Consumer Data Right (CDR) Framework (Australia)

Australia

v2023

3 domains

25 controls

Australia's Consumer Data Right (CDR) framework, established under Part IVD of the Competition and Consumer Act 2010, enables consumers to securely share their data with accredited third parties. Initially rolled out in banking, with energy and non-bank lending in development. Regulated by the ACCC (competition and accreditation), OAIC (privacy), and the Treasury (policy oversight), with technical standards set by the Data Standards Body.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (3)

Accreditation Framework

6 controls

Types of CDR accreditation for data recipients

Controls in the Accreditation Framework domain of Consumer Data Right (CDR) Framework (Australia) — 6 controls
Code	Title	Description
CDR-ACC-1	Unrestricted Accreditation	Full accreditation enabling receipt and holding of all CDR data. Requires demonstrated compliance with information secur...
CDR-ACC-2	Limited Data Restriction	Restricted accreditation with access limited to specific data clusters (e.g., bank accounts, payees, basic customer data...
CDR-ACC-3	Data Enclave Restriction	Restricted accreditation where CDR data may only be accessed within an unrestricted accredited data recipient's data env...
CDR-ACC-4	Affiliate Restriction	Restricted accreditation where an unrestricted 'sponsor' certifies a commercial relationship with the restricted 'affili...
CDR-ACC-5	CDR Representative	Operates under a CDR Representative Principal who is fully liable for the representative's use and disclosure of CDR dat...
CDR-ACC-6	Accredited Action Initiator	Authorised to submit consumers' instructions (e.g., initiate payments, switch providers). Introduced by Treasury Laws Am...

CDR Privacy Safeguards

13 controls

The 13 CDR Privacy Safeguards under Division 5, Part IVD of the Competition and Consumer Act 2010

Controls in the CDR Privacy Safeguards domain of Consumer Data Right (CDR) Framework (Australia) — 13 controls
Code	Title	Description
CDR-PS-1	Privacy Safeguard 1: Open and Transparent Management	Participants must have up-to-date CDR policies and documented procedures/systems to ensure they meet privacy obligations...
CDR-PS-10	Privacy Safeguard 10: Notification of Disclosure	Must update consumer dashboards when data is shared/disclosed to another entity (s 56EM).
CDR-PS-11	Privacy Safeguard 11: Quality of CDR Data	Must ensure data accuracy; must notify consumer in writing within 5 days if incorrect data was disclosed; must provide c...
CDR-PS-12	Privacy Safeguard 12: Security and Destruction	Must protect data from misuse, interference, loss, and unauthorised access; must delete or de-identify data no longer ne...
CDR-PS-13	Privacy Safeguard 13: Correction of CDR Data	Must address consumer correction requests and notify consumers when corrections are completed (s 56EP).
CDR-PS-2	Privacy Safeguard 2: Anonymity and Pseudonymity	Accredited businesses must allow consumers to remain unidentified or use pseudonyms, with limited exceptions (s 56EE).
CDR-PS-3	Privacy Safeguard 3: Collection of CDR Data	Accredited businesses can only collect data from another business with the consumer's express consent; cannot exceed nec...
CDR-PS-4	Privacy Safeguard 4: Unsolicited CDR Data	Must destroy or de-identify unrequested CDR data unless legally required to retain it (s 56EG).
CDR-PS-5	Privacy Safeguard 5: Notification of Collection	Must notify consumers via their consumer dashboard when data is collected (s 56EH).
CDR-PS-6	Privacy Safeguard 6: Use or Disclosure	Data use requires CDR authorisation and consumer consent, except where law or court orders apply (s 56EI).
CDR-PS-7	Privacy Safeguard 7: Direct Marketing	CDR data cannot be used for direct marketing without consent under CDR Rules (s 56EJ).
CDR-PS-8	Privacy Safeguard 8: Overseas Disclosure	Cannot send data overseas unless exceptions apply (e.g., overseas recipient is accredited) (s 56EK).
CDR-PS-9	Privacy Safeguard 9: Government Related Identifiers	Cannot adopt, use, or disclose government identifiers (e.g., Medicare, passport numbers) unless authorised by law (s 56E...

Consent Requirements

6 controls

CDR consent model under CDR Rules 2020

Controls in the Consent Requirements domain of Consumer Data Right (CDR) Framework (Australia) — 6 controls
Code	Title	Description
CDR-CON-1	Voluntary Consent	Consent must be freely given, not inferred or implied.
CDR-CON-2	Express Consent	Consent must be given through an affirmative act.
CDR-CON-3	Informed Consent	Consumer must understand what data is collected, for what purpose, and for how long.
CDR-CON-4	Specific Consent	Consent must be tied to particular data sets and specified purposes.
CDR-CON-5	Time-Limited Consent	Maximum consent duration of 12 months; must be renewed.
CDR-CON-6	Withdrawable Consent	Consumers can withdraw consent at any time through their consumer dashboard.

Frequently Asked Questions

What is Consumer Data Right (CDR) Framework (Australia)?

Consumer Data Right (CDR) Framework (Australia) is a compliance framework from Australia with 3 domains and 25 controls. Australia's Consumer Data Right (CDR) framework, established under Part IVD of the Competition and Consumer Act 2010, enables consumers to securely share their data with accredited third parties. Initially rolled out in banking, with energy and non-bank lending in development. Regulated by the ACCC (competition and accreditation), OAIC (privacy), and the Treasury (policy oversight), with technical standards set by the Data Standards Body. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does Consumer Data Right (CDR) Framework (Australia) have?

Consumer Data Right (CDR) Framework (Australia) has 25 controls organised across 3 domains. The largest domains are CDR Privacy Safeguards (13 controls), Accreditation Framework (6 controls), Consent Requirements (6 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does Consumer Data Right (CDR) Framework (Australia) map to?

Consumer Data Right (CDR) Framework (Australia) does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.

How do I get started with Consumer Data Right (CDR) Framework (Australia) compliance?

Start your Consumer Data Right (CDR) Framework (Australia) compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about Consumer Data Right (CDR) Framework (Australia) requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 25 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 693 frameworks.

Get Started Free →

Free forever — no credit card required