Questions

1. If an applicant already has an information security policy and a privacy policy is a separate Consumer Data Right policy required?
2. What format should the Consumer Data Right policy be in? Does it have to be a document or can it be another format?
3. Does the Consumer Data Right policy need to be accessible via all online channels or just those channels that Consumer Data Right consumers will be using for Consumer Data Right activities?

Answers

1. Applicants must have a CDR policy in the form of a document that is distinct from any existing privacy or information security policy (as per rule 7.2(2) of the CDR Rules). Any document prepared for the purpose of an accreditation application must specifically address CDR requirements as set out in the CDR Rules and Accreditation Guidelines, including the OAIC’s guidance on Privacy Safeguard 1.
2. Rule 7.2(2) of the CDR Rules states that a CDR policy must be in the form of a ‘document’. Applicants must, however, be able to provide hard copies of their CDR policies if requested to do so (see clauses 7.2(2), 7.2(8) and 7.2(9) of the CDR Rules). Please see section 4.3.1 of the Accreditation Guidelines and the OAIC's Guide to developing a CDR policy for more information on CDR policy requirements.
3. A CDR participant must make its CDR policy readily available through each online service which a CDR participant ordinarily deals with CDR consumers (see clause 7.2(8) of the CDR Rules). For example, if a CDR participant ordinarily deals with CDR consumers through internet banking as a channel, then the CDR policy must be available through that channel.