What is privacy safeguard 11 and what does it require of data holders?

Privacy safeguard 11 (section 56EN of the Competition and Consumer Act) relates to the quality of data and the steps data holders and ADRs must take to ensure the CDR data disclosed is accurate, up to date and complete (‘correct’, for the purposes of this note). 

Under the safeguard, if data holders become aware that CDR data disclosed was incorrect, they must advise the consumer via a written notice. Rule 7.10 requires the written notice to identify the ADR/s to whom the incorrect data was disclosed, the date of the disclosure/s, and the data that was incorrect. The notice must also advise the consumer that they can request data holders to disclose corrected data to ADRs. Data holders must provide this notice as soon as practicable, and it must be within five days after they become aware the data disclosed is incorrect.

Data holders must disclose the corrected CDR data to the ADR/s if the consumer requests.

If a consumer’s authorisation was for a single occasion only, the re-disclosure of corrected data from a data holder to an ADR would not be permitted without an additional consumer request. However, a data holder would be authorised to re-disclose corrected data to an ADR without a correction request from the consumer where an authorisation was still active, provided the data holder complies with the usual authorisation requirements under Division 4.4 of the Rules.

The OAIC has published guidance on privacy safeguard 11 which provides further detail.

Approach to compliance – how to comply with privacy safeguard 11

The requirement for data holders to disclose corrected data to an ADR if a consumer requests is facilitated by the standards but only if the data holder is responding to a request from an ADR. Otherwise, in applying the standards, a data holder is technically unable to disclose data without first receiving a request from an ADR to do so.

Therefore, as an interim measure, if seeking to re-disclose the data via the standards, we recommend that data holders inform consumers that if the consumer wants the corrected data to be resent to an ADR, the consumer will need to ask the ADR to make a new request to the data holder to collect the corrected data.

Compliance and proposed legislative amendment to privacy safeguard 11

The approach to data holder compliance with privacy safeguard 11 above raises compliance issues, as data holders are obliged to disclose corrected data when requested to do so by consumers. The above interim measure means that a data holder may not be able to meet this obligation under section 56EN(4), in the absence of cooperation of the relevant ADR (and the consumer).

To resolve this issue, Treasury introduced legislation which was passed on 10 December 2020, whereby if a CDR consumer requests corrected data be disclosed, a CDR participant will need to comply with the request by disclosing the corrected data in accordance with the rules. However, no such Rules have been made as at August 2024.

In developing the applicable rules, the intention is to determine an appropriate and optimum process for how these re-disclosures should occur. For example, to determine whether technical data standards that would enable data holders to disclose data without a request are warranted, or whether less time consuming/costly solutions are available.