Who needs accreditation?
Any person, in Australia or overseas, who wishes to collect and/or use CDR data to provide products or services to consumers under the CDR regime must be accredited as a data recipient. Accredited persons may both collect a CDR consumer’s data from a data holder and use the collected CDR data to provide products or services. Accredited persons can only act at the request of, and with the consent of, the consumer.
The CDR Rules currently require any person collecting CDR data from a data holder to be accredited, even if they are only collecting this data on behalf of another accredited person. Therefore, if an accredited person plans to use a vendor to collect data, the vendor must be accredited. This may necessitate accreditation of more than one entity in a corporate group. Accredited persons can use a non-accredited third party (an outsourced service provider) under a CDR outsourcing arrangement. Such an arrangement allows an accredited data recipient (ADR) to disclose CDR data to the outsourced service provider for the purposes of providing goods or services to the ADR using the CDR data. Rule 1.10 of the CDR Rules sets out what a CDR outsourcing arrangement is, and the obligations that an outsourced service provider must comply with.
The Consumer Data Right Rules set out the criteria that the ACCC, as Data Recipient Accreditor, will apply when considering an application for accreditation. Once accredited, an accredited person must comply with ongoing obligations to maintain accreditation. Further details about accreditation criteria and how to apply for accreditation are available in our Accreditation Guidelines.