Question
For the purposes of protecting consumers, and in cases where an accredited data recipient (ADR) is known to be behaving inconsistently with the CDR Rules, is it appropriate to blacklist the ADR? Is this approach consistent with rule 4.7(1)(b)(ii)?
Answer
Rule 4.7(1) allows a data holder to refuse to ask for authorisation in relation to relevant CDR data, or to refuse to disclose that data.
There are three cases in which a data holder can do this, namely where:
- it (1) considers it necessary to prevent physical or financial harm or abuse; or
- it has reasonable grounds to believe that disclosure of some or all of the data would adversely impact the security, integrity or stability of either (2) the Register or (3) the data holder's information and communication technology systems.
We consider that if a data holder was satisfied that one or more of the three cases outlined above was persistent in relation to a request for disclosure to a particular ADR, taking account of all the circumstances, it may have grounds to refuse to ask for authorisation or to disclose for a period of time.
However, it is important to note that data holders should not go beyond the provisions outlined in the rules. We therefore would not expect a data holder to consider factors beyond those set out under the rules, and we would not generally expect a data holder to pre-empt a decision from the Data Recipient Accreditor as to the status of an ADR.
Additionally, a data holder’s reporting obligations may still apply in respect of the ADR’s requests, even if the data holder considers the request may be refused in accordance with the rules, and we would expect these obligations to be met.
Finally, if you are concerned that a CDR participant is behaving contrary to the rules, you may wish to use the 'make a report' link at https://www.cdr.gov.au/contact-us or, alternatively, email your concerns to ACCC-CDR@accc.gov.au.