For the Australian version of Open Banking, the Consumer Data Right (CDR) regulates the collection and handling of CDR data in line with privacy safeguards and rules that ensure your data is managed securely and that give you control over how your data is shared.
Accredited Data Recipients (ADRs)
An Accredited Data Recipient (ADR) is an organisation approved under the CDR framework to receive and manage consumer data securely.
ADRs are required to adhere to strict privacy and security rules, ensuring that the consumer's data is used only with their consent. ADRs and ADR representatives (Partners) are expected to:
Transparently disclose how data is used.
Ensure secure storage and transfer of consumer data.
Implement privacy safeguards to protect user consent.
Key Benefits for you
Choice and control: You can decide what data to secure, how that data is used and who it can be disclosed to.
Manage consent: You can view, modify or revoke consents at any time.
Data deletion request: You can request data deletion or de-identification.
Data Usage under CDR
We may use the data collected under the CDR framework for:
Personalised services: Tailoring recommendations to user activities.
Operational purpose: Prevent fraud, detect abuse, and generate analytical insights using de-identified data.
Communication: Sending updates and notifications aligned with our customers' preferences.
Consent Management
When you give consent for bank feeds in Access Bank Feeds, you remain in control. You can easily ask your accountant to update your consent at any time, whether that means reviewing, updating or withdrawing it.
You have the right to request data deletion at any time.
If or when you withdraw your consent, the following happens:
Your data will be securely deleted or de-identified, depending on your consent.
Redundant data will be destroyed except for specific use cases when we are required by law to retain it for a longer period.
We will ensure that any third-party processors will securely erase any shared data.
De-identification process
De-identification involves removing identifiable information while retaining anonymised data for operational purposes, such as analytics and fraud prevention. The process includes the following steps:
Removing your personal information from transactions.
Stripping timestamps and descriptions that reveal specific details.
Aggregating data to ensure anonymity.
We may use de-identified data for improving services, creating insights and operational analysis.
Retention policy
We will always ensure that your data is deleted or de-identified promptly when it is no longer required, upon data sharing consent expiry or within 24 hours of receiving a consent revocation request.
