As an Accredited Data Recipient (“ADR”) in the consumer data right (“CDR”) environment, illion Open Data Solutions Pty Ltd (“illion”) [accreditation number ADRBNK000017] recognises the importance of protecting CDR information.

illion provides a means for individuals to share their information from a nominated organisation (the “Data Holder”) with an accredited data recipient (the “Data Recipient”) or a Trusted Adviser at no cost to the individual. There are many reasons why an individual may want to share their information held by one organisation with another; these include:

  • assisting them to provide relevant information to a mortgage broker for the purpose of considering mortgage or credit options (where the mortgage broker is named as the individual’s Trusted Adviser); or
  • assessing a credit application where the Data Holder is the individual’s financial service provider and the Data Recipient is the potential lender; or
  • supplying information to a Mobile App that may provide a budgeting or money management service.

In providing this service, illion assists in classifying the information to make it more meaningful for the Data Recipient/Trusted Adviser. illion may then retain CDR information in a deidentified form after it has been shared with the correct party (when it becomes redundant), but only if authorised by the individual.

The type of information that may be shared includes:

  • information about the individual such as their name, address and contact details;
  • information about the use of a product by an individual such as banking transaction data;
  • information about the use of a product by an individual such as the terms and conditions or type of product being used.

The most important requirement under CDR is that the individual is able to choose the type of information to be shared and is able to withdraw their consent when they no longer want the data to be shared with, or held by the Data Recipient.

This Policy outlines illion’s practices in relation to CDR.

 

Access, Correction or Deletion

As noted above, illion does not retain CDR information in an identifiable form. If individuals need to access, correct or delete their CDR information, they will need to make this request to either the Data Holder, the Data Recipient or the Trusted Adviser (depending on who holds the information requiring access/correction/deletion). If an access, correction or deletion request about CDR information is made to illion, then illion may need to direct the individual to the organisation that is best able to assist with the request.

illion invests heavily in data and information security controls that allow it to monitor and protect the information it holds. Even so, if a data breach were to occur, illion will enact its Data Breach Response Plan and notify relevant parties in accordance with its notification obligations.

illion will retain records that allow it to track activities such as consents, consent withdrawal and data sharing in accordance with its obligations. These are referred to as service logs and record various actions but do not contain the actual CDR information.

 

Complaint management

While we aim to address matters quickly and efficiently, we understand there are times when things may go wrong and there may be a need to raise a complaint. As noted above, it is important to be aware that the CDR services provided by illion may involve a number of parties, being:

  1. the Data Holder – this is the organisation that holds the information and that is being requested to share it with another party (for example, the financial service provider);
  2. illion Open Data Solutions – illion facilitates the transfer of information from the Data Holder to a Data Recipient or Trusted Adviser in accordance with the individual’s instructions and consent;
  3. the Trusted Adviser – this is a party that is permitted under CDR rules to receive information to provide advice or services to an individual (this includes the likes of mortgage brokers, accountants, solicitors, tax agents and financial counsellors);
  4. the Data Recipient – this is an organisation permitted under CDR rules to receive the requested information from the Data Holder (for example, a lender assessing a loan application).

While illion is located in Australia we note that it is possible that a Data Recipient or Trusted Adviser may use service providers located overseas or allow data they receive to be used or held overseas (please refer to the CDR or Privacy Policy of the Data Recipient/Trusted Adviser for details on this).

It is important to ensure that any complaint is directed to the correct party and all relevant information is supplied to ensure it is able to be fully addressed.

If a complaint relates to the service provided by illion, such as the manner in which illion has classified the data, it may be beneficial to complete the Online Form to ensure all relevant information is provided. This should include the name, contact details, the nature of the information shared and who it was shared by (Data Holder) and shared with (Data Recipient or Trusted Adviser).

If a complaint relates to the nature or content of CDR information, then illion may need to refer the matter to either the Data Holder / Data Recipient / Trusted Adviser (as relevant), as illion may not be able to respond to the substance of the complaint. If this is the case, illion will advise of this.

If the complaint relates to illion’s actions directly please contact us using these contact details:

Attention to: Complaints
Company: illion Open Data Solutions
Postal Address: PO Box 7405
St Kilda Rd Melbourne VIC 3004
Email: complaints@illion.com.au
Phone: 13 23 33

As per illion’s complaint handling policy we will address complaints as quickly and efficiently as possible. We encourage any concerns to be raised to us as soon as they are identified in order for us to be able to respond appropriately and avoid a matter escalating unnecessarily. We will endeavour to acknowledge receipt of a complaint within two business days and then provide a written response within 30 days (provided we have all necessary information). In cases where further information, assessment or investigation is required, we will seek to agree on an acceptable alternative time frame.

