Derived data exists in the 1988 Privacy Act and refers to any data that is not raw; for instance, data that is changed from one format to another.
The government has confirmed that the consumer data right regime must be able to apply some data sets that are processed by the holder (derived) and not just data collected or observed by the holder (raw).
The Treasury department’s rationale is that if derived data were to be excluded, then data holders may be able to avoid their obligations to make data available to consumers and to protect consumers by making most, if not all, data that they hold derived.
The bill now reflects that raw transaction data and a wider range of derived data sets are to be included but provides a number of safeguards so that access rights to derived data doesn’t become too broad.
Access rights to derived data will now only occur if the minister specifies that data in the designation instrument and sets limits on the scope of requirements to derived data.
The Treasury department rejected that the legislation should exclude value-added data and just list specific value-added data to be included as such an approach would require legislative amendments every time the consumer data right is expanded into a new sector.
As open banking is the first sector to use the consumer data right, some examples of derived data within scope were included such as identifiers relating to people or accounts and common classifications such as transaction types.
The department also offered guidance on when data holders can charge fees for data access and, as a rule, consumers should be able to exercise their data rights without charge.
This may change in the future if the minister determines it should be the case but only after seeking the advice of the ACCC.
Some reasons may include consumers frequently accessing data for which there is a high marginal cost in disclosure or if data access might impact incentives for data holders to continue to collect and manage consumer data.
The bill has also changed to reflect the adoption of the principle of reciprocity, so those that receive data under the right should also be required to respond to requests to disclose equivalent kinds of data they hold in relation to the customer.
This is directed at growing the system for the benefit of consumers and to ensure a level playing field.
The second stage of the designation is currently on the Treasury website, and the government invites industry stakeholders to comment on the consultation up until 12 July.
