CDR outsourcing rules

While Consumer Data Right (CDR) accredited persons, CDR representatives and service providers are permitted to outsource complex requirements relating to CDR data they receive, there are privacy obligations both for the principal and the outsourced service provider (OSP).

The Office of the Australian Information Commissioner (OAIC) has published guidance on the privacy obligations of both outsourced service providers and the principals of those OSPs under a CDR outsourcing arrangement.

An outsourcing arrangement must be set out in a written contract that meets the requirements described in Rule 1.10 of the Competition and Consumer (Consumer Data Right) Rules 2020 (the CDR Rules).

A CDR outsourced service provider must comply with the privacy safeguards relating to CDR data holding, use and disclosure as well as information security and CDR data deletion and access obligations.

CDR outsourcing arrangements can apply repeatedly – that is, the second provider can subcontract to a third provider and so on, forming a ‘chain’.

Where it is an accredited person, the OSP chain principal bears ultimate responsibility for ensuring each of its direct and indirect OSPs complies with the requirements of their relevant CDR outsourcing arrangement.

An accredited person who is an OSP chain principal will breach a civil penalty provision if one of their direct or indirect OSPs fails to comply with a required provision of their CDR outsourcing arrangement.



Author: David Jacobson
Principal, Bright Corporate Law
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.

 
