Consumer Data Rights (“CDR”) is legislation that was introduced to increase competition in the Australian economy, it allows individuals to control when they share their CDR information and with whom. As part of CDR an individual is able to choose:
- the type of information to be shared;
- the purpose for which it is being shared;
- when to withdraw their consent from it continuing to be shared; and
- when to request for their information to be deleted.
In the CDR environment illion Open Data Solutions Pty Ltd (“illion” “we” “us” “our”) is an accredited data recipient (“ADR”) [accreditation number ADRBNK000017].
We provide a means for our clients to allow an individual to be able to share their information from one party (the data holder) with another (the data recipient). We do not charge individuals for this service.
As an ADR we recognise the importance of protecting CDR information and provide this policy to outline our practices in relation to CDR information.
What type of CDR information is shared and how might it be held?
We note that our current services are limited to the banking and financial services. This means the type or class of information that may be shared using our CDR services include:
- information about the user of a product – such as the individual’s name, address and contact details;
- information about the use of a product – such as banking transaction details and account balances;
- information about a product – such as the type of product, price, features or benefits and terms and conditions of the product/s being used.
We will not be retaining the CDR information as we are simply providing a service that allows individuals to share their information from the data holder with the data recipient.
What is CDR information used for?
There are many reasons why an individual may want to share their CDR information, this includes assessing a credit application where the data holder is the individual’s financial service provider and the data recipient is a potential lender or broker assisting the individual with the loan process.
In providing our services we will categorise transaction information to make it easier for the data recipient to understand, this includes summarising items into income, liabilities and expenses into subcategories such as groceries, utilities, telephone costs, entertainment or other household and personal expense groups. While the various categories, information and summary supplied may be developed by us using raw transaction data we may also use predefined categories that are required by the data recipient.
Who will the CDR information be disclosed to?
We will only be disclosing the CDR information to the party that the individual has nominated as the data recipient.
Overseas storage practices.
We do not process or store CDR data overseas.
We use services from third parties in order to provide our services, this includes:
- Network infrastructure providers – who provide computing hardware and services that allow us to develop and provide our products;
- Cloud Service Providers that allow information to be analysed and categorised in a secure environment.
These service providers are located in Australia, they are not Accredited Data Recipients under CDR rules and only provide very specific services to us.
It is important to note these service providers do not have access to the CDR information.
How to access and correct CDR information?
We do not retain CDR information.
In an effort to ensure the maximum protection of CDR information we do not retain CDR information once it has been provided to the data recipient.
This means we will not be able to provide access to, or correction of the CDR information that was shared from the data holder with the data recipient using our services. If a situation arises where the information shared with the data receiver was inaccurate or incomplete then a new request to share information will be required.
How to complain about CDR information?
While we aim to address matters quickly and efficiently we understand there are times when things may go wrong and there may be a need to raise a complaint. As noted above it is important to be aware that the CDR services provided by us involve a number of parties including:
- the data holder – this is the party who holds the information and who is being requested to share with another party (example the financial service provider);
- illion Open Data Solutions – that facilitates the transfer of information from the data holder to the data recipient;
- the data recipient – this is the party that will receive the requested information from the data holder (example a lender assessing a loan application). While we are located in Australia we note that it is possible that a data recipient may be located overseas or allow data they receive to be used or held overseas (please refer to the CDR Policy of the data recipient for details on this).
It is important to ensure that any complaint is directed to the correct party and all relevant information is supplied to ensure it is able to be fully addressed.
If your complaint relates to the service provided by us it may be beneficial to complete the Online Form to ensure all relevant information is available, otherwise please contact us using the contact details below.
Attention to: Complaints
Company: illion Open Data Solutions
Postal Address: PO Box 7405
St Kilda Rd Melbourne VIC 3004
Phone: 1300 734 806
As per illion’s Complaints Handling Procedure we will address complaints as quickly and efficiently as possible. We encourage any concerns to be raised to us as soon as they are identified in order for us to be able to respond appropriately and avoid a matter escalating unnecessarily. We will endeavour to acknowledge receipt of a complaint within two business days and then provide a written response within 30 days (provided that we have all necessary information). In cases where further information, assessment or investigation is required, we will seek to agree on an acceptable alternative time frame.
The outcome of a complaint is highly reliant on the nature of the issue and when the issue arose but may include an apology for a disruption or shortcoming in the service provided. Whatever the outcome maybe we note that if a complaint relating to our actions continues to be unresolved or is not resolved satisfactorily there may be the option to escalate the matter to:
- the Australian Financial Complaints Authority (AFCA). AFCA is a free and independent complaint resolution service that may be available to individuals and small businesses using iODS.
Please note all parties in the CDR process (data holders and data recipients) will be members of AFCA or a similar external dispute resolution scheme.
Notifications about certain events
As part of CDR it is important that individuals are aware of specific events including:
- when consent is given to collect, use and/or disclose their CDR information;
- when consent is amended or withdrawn;
- when collection of an individual’s consumer CDR information will occur;
- when disclosure of an individual’s consumer’s CDR information will occur;
- details of an individual’s ongoing consent (where consent is not for a singular share request) including expiry or amendment of a consent; and
- any response to an individual’s correction request.
When providing the initial consent, the individual will receive confirmation of giving consent and the nature of the consent, they will then receive confirmation that the information has been collected from the data holder and disclosed to the data recipient. We may also provide our services as an outsourced service provider where our client is the principal, we note that notifications may be provided by the principal.
We may also provide our services as an ADR in which case we will provide these notifications throughout the consent process and using email notifications and / or our consumer dashboard. [The consumer dashboard is an on-line service that allows an individual to perform functions in the CDR environment such as to: i) withdraw consent to collect, use and disclose CDR information or ii) request that redundant data be retained or deleted at any time.] A consumer dashboard may also be provided by the principal where appropriate.
If a situation arises where an eligible data breach occurs under the Notifiable Data Breach Scheme involving CDR information under our control we will advise those impacted of this.
How do consents work?
Consent is required to allow any sharing of CDR information, when consent is granted this will allow for the historical transaction information to be shared for a period that may vary depending on the requirements of the data recipient.
The CDR environment allows for consent to be granted for a period of time – ongoing consent. This allows for CDR information to be shared regularly (e.g. for a budget management app or managing a continuing banking relationship), this is limited to a maximum consent period of 12 months unless the consent;
- is established for a shorter period or
- is withdrawn earlier.
If an ongoing consent for collection is withdrawn, or expires (after the maximum period of 12 months), then the service (such as the budgeting management app) may no longer be available, in order for the service to continue or be reinstated the consent will generally need to be renewed or re-instated. Consent can be withdrawn at any time (it does not have to be retained for any prescribed period).
We will only allow sharing of information that is specifically consented by the individual that clearly sets out the data holder, data recipient and type of information to be shared.
Deletion of CDR information
We do not retain CDR information once it becomes redundant (once it has been provided to the data recipient).
We will retain audit records that allow us to track activities such as the meta data (data about actions for which we were responsible) but will not retain the CDR information itself.
If you require a copy of, or have any enquiries relating to, this policy or illion Open Data Solutions please contact us at: firstname.lastname@example.org
Policy version May 2022