This question relates to Part 7 – Rules relating to privacy safeguards, section 7.2.1.
According to this rule, a Data Holder (DH) will need to include details of the complaints process on the Consumer Data Right (CDR) policy. We are already required by RG165 to provide details of our complaints process online.
Wanted to clarify if the following details need to be explicitly stated on the CDR policy OR whether we can refer customers to our generic complaints process that includes the details below?
(6) In addition to the information referred to in paragraphs 56ED(4)(b) and (5)(d) of the Act, a CDR participant’s CDR policy must include the following information in relation to the participant’s internal dispute resolution processes:
(a) where a CDR consumer complaint can be made;
(b) how a CDR consumer complaint can be made;
(c) when a CDR consumer complaint can be made;
(d) when acknowledgement of a CDR consumer complaint can be expected;
(e) what information is required to be provided by the complainant;
(f) the participant’s process for handling CDR consumer complaints;
(g) time periods associated with various stages in the CDR consumer complaint process;
(h) options for redress;
(i) options for review, both internally (if available) and externally.
Note: This sub-rule is a civil penalty provision (see rule 9.8).
Thank you for your question about the level of detail required in a CDR Policy in relation to internal dispute resolution processes under Privacy Safeguard 1. The CDR Policy must detail each of the matters set out under CDR Rule 7.2(6) regarding the internal dispute resolution process (including specific details on where, how and when a complaint can be made, the complaint process, expected time-frames and options for redress and review).
The aim of setting out each of these matters within the CDR Policy is so that it functions as a stand-alone document for consumers on how their CDR data is managed and how they can make an inquiry or complaint. While there may be other generic complaints processes in place which you may wish to refer to, the CDR Policy must still provide specific and centralised information on how you will handle complaints about CDR data. This will assist consumers in the event they think you may not have met your CDR-related obligations. There is further guidance on what is required in a CDR Policy in the OAIC’s Guide to developing a CDR policy and Chapter 1 of the Privacy Safeguard Guidelines.