The Office of the Australian Information Commissioner (OAIC) has urged businesses to comply with the Consumer Data Right (CDR) rules after Regional Australia Bank (RAB) was found to have breached privacy safeguards.
Privacy commissioner Carly Kind said RAB’s recent incident saw the CDR data of 197 consumers “co-mingled”, which created a risk of “inaccurate information to other participants in the CDR ecosystem about an affected consumer.”
This had the potential to affect the approval of credit or financial products for consumers.
According to Kind, the problem stemmed from a flaw in Biza’s software, which was provided as a service to multiple clients.
While Biza had released a software patch to fix the problem for its existing clients, it overlooked the fact that RAB, which was then in the process of transitioning to the platform, would also be affected.
The problem was only discovered when an accredited data recipient reported an incident involving a consumer who found unauthorised transactions in their banking history.
Although Biza resolved the issue immediately once it was reported, the OAIC investigated to prevent similar issues from arising in future.
This incident prompted the OAIC to reinforce that businesses are legally responsible for CDR breaches, even if unaware of the issue.
“Under Privacy Safeguard 11, data holders need to ensure the accuracy of the information they disclose, either personally or through a third-party service provider,” said Kind.
“While I found RAB took reasonable steps to comply with both privacy safeguards, Biza did not.”
Following the breach, RAB looked to shift liability for the issue. However, Kind said that the issue arose due to Biza acting on behalf of RAB.
“Section 84(2) of the Competition and Consumer Act 2010 stipulates that when a company acts as an agent of another, for the purposes of the consumer data rules, that conduct is deemed to have been engaged in by the other entity. As such, RAB was liable for any failings by Biza, even if it had no knowledge or awareness of them and was not in a position to take steps to prevent or address them,” she said.
The incident involving RAB and Biza reinforces the liability businesses carry when handling CDR data: the OAIC’s ruling makes clear that the privacy safeguards in the CDR system are non-negotiable, and that businesses must take active responsibility for their third-party providers’ compliance.
Failure to do so could result in regulatory action, even where the breach was beyond the business’s direct control.
The OAIC said that for companies operating under the CDR rules, now is the time to audit third-party agreements, strengthen oversight mechanisms, and ensure airtight compliance strategies to protect both the consumer and the company.