Carly Kind
Privacy Commissioner

Most businesses rely on numerous third-party service providers to deliver their services and help them meet their obligations. However, reliance on third parties introduces risks that businesses need to manage.

Liability for the actions of a third-party provider is a key issue in my first Consumer Data Right (CDR) determination published today. I found that Regional Australia Bank (RAB), in its capacity as a data holder in CDR, breached Privacy Safeguards 1 and 11 by virtue of the conduct of its third-party service provider, Biza.[1]

Strong privacy protections have been built into CDR, with the system strengthening Australian consumers’ ability to use and control their banking and energy data. This regulatory action is an example of the safeguards in the CDR system working to protect consumers.

The relevant incident involved the CDR data of up to 197 consumers being co-mingled. This created a real risk that RAB would provide inaccurate information to other participants in the CDR ecosystem about an affected consumer. This in turn had the potential to impact information and decisions about the affected consumers, such as whether they were approved for credit or a financial product.

The issue came about through a fault in Biza’s software, which was provided as a service to multiple clients. Biza had deployed a software patch to its clients to remediate the issue, but failed to identify that RAB, which was in the process of transitioning to the software platform, would become affected. The issue was identified only when an accredited data recipient raised an incident in which a consumer’s banking history contained transactions that did not belong to them. Biza addressed the issue quickly once it became aware of it. However, the OAIC considered it important to investigate the incident to identify the cause, make sure it was not repeated, and support trust in the privacy safeguards in the CDR system.

The CDR system is designed to keep data secure and protect consumers’ privacy, and it holds data holders to high standards. The first – and bedrock – privacy safeguard requires data holders to proactively consider, plan and address how to ensure compliance with CDR obligations. Under Privacy Safeguard 11, data holders need to ensure the accuracy of the information they disclose, whether they disclose it themselves or through a third-party service provider.

While I found RAB took reasonable steps to comply with both privacy safeguards, Biza did not. RAB had sought, via contractual provisions, to shift liability for non-compliance with the CDR framework to Biza. However, my view is that the nature of the agreements between RAB and Biza, and the obligations contained in them, made Biza’s activities conduct engaged in on behalf of RAB. Section 84(2) of the Competition and Consumer Act 2010 stipulates that when a company acts as an agent of another, for the purposes of the consumer data rules, that conduct is deemed to have been engaged in by the other entity. As such, RAB was liable for any failings by Biza, even if it had no knowledge or awareness of them and was not in a position to take steps to prevent or address them.

For other CDR participants, this determination clarifies the OAIC’s position where outsourcing is involved and should inform decisions about governance arrangements when engaging third-party service providers. Where CDR functions are outsourced, businesses should review and consider opportunities to strengthen the terms of their contractual agreements, especially provisions for audit and monitoring activities. I also strongly encourage businesses to document processes that ensure they proactively review and monitor compliance with their obligations.

When you outsource obligations under the CDR framework, you have oversight responsibilities for those contractors and need to make sure they are doing the right thing and that individuals’ privacy is protected.


[1] The determination does not make any legal findings or declarations about Biza.