As an Accredited Data Recipient (“ADR”) in the consumer data right (“CDR”) environment illion Open Data Solutions Pty Ltd (“illion”) [accreditation number ADRBNK000017] recognises the importance of protecting your CDR information.

This policy outlines how we collect, hold, use and disclose data that you consent to share with us under the CDR, the type of information that may be shared, how you can request updates, withdrawal of your consent, when your data will be deleted, when you will be notified of certain events, and how you can make a complaint about the handling of your data. This policy is distinct from our Privacy Policy. Please refer to that policy for how we handle your personal information.

Collection, use and disclosure of your information

illion provides income and expense categorisation and transaction scoring services to businesses. On the request of the business that is providing goods or services to you and with your consent, illion will, on your behalf, make a request to share your account information such as your account type and transaction information from the nominated organisation that holds your information (the “Data Holder”) with either:

  1. an accredited data recipient who is a fully participating member within the CDR regime (to identify participating members please refer to the Consumer Data Right website https://www.cdr.gov.au/find-a-provider ); or
  2. a Trusted Adviser who is a person that belongs to a defined class listed in Rule 1.10C(2) of the CDR Rules such as a mortgage broker , qualified accountant, practising solicitor, registered tax agent, financial adviser, or financial counsellor, who has been engaged to provide professional services to you. Please note that a Trusted Advisor must be expressly nominated by you to receive the information.

The accredited data recipient and Trusted Adviser will be collectively referred to as the Data Recipient in this document. The service provided by illion is at no cost to you.

There are many reasons why an individual may want to share their information with a Data Recipient. This includes, but is not limited to:

  • assessing the individual’s credit application; or
  • providing relevant information to a mortgage broker for the purpose of obtaining a mortgage or other credit (where the mortgage broker is named as the individual’s Trusted Adviser);
  • receiving financial advice, taxation advice or other professional services from a nominated Trusted Adviser; or
  • supplying information to a Mobile App that may provide budgeting or money management services.

Third Party Service Providers

To provide the CDR service to you, illion uses third parties located in Australia to provide its services. The services provided by these third parties include:

  • Network infrastructure providers – who provide computing hardware and services that allow us to develop and provide our products;
  • Data Centre providers who store large volumes of data in a safe and secure manner to protect the information illion is responsible for;
  • Cloud Service Providers that allow information to be stored safely and allow for secure access.

These service providers are not authorised Data Recipients under CDR rules and only provide very specific services to illion. It is important to note these service providers are not permitted to share or use any CDR or illion information.

We note that it is possible that a Data Recipient may use service providers located overseas or allow data they receive to be used or held overseas (please refer to the CDR or Privacy Policy of the Data Recipient/Trusted Adviser for details on this).

Type of information that may be shared

The type of information that may be shared includes:

  • information about you such as your name, address, occupation, and contact details;
  • information about your online account transaction details such as banking transaction data and account balances;
  • information about the use of a product by you such as the terms and conditions or type of product being used.

You can choose the type of information to be shared. We provide you with a Data Sharing Dashboard for the management of your consents which includes receipts or confirmations of your consents and a summary of the data shared. You may update your sharing arrangements or withdraw your consent when you no longer want the data to be shared with the Data Recipient.

illion will retain records that allow it to track activities such as consents, consent withdrawal and data sharing in accordance with its obligations. These are referred to as service logs. While they form a record of what transpired, they do not contain identifiable CDR information.

What happens to your data after we shared it with the Data Recipient

Once CDR information has been shared with the Data Recipient illion considers the CDR information redundant and will delete it so that it no longer has access to this information.

Trusted Advisers

The information disclosed to a Trusted Adviser will be stored, used, disclosed and protected in accordance with the relevant professional services industry standards and the service agreement between you and your Trusted Adviser.

In some situations, a Trusted Adviser may authorise us to send a copy of the data shared with them to a storage facility or to a nominated third party such as their aggregator. While the storage facility may be offered by illion it is important to note that illion will not have any access to the information. The Trusted Adviser may access and share the information in the storage facility with third parties including their aggregator for up to 30 days after which the data is automatically deleted. To understand how your Trusted Adviser will handle your data, you should check with your Trusted Adviser.

Access, Correction or Deletion of your information

As noted above illion does not retain CDR information in an identifiable form. If you need to access, correct or delete your CDR information you will need to make this request to either the Data Holder or the Data Recipient (depending on who holds the information requiring access/correction/deletion). If an access, correction or deletion request about CDR information is made to illion then illion may need to direct you to the organisation that is best able to assist with the request.

Any request for access, correction or deletion of the data provided to a Trusted Adviser will need to be directed to the Trusted Adviser. Please note that data supplied to a Trusted Adviser is no longer CDR data.