The outcome of a complaint is highly reliant on the nature of the issue and how/when it arose, but may include an apology for a disruption or shortcoming in the service provided by illion or resupplying the service. If a complaint relating to illion’s actions continues to be unresolved or is not resolved satisfactorily, there may be the option to refer the matter to:

  • the Australian Financial Complaints Authority (AFCA). AFCA is a free and independent complaint resolution service that may be available to individuals and small businesses using iODS; or
  • the Office of the Australian Information Commissioner (OAIC).

Please note all organisations in the CDR process (Data Holders / Data Recipients and Trusted Advisers) will be members of AFCA or a similar external dispute resolution scheme.

 

Third Party Service Providers

illion uses services from third parties in order to provide its services. The services provided by these third parties include:

  • Network infrastructure providers – who provide computing hardware and services that allow us to develop and provide our products;
  • Data Centre providers who store large volumes of data in a safe and secure manner in order to protect the information illion is responsible for;
  • Cloud Service Providers that allow information to be stored safely and allow for secure access.

These service providers are located in Australia. They are not authorised Data Recipients under CDR rules and only provide very specific services to illion.

It is important to note these service providers are not permitted to share or use any CDR or illion information.

 

Notifications about certain events

As part of CDR it is important that individuals are aware of specific events including:

  • when consent is given to collect, use and/or disclose their CDR information;
  • when consent is amended or withdrawn;
  • when collection of an individual’s consumer CDR information will occur;
  • when disclosure of an individual’s consumer CDR information will occur;
  • details of an individual’s ongoing consent (where consent is not for a singular share request) including expiry or amendment of a consent; and
  • any response to an individual’s complaint, correction or request to delete or deidentify their information.

When providing the initial consent, the individual will receive confirmation of giving consent and the nature of the consent; they will then receive confirmation that the information has been collected from the Data Holder and disclosed to the Data

illion may provide its services as an:

  • Accredited Data Recipient, in which case illion will provide the notifications throughout the consent process using email notifications and/or our consumer dashboard. [The consumer dashboard is an online service that allows an individual to perform functions in the CDR environment such as to: i) withdraw consent to collect, use and disclose CDR information or ii) request that redundant data be retained or deleted at any time.]
  • Outsourced Service Provider, in which case illion’s client will be the principal and may provide the relevant notifications including providing the relevant consumer dashboard.

If a situation arises where an eligible data breach occurs that satisfies the Notifiable Data Breach obligations involving CDR information, illion will advise those impacted of this in accordance with the regulatory obligations.

 

Consent management

Consent to transfer CDR information from a Data Holder to a Data Recipient or Trusted Adviser can be either singular (once-off) or ongoing (continuing for a period up to 12 months).

Singular use consent. This will allow the transfer of CDR information once only for a specific purpose (e.g. transferring bank transaction information such as income / expenses from the Data Holder to the Data Recipient to allow the Data Recipient to assess a loan application).

Ongoing use consent. This will allow for CDR information to be shared regularly (e.g. for a budget management app or managing a banking relationship) for a maximum period of 12 months unless the consent:

(a) is established for a shorter period; or

(b) is withdrawn earlier.

If the consent is withdrawn, or expires (after the maximum period of 12 months), then the service (such as the budgeting app) will no longer be available. In order for the service to continue or be reinstated, the consent will need to be renewed. Consent can be withdrawn at any time (it does not have to be retained for any prescribed period); this can be done by making the necessary changes in the Consumer Dashboard.

illion will only allow the sharing of information that is specifically consented to by the individual, with the consent setting out the Data Holder, Data Recipient/Trusted Adviser and type of information to be shared. The details of the information shared will be retained on the Consumer Dashboard; this will include:

(a) what CDR information was collected;

(b) when the CDR information was collected; and

(c) the Data Holder / Data Recipient or Trusted Adviser involved in the sharing of the CDR information.

illion will retain records that allow it to track activities such as consents, consent withdrawal and data sharing in accordance with its.

If you require a free, printed copy of this policy, or have any enquiries relating to this policy or illion Open Data Solutions please contact us at: odssupport@illion.com.au.

 

Policy version February 2024