This information is for guidance only and should not be considered legal advice. Always consult with legal counsel and refer to the official CDR Rules and Standards for authoritative guidance.
CDR Data Fundamentals
What is a Consumer data request?
Consumer data requests are made by an accredited person to a primary data holder. The requests are made using the data holder’s consumer data request service. Consumer data is either required or voluntary.
Accredited persons can request the CDR consumer’s required consumer data, voluntary consumer data, or both from the data holder. The data holder must disclose any requested required consumer data to the accredited person who made the request. The data holder may (but is not required to) disclose the voluntary consumer data that it is authorised to disclose.
What is a complex request?
If a consumer data request is made on behalf of a secondary user, or it relates to a joint or partnership account, as a nominated representative, or a large customer (in the case of Energy including commercial and industrial customers (C&I customers)), it will be considered a complex request.
A large customer of an energy retailer is a customer that is ‘large’, i.e. a customer that is not a relevant customer, for the purposes of the Electricity Industry Act 2000 (Vic) (the Victorian Act) or the National Energy Retail Law (NERL).
What's the difference between the Consumer Data Right Rules and the Consumer Data Standards?
The CDR is legislated through the CDR Rules, which define the elements for consent, outline the accreditation framework and elaborate on the privacy aspects of the scheme.
The Standards set out the technical requirements for sharing data under CDR. Under the CDR Rules, data holders must comply with the Standards.
Getting Set Up with Fiskil
What obligations does Fiskil handle, and what obligations do data holders need to address?
Fiskil helps with the following bank or energy retailer obligations:
- Disclosing consumer data
- Reporting at scheduled intervals (see ‘What are data holder reporting requirements?’)
- Keeping appropriate records (see ‘What are data holder record-keeping requirements?’)
- Complying with most of the relevant privacy safeguards
- Establishing dispute resolution arrangements (see ‘What are data holder Dispute Resolution requirements?’)
- Complying with some of the relevant privacy safeguards, like having a CDR policy (see ‘What are CDR Policy requirements?’)
What are CDR Policy requirements?
Data holders must have a CDR policy that is separate from any existing privacy or information security policy. The policy needs to be available to consumers free of charge and in their preferred format (hard copy or digital).
For more information on the required format and contents for a CDR policy, see the OAIC’s Guide to developing a CDR policy. Data holders must take reasonable steps to establish and maintain internal practices, procedures and systems to ensure they are complying with their obligations under CDR (Privacy Safeguard 1).
For more information, see Section 8 of the Compliance guide for data holders or Rule 7.2 in the CDR Rules. See also: Privacy Safeguard 1 - CCA, section 56ED.
What are data holder dispute resolution requirements?
Internal Dispute Resolution
Banks and energy retailers must have an Internal Dispute Resolution (IDR) process. It must meet the bank’s or energy retailer’s standard complaints and dispute resolution rules, satisfying APRA, NERL or Energy Retail Code (Victoria). From November 2022, this entails creating, publishing, and updating procedures for handling small customer complaints, aligning with AS ISO 10002-2006.
These rules apply only to complaints from CDR consumers, not other industry players. The complaint-handling process covers all CDR consumer complaints, including those about consumer data. While it doesn’t extend to industry players’ complaints, CDR participants should reasonably manage all complaints.
The ACCC can review complaints from all other CDR participants.
External Dispute Resolution
An energy retailer data holder must be a member of the relevant state or territory energy and water Ombudsman scheme. The Ombudsman schemes are:
- Energy and Water Ombudsman (NSW) Limited
- Energy and Water Ombudsman (Victoria) Limited
- Office of the Energy and Water Ombudsman (Queensland)
- Energy and Water Ombudsman (SA) Limited
For more information, see Section 7.1 of the Compliance guide for data holders or Rule 9.3 in the CDR Rules for internal dispute resolution, and Rule 6.2 and Schedule 4, clause 5.2 in the CDR Rules for external dispute resolution.
What are data holder record-keeping requirements?
