The Consumer Data Right: Building the Information Nation

The background

There is considerable momentum right now in Australia towards giving control of data back to citizens.

It’s a debate that has swirled around the My Health Record initiative, and more recently the banking sector. Private individuals regularly hand over sensitive information about their lives – how can they reclaim autonomy over it?

The Federal Government’s proposed Consumer Data Right legislation has approached quietly over the horizon, with the ACCC’s consultation period to close on 12 October. The implications for business of the proposed laws are significant.

Data Sharing and Release (DSR) laws aim to hand back control to customers with respect to their own information, setting firm, nationally consistent boundaries around who can have that information and how it can be used. But what’s distinctive about the proposed scheme is that it addresses the benefits of a regulated data industry as much as the risks.

The new laws will firstly target the banking sector, then the telecommunications and energy sectors. ‘Open Banking’ is expected to hand customers control of the information they’re already sharing with their bank, allowing them to safely share that data with trusted third parties and potentially leading to more consumer choice in retail banking.

Let’s look at the scheme…

The new CDR laws will slot into the Australian Competition and Consumer Act. An exposure draft has been circulated and submissions closed on 7 September.

Which data comes under the legislation? The definition of so-called ‘CDR data’ is yet to be settled, but is likely to include not only transactional data in its primary form, but also derivations of that data. In other words, the raw material and the more detailed analyses built out of it.

The laws are likely to cover data held by Commonwealth entities, regardless of the purpose for which it was collected or generated (with some exceptions). It’s been suggested that it would be appropriate to exclude certain categories, such as data used for national security or law enforcement and data subject to contractual obligations.

There would be civil and criminal protections for correct uses of data under the scheme, and as a further balancing measure, all of the existing Australian Privacy Principles would be inbuilt.

The Federal Government’s Issues Paper proposed the use of: (1) a ‘purpose test’; and (2) a ‘Five-Safes Framework’, to determine whether and how data may be shared. It’s worth looking more closely at both of these.

The purpose test

In most cases, the parties looking to access public sector data that is collected and held by the government will be individuals and small businesses who use data analytics to develop new products and services designed to enhance everyday life. A party demonstrating any of the following purposes is expected to have sufficient grounds to be authorised for data sharing under the new legislation:

  1. informing government policy-making;
  2. supporting the efficient delivery of government services or government operations;
  3. assisting the implementation and assessment of government policy; or
  4. research and development with clear and direct public benefits.

Victoria, NSW and South Australia have all enacted data sharing laws which adopt similar lists of purposes.

The ‘Five-Safes Framework’

Before any data can be shared, certain safeguards must be put in place under the ‘Five-Safes Framework’. These principles are aimed at reducing risk in data sharing while preventing over-regulation. There are five key questions to ask about any proposed release or sharing of data:

  1. Safe data: can the data disclose identity?
  2. Safe people: can the users be trusted?
  3. Safe setting: does the access environment prevent unauthorised use?
  4. Safe outputs: are the project results likely to disclose identity?
  5. Safe project: is the purpose of use appropriate?

If a set of data is weak on one ‘safe’, the others could be ratcheted up to counteract that weakness. So if, for instance, the user is a trust risk, then the release must be designed (safe number one) so that it doesn’t identify anyone.

Some users would accrue ‘trusted’ status, so that their track record would accredit them to pass on data in limited circumstances.

The implications

We believe regulatory compliance costs will rise as the ACCC takes up the role of head regulator of the CDR. The impact of increased compliance costs will be amplified by heightened competition and the resulting attempts by businesses to retain customers by lowering prices.

Now is the time to ask the basic questions about your business’s collection and use of data. If a regulated marketplace is shortly to be created, and if the data you’re collecting – or contributing – is currency in that new market, how will you adapt?

Individuals and small to medium businesses should be preparing to ride these changes – not only avoiding the pitfalls but positioning themselves to take advantage of the opportunities presented by the CDR.