With regular reports of data breaches, information security and privacy protection are increasingly important concerns for many Australian consumers.
Implementing rigorous data protection measures can be a good corporate differentiator – setting your business apart from the competition by giving your customers the confidence their confidential personal and financial information is secure.
Another important driver incentivising Australian businesses to implement stricter information security controls is the new Consumer Data Rights initiative.
Over coming years, the Government will roll out Consumer Data Rights across a number of Australian industries. Whilst this offers businesses exciting new opportunities to attract more customers, it also comes with additional obligations regarding data protection and privacy.
In order to make the most of Consumer Data Rights, it’s important to understand how this new initiative can affect your business and what steps you can begin taking to prepare for its implementation.
1. What are Consumer Data Rights?
‘Data is the new oil’.
That was the catchphrase first coined by UK mathematician Clive Humby in 2006. Like oil, data needs to be mined and refined so it can be useful to us. However, the analogy has its limits. Unlike oil, data is not a finite resource. The same data can be used in many different ways, revealing many different insights. Arguably, the more data is used, the more valuable it becomes.
Consumers are increasingly aware of data’s value. Seemingly endless reams of information are collected every day about consumers and their behaviour patterns. Many consumers now believe they should have some rights over the data collected on them.
Until now, consumers faced an uphill struggle finding out specifically what information is being collected, let alone gaining access to it or controlling its use.
That’s all about to change with a new government initiative: Consumer Data Rights, or CDR.
Under CDR, consumers will have the right to access certain types of information businesses collect on them. They will be able to direct a business to transfer that data to an accredited, trusted third party of their choice.
If, upon receiving the data, the third party is able to offer the consumer a superior product or service, the consumer will be able to switch brands quickly and easily.
So, not only will CDR empower consumers by giving them greater control over their data, it will also encourage greater competition in a range of industries.
2. What industries are affected?
CDR will start off in the financial sector.
Banking customers are notoriously ‘sticky’ and tend not to switch financial institutions regularly. That inertia hampers competition in the sector. The government is committed to an initiative called ‘Open Banking’ which has CDR at its heart. The aim is to make it easier for consumers to shop around for the best financial products, such as mortgage or credit card rates.
Once CDR is implemented within the financial sector, the government plans to extend it to other industries, starting with energy and telecommunications.
Further sectors will follow over time.
3. What are the principles underpinning CDR?
CDR will be implemented according to four key principles:
CDR should be consumer focussed. It should be for the consumer, be about the consumer, and be seen from the consumer’s perspective.
CDR should encourage competition. It should seek to increase competition for products and services available to consumers so that consumers can make better choices.
CDR should create opportunities. It should provide a framework from which new ideas and business can emerge and grow, establishing a vibrant and creative data sector that supports better services enhanced by personalised data.
CDR should be efficient and fair. It should be implemented with security and privacy in mind without being more complex or costly than needed.
4. What are some of the considerations informing the implementation of CDR?
Information security and privacy considerations are core features of the CDR initiative.
With consumer data being transferred to multiple parties via API, it is essential controls are in place to prevent breaches, leakage or unauthorised use of the data.
Among the data protection considerations are:
- Measures to ensure businesses only transfer data to accredited third parties at the direction of the consumer;
- Measures to ensure consumers control how their information is used by those third parties;
- Obligations surrounding the deletion or de-identification of data by third parties once the data has been used in accordance with the consumer’s wishes;
- Rigorous data transfer and storage standards;
- Extension of provisions within the Privacy Act 1988 to other organisations currently not covered, such as organisations with annual revenue of less than $3 million;
- Avenues for consumers to seek meaningful remedies for breaches, including external dispute resolution and direct rights of action.
5. How can businesses participate in CDR?
There are a range of security implications when transferring sensitive and potentially highly valuable consumer data between organisations via API. That’s why businesses will be required to meet a rigorous set of information security and privacy standards in order to participate in the CDR initiative. These are necessary to ensure consumer data is not compromised.
The Australian Competition and Consumer Commission (ACCC) has responsibility for overseeing the initiative and accrediting those organisations that meet the cybersecurity standards. Accreditation is necessary in order to participate in the initiative.
CDR will also impose obligations on businesses to provide access to data on the goods and services they have on offer. This will enable comparison websites to gain up-to-date information so consumers can make more informed choices.
In some cases, achieving ACCC accreditation will be possible if the organisation already meets other similar information security and privacy standards. For example, an Authorised Deposit-Taking Institution (ADI) will already meet many standards that align with the ACCC rules, so accreditation to CDR shouldn’t encounter any hurdles.
However, if any breaches of the ACCC rules occur, an organisation’s accreditation may be suspended and they will not be able to access any further consumer data.
6. What are the technical requirements for CDR participation?
Many businesses stand to benefit significantly from the adoption of CDR.
However, it comes with onerous requirements that must be adhered to.
At a minimum, you need to ensure your organisation meets the necessary technical standards. These have been formulated through four work streams:
- API standards enable consistent transfer methods that meet acceptable levels of safety, convenience and efficiency and include specifications for data description and recording.
- Information security standards consist of techniques to protect users of the system, networks, devices, software, processes, information in storage, applications, services and systems.
- Consumer experience standards provide best practice language and user experience (UX) design patterns to request consumer consent and guide authentication and authorisation flows.
- Engineering standards focus on demonstrating the API standards through the delivery of usable software artefacts that help ecosystem participants demonstrate conformance with the CDR standards and rules.
In cases where data holders or data recipients breach the CDR rules, a range of penalties is possible, including infringement notices, civil penalties, compensation orders, enforceable undertakings and potentially de-accreditation.
7. When will CDR start?
Whilst the CDR start-date has been pushed back pending resolution of some details, the Government is now committed to begin launching the initiative for the finance sector by July 2020.
Initially, the Big Four Banks will begin complying with the initiative, with other financial institutions to follow 12 months later.
CDR rules for the energy and telecommunications sectors are still under development.
8. What’s the first step to get ready for CDR?
Whilst the rules surrounding CDR are yet to be fully finalised, it’s clear that privacy protection is going to be a central feature.
The Privacy Act 1988 established a range of privacy standards for organisations with revenues in excess of $3 million per annum. However, under CDR, we know that aspects of the Privacy Act will also be extended to financial organisations with lower revenues. The same may also be true for smaller organisations in other sectors.
The Australian Privacy Principles (APPs) form part of the Privacy Act. These apply to organisations holding consumer data and are designed to ensure that Personally Identifiable Information (PII) and other sensitive data assets are handled responsibly.
The APPs require organisations to maintain sufficiently robust controls to prevent unauthorised access, disclosure or use of information.
In addition to the APPs, CDR will also see the creation of Privacy Safeguards. The Privacy Safeguards are likely to be more onerous than the APPs as they apply to both individual data and organisational data, which is harder to de-identify.
The Privacy Safeguards will come into effect once a consumer makes a data transfer request. They will outline how transfers via API are to be conducted and how the third party receiving the data needs to handle it.
Making sure your organisation is compliant with the Australian Privacy Principles is a good first step to preparing for CDR so you’ll be able to take advantage of the benefits it offers once it is rolled out across different sectors of the economy.
How can Shearwater help you?
For further information about complying with the Australian Privacy Principles, contact Shearwater. We have extensive experience helping organisations of all sizes ensure they have the systems and policies in place to protect their information assets.