CDR Rule 9.3 mandates data holders to maintain records of:
- Consumer data sharing authorisations, amendments, and withdrawals
- Notifications of consent withdrawals
- Primary data holder’s requests for Shared Responsibility (SR) data from secondary data holders, with responses
- Secondary data holder’s SR data requests from primary data holders, with responses or reasons for refusal
- Disclosures of CDR data in response to consumer requests
- White labelled product data disclosure agreements
- Instances of refusing CDR data disclosure with relevant grounds
- CDR complaint data including received, resolved complaints and resolution times
- Processes for obtaining consumer data authorisation, recorded via videos or alternative visuals
For more information, see Section 9 of the Compliance guide for data holders or Rule 9.3 in the CDR Rules.
Customer Consents
How can a customer remove a consent?
One of the key elements of consent in the CDR is that it can be easily withdrawn (see rule 4.9). Data holders must allow consumers to withdraw their authorisation at any time by:
- Using the consumer dashboard; or
- Using an alternative method of communication, which must be simple. In addition, it:
  - Should be accessible and straightforward for a consumer to understand and use, and
  - May be written or verbal (such as through a telephone helpline). Where it is written, the communication may be sent by electronic means (such as email) or non-electronic means (such as by post).
When a consumer withdraws consent
When a consumer withdraws their consent by an alternative method of communication, the data holder must:
- Stop sharing the consumer’s data as soon as possible — at most within 2 business days of receiving the communication.
Fiskil’s approach
If for any reason the customer cannot access the consumer dashboard, the data holder can revoke the consent on the customer’s behalf by lodging a support ticket on Fiskil’s Jira Service desk. Support to revoke consent on the Administration Console is coming soon.
Fiskil will notify any relevant accredited data recipient of the withdrawal in accordance with the Standards.
Reporting Requirements
What are data holder reporting requirements?
Biannual Reporting
Data holders must submit CDR reports twice a year to the ACCC and OAIC.
| Reporting Period | Report Due By |
|---|---|
| 1 January - 30 June | 30 July |
| 1 July - 31 December | 30 January |
Key Points
- Data holders’ reporting begins when sharing consumer data under CDR Rules starts. Earlier sharing leads to earlier reporting, with Pilot phases also counted.
- The report required by rule 9.4 is submitted to the ACCC and the OAIC via the CDR Participant Portal.
- These online reports provide specific data, excluding plan data requests for energy retailers. Information must be current at the last day of the relevant reporting period.
- Data holders that have multiple brands must submit a single report containing aggregated data that covers all their brands.
Reporting Form Sections
| Section | Summary | Provided by |
|---|---|---|
| CDR complaint data summary | CDR complaint data for a data holder includes: • Total CDR consumer complaints received • Categorisation of CDR complaints (per data holder’s systems) • Total resolved CDR consumer complaints • Average days for internal dispute resolution • CDR complaints referred to external resolution • CDR complaints resolved externally • CDR product data complaints received, reported individually | Data Holder |
| CDR data requests received | The report mandates separate counts for: • Product data requests • Direct consumer data requests • Accredited persons’ consumer data requests on behalf of consumers. ‘Received’ means requests reached the data holder’s system with potential responses. The report should cover ‘successful’ and ‘unsuccessful’ CDR data requests, including rejected ones due to exceeded traffic thresholds. | Fiskil |
| Refusals to disclose CDR data | Data holders typically share required data upon valid requests, though refusals are possible in certain cases. Refusals must be communicated to the requester, using data standards error codes. Permissible refusal cases are identified via HTTP error codes. For example, refusal of a request that may cause physical, psychological, or financial harm or abuse is shown by HTTP error code ‘403 Forbidden’. | Fiskil |
For more information on complaint data, see Section 10.1.2 of the Compliance guide for data holders.
Report Submission
A primary business contact, authorised business contact, primary IT contact or an authorised IT contact can submit the report form by logging in to the Participant Portal at https://portal.cdr.gov.au. Select ‘Organisation’ from the top navigation menu, then ‘Reports’ from the left side navigation pane.
For more information, see Section 11 of the Participant Portal User Guide.
Additional Resources
For comprehensive guidance on CDR compliance, refer to:
- CDR Rules
- Consumer Data Standards
- ACCC CDR Compliance Guide for Data Holders
- OAIC CDR Privacy Safeguard Guidelines
- CDR Participant Portal
This FAQ is regularly updated to reflect changes in CDR requirements. For the most current information, always refer to the official CDR Rules and Standards.