valid CDR requests. All such refusals are, however, required to be included in the refusal statistics.
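As an added illustration of the risk-based approach described in the answer (this is example code, not from the Consumer Data Standards team or any data holder's implementation), the sketch below treats request location as one weighted signal among several, so that location alone can never push a request over the refusal threshold, while any refusal of an otherwise valid CDR request is recorded for the refusal statistics. The scoring weights, the threshold, the `ZZ` location code and the request fields are all constructed assumptions for the example.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed placeholder: locations the data holder treats as elevated risk.
# "ZZ" is not a real country code; substitute the organisation's own list.
ELEVATED_RISK_LOCATIONS = {"ZZ"}

# Hypothetical threshold: a request is refused only when its combined score
# reaches this value. Location signals alone sum to at most 3, so they never
# refuse on their own; another risk factor must be present.
REFUSAL_THRESHOLD = 4


@dataclass
class CdrRequest:
    request_id: str
    source_country: str              # resolved from the connecting IP (constructed)
    customer_country: Optional[str]  # from the customer IP header in attended flows
    failed_auth_attempts: int        # recent failed authentication attempts on the session
    anomalous_velocity: bool         # request rate far outside the consumer's usual pattern


@dataclass
class RefusalStats:
    served: int = 0
    refused: Counter = field(default_factory=Counter)  # refusal reason -> count


def risk_score(req: CdrRequest) -> int:
    """Combine independent risk signals into one score (weights are assumptions)."""
    score = 0
    if req.source_country != "AU":
        score += 1
    if req.source_country in ELEVATED_RISK_LOCATIONS:
        score += 1
    if req.customer_country is not None and req.customer_country != "AU":
        score += 1
    if req.failed_auth_attempts >= 3:
        score += 2
    if req.anomalous_velocity:
        score += 2
    return score


def evaluate(req: CdrRequest, stats: RefusalStats) -> str:
    """Serve or refuse the request, recording every refusal for reporting."""
    if risk_score(req) >= REFUSAL_THRESHOLD:
        # The request was received and is otherwise valid, so the refusal
        # is counted in the refusal statistics rather than silently dropped.
        stats.refused["risk_based_refusal"] += 1
        return "refused"
    stats.served += 1
    return "served"


def refusal_report(stats: RefusalStats) -> dict:
    """Summary a data holder could feed into its periodic reporting."""
    return {
        "served": stats.served,
        "refused_total": sum(stats.refused.values()),
        "refused_by_reason": dict(stats.refused),
    }


if __name__ == "__main__":
    s = RefusalStats()
    # Constructed sample requests: non-Australian but otherwise clean traffic
    # is served; location combined with repeated auth failures is refused.
    print(evaluate(CdrRequest("r1", "US", "US", 0, False), s))
    print(evaluate(CdrRequest("r2", "ZZ", "ZZ", 0, False), s))
    print(evaluate(CdrRequest("r3", "ZZ", None, 3, False), s))
    print(refusal_report(s))
```

The design point is the separation of concerns: the scoring function may weigh location as heavily as the organisation's risk appetite allows, but the decision function only ever refuses on the combined score, and every refusal passes through the statistics counter so reporting cannot drift from enforcement.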
Comments
1 comment
This guidance is incorrect. If a provider blocks a request at its border, the request is not received and therefore is not reportable. Sanctioned countries, for instance, are typically blocked at the edge, well before it is identified as a CDR request.
This is clarified in the ACCC compliance guide: https://www.cdr.gov.au/sites/default/files/2024-06/Compliance-guide-for-data-holders-in-the-banking-sector-published-25-06-2024.pdf
"‘Received’ means the request for CDR data reached the data holder’s system and the data holder can provide a response to the request."