Wed, 22 Nov 2023

Requirements for a company’s CDR Policy

If your company wishes to participate in the Consumer Data Right (CDR) and harness all the opportunities that the CDR offers, it must have a CDR policy.

What is required in a company's CDR policy?

A CDR policy sets out how your company stores, uses and discloses CDR data. There are specific requirements for what a CDR policy must include. In this blog post, we set out a checklist of all the requirements that you must tick off in your company’s CDR policy.

What information must be included in a CDR policy?

If you are an accredited data recipient (ADR), your company’s CDR policy must include the following categories of information:

  1. What CDR data is held by your company;
  2. How the CDR data is held;
  3. The consumer complaints process;
  4. Information about access to and correction of CDR data;
  5. What purposes the CDR data is used for;
  6. Who the CDR data may be disclosed to;
  7. If your company stores CDR data overseas, information about overseas storage practices;
  8. When consumers will be notified about certain events;
  9. What happens if a consumer withdraws consent in relation to the collection of their CDR data;
  10. Deletion of CDR data; and
  11. De-identification of CDR data.

Checklist of requirements for your company’s CDR policy

  • Complaints process:
      • Does the policy state where, how and when a complaint can be lodged?
      • Does the policy state when a consumer should expect an acknowledgment of their complaint?
      • Does the policy state the information that the consumer needs to provide when making a complaint?
      • Does the policy outline the process for handling consumer complaints?
      • Does the policy outline the time periods associated with various stages throughout the complaints process?
      • Does the policy state the options for redress?
      • Does the policy state the options for review (both internally, if available, and externally)?
  • Classes of data held:
      • Does the policy state the classes of CDR data you hold or have held on behalf of the consumer?
      • Does the policy state how CDR data is held?
  • Purpose of data handling: Are the purposes for which you collect, hold, use or disclose the CDR data with the consent of the consumer made clear?
  • Disclosure:
      • If your company discloses CDR data to outsourced service providers (OSPs), does your CDR policy include a list of all the OSPs to which information may be disclosed?
      • If you are likely to disclose CDR data to any accredited data recipients located overseas, does your CDR policy state this fact and include the countries where they are likely to be located?
  • Access to data: Does the policy provide information about how a consumer may access their CDR data?
  • Correction requests: Does the policy provide specific details about how a consumer may correct their CDR data?
  • Voluntary Consumer Data:
      • Does the policy state whether you accept requests for voluntary consumer or product data?
      • If so, are details about how fees can be obtained also provided?
  • Withdrawal of consent: Does your policy include a statement explaining the consequences to the consumer if they withdraw their consent to collect or use CDR data?
  • Storage: Does your policy provide a list of countries where you intend to store CDR data other than in Australia or an external territory?
  • Notification: Does your policy contain information about when and in which circumstances you will provide a notification to the consumer?
  • Deletion of CDR data:
      • Does your policy include information about the circumstances in which you delete redundant data?
      • Does your policy include information about how a consumer may elect for their redundant data to be deleted, including how the election operates and the effect of an election?
      • Does your policy include information about how you delete redundant data?
  • De-identification of CDR data:
      • Does your policy include information about the circumstances in which you must de-identify CDR data at a consumer’s request?
      • If you have a general policy of de-identifying redundant data, does your CDR policy include information about the specified matters, including how de-identified redundant data is ordinarily used?
      • If you intend to de-identify CDR data that is not redundant, does your CDR policy include information about the specified matters, including how you use de-identified CDR data to provide goods and services to consumers?

If you’d like to learn more about the accreditation process and how to get your company accredited, get in touch with us at Fiskil. Don't want to become accredited? Become a long-term partner of Fiskil.
