Commonwealth Consolidated Acts Commonwealth Consolidated Acts(1) The object of this section is to ensure that each person (a CDR entity ) who is:
(a) a data holder of CDR data; or
(b) an accredited person who is or who may become an accredited data recipient of CDR data; or
(c) a designated gateway for CDR data;
manages the CDR data in an open and transparent way.
Compliance with this Part etc.
(2) The CDR entity must take such steps as are reasonable in the circumstances to implement practices, procedures and systems that:
(a) will ensure that the CDR entity complies with this Part and the consumer data rules; and
(b) will enable the CDR entity to deal with inquiries or complaints from a CDR consumer for the CDR data about the CDR entity's compliance with this Part or the consumer data rules.
Policy about the management of CDR data
(3) The CDR entity must have and maintain a clearly expressed and up - to - date policy that:
(a) is about the CDR entity's management of CDR data; and
(b) is in a form approved in accordance with the consumer data rules; and
(c) contains the information required by subsections (4), (5) and (6) (as applicable).
Note: This subsection is a civil penalty provision (see section 56EU).
(4) If the CDR entity is a data holder of any CDR data, the CDR entity's policy must contain the following information:
(a) how a CDR consumer for the CDR data may access the CDR data and seek the correction of the CDR data;
(b) how a CDR consumer for the CDR data may complain about a failure of the CDR entity to comply with this Part or the consumer data rules, and how the CDR entity will deal with such a complaint.
(5) If the CDR entity is an accredited person who is or who may become an accredited data recipient of any CDR data, the CDR entity's policy must contain the following information:
(a) the classes of CDR data that is or may become held by (or on behalf of) the CDR entity as an accredited data recipient, and how such CDR data is held or is to be held;
(b) the purposes for which the CDR entity may collect, hold, use or disclose such CDR data with the consent of a CDR consumer for the CDR data;
(c) how a CDR consumer for such CDR data may access the CDR data and seek the correction of the CDR data;
(d) how a CDR consumer for such CDR data may complain about a failure of the CDR entity to comply with this Part or the consumer data rules, and how the CDR entity will deal with such a complaint;
(e) whether the CDR entity is likely to disclose such CDR data to accredited persons who are based overseas;
(f) if the CDR entity is likely to disclose such CDR data to accredited persons who are based overseas--the countries in which such persons are likely to be based if it is practicable to specify those countries in the policy;
(g) the circumstances in which the CDR entity may disclose such CDR data to a person who is not an accredited person;
(h) the events about which the CDR entity will notify the CDR consumers of such CDR data;
(i) the circumstances in which the CDR entity must delete or de - identify such CDR data in accordance with a request given by a CDR consumer for the CDR data under the consumer data rules.
(6) If the CDR entity is a designated gateway for any CDR data, the CDR entity's policy must contain the following information:
(a) an explanation of how the CDR entity, as a designated gateway, will act between persons to facilitate:
(i) the disclosure of CDR data; or
(ii) the accuracy of CDR data; or
under the consumer data rules;
(b) how a CDR consumer for such CDR data may complain about a failure of the CDR entity to comply with this Part or the consumer data rules, and how the CDR entity will deal with such a complaint.
(7) The CDR entity must make the CDR entity's policy available:
(b) in accordance with the consumer data rules.
Note: One way the consumer data rules could require the policy to be made available is to require the policy to be made available in accordance with a data standard.
(8) If a copy of the CDR entity's policy is requested by a
CDR consumer for the CDR data, the CDR entity must give the CDR consumer a
copy in accordance with the consumer data rules.