Notifications about certain events

As part of CDR it is important that you are aware of specific events including:

  • when consent is given to collect, use and/or disclose your CDR information;
  • who information will be shared with;
  • what type of information will be shared;
  • when consent is amended or withdrawn;
  • when collection of your CDR information will occur;
  • when disclosure of your CDR information will occur;
  • details of your ongoing consent (where consent is not for a singular share request) including expiry or amendment of a consent; and
  • any response to your complaint, correction or request to delete or deidentify your information.

When providing the initial consent, you will receive confirmation of giving consent and the nature of the consent, you will then receive confirmation that the information has been collected from the Data Holder and disclosed to the Data Recipient.

illion may provide its services as an:

  • Accredited Data Recipient, in which case illion will provide the notifications throughout the consent process and using email notifications and / or our Data Sharing Dashboard. [The Data Sharing Dashboard is an on-line service that allows you to perform functions in the CDR environment such as to:

i) withdraw consent to collect, use and disclose CDR information; or

ii) request that redundant data be retained or deleted at any time.]

  • Outsourced Service Provider, in which case illion’s client will be the principal and may provide the relevant notifications including providing the relevant Data Sharing Dashboard.

illion invests heavily in data and information security controls that allow it to monitor and protect the information it holds. If a situation arises where an eligible data breach occurs that satisfies the Notifiable Data Breach obligations involving CDR information illion will enact its Data Breach Response Plan to minimise any risk of harm and notify those impacted of this in accordance with its regulatory obligations.

Complaint management

While we aim to address matters quickly and efficiently we understand there are times when things may go wrong and there may be a need to raise a complaint. As noted above it is important to be aware that the CDR services provided by illion may involve a number of parties being:

  1. the Data Holder – this is the organisation that holds the information and who is being requested to share with another party (for example a financial service provider who provides a bank or credit account to the individual);
  2. illion Open Data Solutions – illion facilitates the transfer of information from the Data Holder to a Data Recipient in accordance with the individual’s instructions and consent;
  3. the Data Recipient – this is a party that is permitted under CDR rules to receive the consented information from the Data Holder. This may be:
    1. another accredited data recipient such as a credit provider assessing a loan application; or
    2. a Trusted Adviser such as a mortgage broker, accountant, solicitor, tax agent or financial counsellor engaged by the individual to provide their professional services to them.

It is important to ensure that any complaint is directed to the correct party and all relevant information is supplied so that it can be fully investigated and resolved.

If a complaint relates to the service provided by illion such as the manner in which illion has classified the data it may be beneficial to complete the online form (available here)provided, this should include the complainants full name, contact details, the nature of the complaint, type of information shared, who it was shared by (Data Holder) shared with (Data Recipient) and the nature of the resolution required.

If a complaint relates to the nature or content of CDR information then illion may need to refer the matter to the Data Holder or Data Recipient (as relevant) as illion may not be able to respond to the substance of the complaint, if this is the case illion will advise the complainant of this.

If the complaint relates to illion’s actions directly please contact us using the online form (available here) or these contact details:

Attention to: Complaints
Company: illion Open Data Solutions
Postal Address: PO Box 7405
St Kilda Rd Melbourne VIC 3004
Email: complaints@illion.com.au
Phone: 13 23 33

As per illion’s complaint handling policy we will address complaints as quickly and efficiently as possible. We encourage any concerns to be raised to us as soon as they are identified so we can respond appropriately and avoid the matter escalating unnecessarily. We will endeavour to acknowledge receipt of a complaint within two business days and provide a written response within 30 days (provided we have all necessary information). In cases where further information, assessment or investigation is required, we will seek to agree on an acceptable alternative time frame.

The outcome of a complaint is highly reliant on the nature of the issue and how/when it arose but may include an apology for a disruption or shortcoming in the service provided by illion or resupplying the service.   If a complaint relating to illion’s actions continues to be unresolved or is not resolved satisfactorily there may be the option to refer the matter to:

  • the Australian Financial Complaints Authority (AFCA). AFCA is a free and independent complaint resolution service that may be available to individuals and small businesses using iODS; or
  • the Office of the Australian Information Commissioner(OAIC).

Please note that organisations in the CDR process (Data Holders / authorised data recipients) will be members of AFCA or a similar external dispute resolution scheme. While some Trusted Adviser (such as mortgage brokers) will also be covered by AFCA others (such as accountants and solicitors) will have dispute resolution services linked to the professional services’ representative body for their industry.

If you require a free, printed copy of this policy, or have any enquiries relating to this policy or illion Open Data Solutions please contact us at: odssupport@illion.com.au.

 

Policy version July 2024