As an accredited consumer data right (“CDR”) recipient illion Open Data Solutions Pty Ltd (“illion”) [accreditation number ADRBNK000017] recognises the importance of protecting CDR information.

illion provides a means for individuals to be able to share their information from a Data Holder with a Data Recipient. There are many reasons why an individual may want to share their information held by one institution with another such as a loan application where the Data Holder is the individual’s bank and the Data Recipient is the potential lender, or it may be a Mobile App that provides a budgeting service.

The most important requirement under CDR is that the individual is able to choose the type of information to be shared and is able to withdraw their consent when they no longer want the data to be shared or held by the Data Recipient.

This Policy outlines illion’s practices in relation to CDR. If you have any questions or enquiries relating to this policy or illion Open Data Solutions please contact us at: odssupport@illion.com.au.

Complaint management

While we aim to address matters quickly and efficiently we understand there are times when things may go wrong and there may be a need to raise a complaint. As noted above it is important to be aware that the CDR services provided by illion involve a number of parties being:

  1. the Data holder – this is the party who holds the information and who is being requested to share with another party (example the Bank)
  2. illion Open Data Solutions – illion facilitates the transfer of information from the Data Holder to the Data Recipient
  3. the Data Recipient – this is the party that will receive the requested information from the Data Holder (example a lender assessing a loan application).

It is important to ensure that any complaint is directed to the correct party to ensure it is able to be fully addressed.

If your complaint relates to the service provided by illion it may be beneficial to complete the Online Form to ensure all relevant information is available, otherwise please contact us on the contact details below.

Attention to: Complaints
Company: illion Open Data Solutions
Postal Address: PO Box 7405
St Kilda Rd Melbourne VIC 3004
Email: chc-au@illion.com.au
Phone: 1300 734 806

As per illion’s complaint handling policy here we will address complaints as quickly and efficiently as possible. We will endeavour to acknowledge receipt of a complaint within two business days and then provide a response within 30 days (provided that we have all necessary information). In cases where further information, assessment or investigation is required, we will seek to agree on an acceptable alternative time frame.

If a complaint relating to illion’s actions continues to be unresolved or is not resolved satisfactorily there may be the option to escalate the matter to the:

  • Australian Financial Complaints Authority (AFCA). AFCA is a free and independent complaint resolutions service that may be available to individuals and small businesses using iODS.

Please note all parties in the CDR process (Data Holders and Data Recipients) will be members of AFCA or a similar external dispute resolution scheme.

Outsourced Service Providers

illion uses services from third parties in order to provide its service, these are referred to as “outsourced service providers”.

Outsourced service providers include:

  • Network infrastructure providers – who provide computing hardware and services that allow us to develop and provide our products;
  • Data Centre providers who store large volumes of data in a safe and secure manner in order to protect the information illion is responsible for;
  • AWS / Cloud Service Providers that allow information to be stored in a safe and secure manner that allows for secure access.

These service providers are located in Australia they are not authorised data recipients themselves, and provide a very limited service to illion.  They are not permitted to share or use any illion CDR information.

Consent management

Consent can be either singular use or ongoing.

Singular use. This will allow the transfer of information once for a specific purpose e.g. transferring bank transaction information such as income / expenses from the Data Holder to the Data Recipient to allow the Data Recipient to assess a loan application.

Ongoing use. This will allow for information to be shared regularly (e.g. for a budget management app or managing a banking relationship) for a maximum period of 12 months unless

  1. a) it is established for a shorter period or
  2. b) consent is manually withdrawn earlier.

If consent is withdrawn (or expires) then the service will no longer be available, in order for the service to continue consent will need to be renewed. As noted previously consent can be withdrawn at any time (it does not have to be retained for the maximum or prescribed period), this can be done by going to your Consumer Dashboard linked to the Data Recipient.

illion will only allow sharing information that is specifically consented that aligns with the services being provided by the Data Recipient.

illion does not retain identifiable CDR data, in an effort to ensure the maximum protection of CDR data illion deidentifies the data once it becomes redundant (i.e. when it has been provided to the Data Recipient).  Deidentification involves the removal of any means of being able to link the data to the individual that it related to.

The deidentification process will ensure that critical identifiers such as name / address / date of birth / account numbers etc are destroyed and are not retained so only deidentified data will be retained. Deidentified data will be used for analysis, research, product development and product improvement purposes.  This includes supplying analysis services to third parties including illion’s customers or those of its related body corporates.

illion will retain records that allow it to track activities such as consents, consent withdrawal and data sharing in accordance with its obligations but will not retain the CDR data in an identifiable format.  Once data is deidentified it is no longer linked to a person and is not re-identifiable.

 

Policy version August 2021