The OAIC has released new guidance explaining the key privacy obligations relating to how CDR disclosures should be given to “trusted advisers”, including mortgage brokers.
Following on from the changes to the Consumer Data Right (CDR) system that will allow consumers to use the CDR to share their data with “trusted advisers” in order to receive advice or a service, the Office of the Australian Information Commissioner (OAIC) has now released further guidance on how this should be handled.
Trusted advisers include people such as lawyers, accountants, financial advisers, tax agents and mortgage brokers (within the meaning of the National Consumer Credit Protection Act 2009).
As per the updated rules, the disclosure of CDR data to a trusted adviser will not be permitted until the earlier of 1 February 2022, or the day the Data Standards Chair makes a consumer experience data standard for the disclosure of CDR data to trusted advisers.
The OAIC guide outlines that a consumer can nominate certain people as their “trusted advisers” and provide consent for an accredited data recipient (ADR) to share data with that adviser, so that they can receive advice or a service.
It specifies that an ADR cannot make the nomination of a trusted adviser, the nomination of a particular person as a trusted adviser, or the giving of consent to disclose data to a trusted adviser, a condition for the supply of the goods or services.
What an ADR needs to do when sharing data
According to the guide, once the ADR receives consent from the consumer (known as a TA disclosure consent), the data recipient must take “reasonable steps” to confirm that the person was, and remains, a member of the class and keep records of the steps it took to do so. This may include checking a public register, asking them to provide proof of membership or requesting a contractual warranty, attestation, representation or statutory declaration from the trusted adviser that they belong to the relevant class.
The guide outlines that while the “reasonable” test is objective, it may vary depending on the nature of the data being disclosed. For example, the OAIC outlines that more rigorous steps may be required as the amount and/or sensitivity of CDR data to be disclosed increase, and if the consumer has only known the trusted adviser for a short time.
The OAIC guide outlines that it would also be “good practice” for ADRs to verify the trusted adviser’s status at regular intervals, for example once every 12 months, in order to ensure they are still a member of the relevant class.
Further, it said it would be “prudent” for ADRs to take steps to verify the trusted adviser’s status before any further disclosures of CDR data are made should they become aware that they may no longer be operating in that profession.
Once the ADR has the consent of the consumer to share their data with their trusted adviser, and information has been shared, the ADR will then be required to update the consumer dashboard, according to the guide.
The consumer dashboard must be updated “as soon as practicable” and outline:
- What CDR data was disclosed
- When it was disclosed
- Who the trusted adviser was
Information should also be listed in the consumer’s dashboard detailing that the consumer can request copies of these records and how to do so.
The ADR is also obliged to keep and maintain records when it discloses CDR data to a trusted adviser that explain:
- Disclosures of CDR data to the trusted adviser
- Who the trusted adviser is
- Any steps it took to confirm that the adviser is a member of a class of professions listed as a trusted adviser
Regular reports will also need to be submitted to the Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC), which include information about the number of TA disclosure consents received and the number of trusted advisers in each class to whom they disclosed CDR data.
What brokers should do
While trusted advisers are not CDR participants (and therefore not subject to the privacy safeguards or other obligations that apply under the CDR system), the OAIC suggests that trusted advisers should “still consider their professional obligations” (such as best interests duties) in relation to their handling of a consumer’s data.
“As a matter of best practice, trusted advisers who receive CDR data should ensure that they handle that data transparently and in a way that the consumer would expect,” the OAIC guide read.