Questions

1. If an applicant already has an information security policy and a privacy policy is a separate Consumer Data Right policy required?
2. What format should the Consumer Data Right policy be in? Does it have to be a document or can it be another format?
3. Does the Consumer Data Right policy need to be accessible via all online channels or just those channels that Consumer Data Right consumers will be using for Consumer Data Right activities?

Answers

1. Applicants must have a CDR policy distinct from any existing privacy or information security policy (as per rule 7.2(2) of the CDR Rules). Any document prepared for the purpose of an accreditation application must specifically address CDR requirements as set out in the CDR Rules and guidelines, including the OAIC’s guidance on Privacy Safeguard 1.
2. Rule 7.2(2) of the CDR Rules states that a CDR policy must be in the form of a ‘document’. Applicants must, however, be able to provide hard copies of their CDR policies if requested to do so (see clauses 7.2(2), 7.2(8) and 7.2(9) of the CDR Rules). Please consult section 5.4 of the Accreditation Guidelines for more information on CDR policy requirements.
3. Access to the CDR policy must be provided via each online service through which a CDR participant deals with CDR consumers (see clause 7.2(8) of the CDR Rules). If a CDR participant deals with CDR consumers through a particular channel, such as internet banking, then the CDR policy must be available through that channel.