If an accredited person makes a request for consumer data on behalf of an RDC consumer in accordance with Part 4 of these Rules and the application contains RDC data on one or more joint accounts where the RDC consumer`s owner holds a joint account, Division 4.3 will deal with the processing of the application. A data recipient MUST be accredited to participate in the CDR Federation. The accreditation rules for data recipients go beyond the scope of this artifact. The accreditation process is managed by the RDC Registrar. (i) designate one or more persons (designated representatives) who are able to grant, amend and manage authorisations on behalf of the CDR consumer to disclose RDC data for the purposes of those rules; and for section 56EI(1)(b) of the Act, the use or disclosure of RDC data for which there is a CDR consumer by an accredited recipient of CDR data is permitted under these Rules if it is an authorized use or disclosure that does not relate to direct marketing. (5) Part 5 of these Regulations deals with how persons may become accredited persons. It also deals with ancillary issues such as the revocation and suspension of accreditation, the obligations of accredited persons and the register of accredited persons. The rules set out in this Part should be read in conjunction with section 3 of Part IVD of the Act. Here are the rules that came into effect in February 2020. The rules of procedure have since been amended.
Announcements of new versions of the rules can be found on our main page or in the Federal Register of Legislation. The standards in this section provide a non-exhaustive list of options that data owners can implement to support their compliance with these rules. The specific implementation of an alternative notification schedule and offer, which may or may not include the options listed here, is at the discretion of the data owner. It is the responsibility of the controller to ensure that it complies with its obligations under the rules of the RDC. Compliance with the RDC rules for alternative notification plans would require at least the implementation of a combination of options (a combination of the options listed below, other measures, or both). The accredited data recipient must document and implement the processes related to the management of CDR data throughout its lifecycle, including a policy on the classification and processing of information (which must take into account the confidentiality and sensitivity of CDR data) and processes related to backup, the retention of CDR data and, in accordance with Rules 7.12 and 7.13, deletion and de-identification. Note 2: If the Account Holder provides an indication in accordance with paragraph 5(b)(i), the Data Controller may no longer disclose the RDC data to that accredited person through that Account: see Sub-Rules 4.6, paragraphs 2 and 4, and Rule 4.6A, paragraph 1. The RDC rules will come into force on February 6, 2020.
(d) direct marketing consent is consent given by a RDC consumer under these Rules to an accredited data recipient of certain RDC data to use or disclose RDC data for direct marketing purposes; and Note: Paragraph 56EI(1)(b) of the Act provides that an accredited recipient of RDC data may not use or disclose it unless the use or disclosure is otherwise required or permitted by consumer data regulations. This rule provides for authorization for this paragraph. (2) The accredited data recipient shall monitor and assess the design, implementation and operational effectiveness of its security controls with respect to the management of RDC data in accordance with its obligations under Part IVD of the Act and these Rules and taking into account the information security controls set out in Part 2 of this Schedule. 5. Under these rules, the reference to an accredited person who makes a request for consumer data, collects data from the RDC, obtains consents, provides a consumer dashboard or uses or discloses RDC data does not include a reference to an accredited person who performs those transactions on behalf of a principal in his or her capacity as a supplier in an outsourced service contract. in accordance with the Agreement. ASAE 3150 could be downloaded from the Auditing and Assurance Standards Board (www.auasb.gov.au/admin/file/content102/c3/Jan15_ASAE_3150_Assurance_Engagements_on_Controls.pdf) website in 2020. Note 2: For point (b), the period indicated may not exceed 12 months: see sub-rule 4.12 (1). At the end of the period, redundant data should be processed in accordance with Article 56EO(2) of the Act (Data Protection 12) and Rules 7.12 and 7.13. (4) Part 4 of those rules deals with consumer data requests involving accredited persons and should be read in conjunction with the relevant annexes to those rules relating to specific designated sectors. On June 4, 2020, the ACCC announced another set of exceptions that give secondary data holders more time to comply.