Welcome to the Consumer Data Right Support Portal

Check out our guides, browse through our FAQs, and post your own questions for Support.

New to the Consumer Data Right? Learn more

WAF records Follow

Avatar
ACCC Regulatory Guidance
  • Created:
  • Last edited:
  • Updated

Question

Based on rules 9.3(1)(e), 9.3(3) and 9.3(5) highlighted below a data holder would be required to keep logs of instances where CDR data has not been disclosed in reliance of an exemption from the obligation to disclose for 6 years.

It is understood that this exemption would include where the data holder protects its system from malicious behaviour or high volumes (aligned to the NFRs) which would risk its platforms. Given these controls are generally performed at the first entry point to a data holder like a web application firewall (WAF), the data within these logs would be subject to the security controls of the regime. Does keeping the full log detail of these requests hold any value? At the point of capture the detail in this log cannot be tied back to a particular customer as the only thing that is present is a short lived access token which won’t have relevance to the customer until exchanged in the data holder's IDP.

These records are valuable in assisting construct counts for the reports and metrics endpoints, but is the whole record mandatory or could the data holder just keep a collection of the aggregated count information?

There is also some concern from security teams over the nature of the data in these logs which may indicate attack information or potential threat vectors and this information should only be kept for a period of time (12-18 months) and then purged from the records.

CDR Rule 9.3 - Records to be kept and maintained

(1)A data holder must keep and maintain records that record and explain the following:

(d) disclosures of CDR data made in response to consumer data requests;

(e) instances where CDR data has not been disclosed in reliance on an exemption from the obligation to disclose CDR data;

Specificity of records

(3) Each record referred to in this rule must include the date and time when the record was made and, if applicable, the date and time when the event described by the record occurred.

Period for retention of records

(5) Each record referred to in this rule must be kept for a period of 6 years beginning on the day the record was created.

Answer

Rule 9.3(1)(e) requires data holders to maintain records that record and explain instances where CDR data has not been disclosed in reliance on an exemption from the obligation to disclose CDR data.

In terms of maintaining the necessary records for rule 9.3(1)(e), we expect that the record log will contain the following minimum information for each instance where a data holder has not disclosed CDR data in reliance on an exemption from the obligation to disclose: the relevant exemption relied upon to refuse to disclose, as well as the date and time the relevant exemption was relied upon. We do not expect such record logs to contain information that would compromise the security of a data holder’s systems.

Rule 9.3(5) requires each record required to be kept under rule 9.3 for a period of 6 years beginning on the day the record was created.

Comments

0 comments

Please sign in to leave a comment.