What are my rights when a company asks for my consent to collect my data?

In Plain English

When a company asks for your consent to collect your data, you have the right to be informed about what data they want to collect, how they plan to use it, and who they might share it with. Your consent must be freely given, specific to the purpose, and current. You can also withdraw your consent at any time, which will stop them from collecting any more of your data from that moment on.

Detailed Explanation

Several pieces of Australian legislation outline your rights regarding consent for data collection. Here's a breakdown:

1. General Consent Requirements:

   • Before giving consent, you must be adequately informed about:
     • The nature of the personal information to be shared (Data Availability and Transparency Code 2022, [Chunk 9], [Chunk 10], [Chunk 8], [Chunk 17], [Chunk 18], [Chunk 19], [Chunk 20]).
     • Whether the information will be shared more than once (Data Availability and Transparency Code 2022, [Chunk 17], [Chunk 19]).
     • The entities with which the information will be shared (Data Availability and Transparency Code 2022, [Chunk 9], [Chunk 17], [Chunk 19]).
   • Consent must be:
     • Voluntary (Data Availability and Transparency Code 2022, [Chunk 9], [Chunk 19], [Chunk 20]).
     • Specific to the sharing of information for the project or purpose (Data Availability and Transparency Code 2022, [Chunk 9], [Chunk 17], [Chunk 19], [Chunk 20]).
     • Current at the time of sharing (Data Availability and Transparency Code 2022, [Chunk 9], [Chunk 10], [Chunk 17], [Chunk 19], [Chunk 20]).
   • You can withdraw your consent:
     • Withdrawal must be express (oral or written) (Data Availability and Transparency Code 2022, [Chunk 9], [Chunk 10], [Chunk 17], [Chunk 19], [Chunk 20]).
     • Withdrawal is only effective for sharing after the withdrawal is communicated (Data Availability and Transparency Code 2022, [Chunk 9], [Chunk 10], [Chunk 17], [Chunk 19], [Chunk 20]).
   • Consent must be given by:
     • The individual, if they have the capacity to consent (Data Availability and Transparency Code 2022, [Chunk 9], [Chunk 10], [Chunk 17], [Chunk 19], [Chunk 20]).
     • Otherwise, by a responsible person as defined in the Privacy Act 1988 (Data Availability and Transparency Code 2022, [Chunk 9], [Chunk 10], [Chunk 17], [Chunk 19], [Chunk 20]).
   • Consent can be express (oral or written) or implied in certain data sharing agreement circumstances (Data Availability and Transparency Code 2022, [Chunk 9], [Chunk 17]).

2. Consumer Data Right (CDR) Specifics:

   • The Competition and Consumer Act 2010 establishes the Consumer Data Right (CDR), giving you the right to authorize secure access to your data by accredited third parties (Consumer Data Right (Non-Bank Lenders) Designation 2022, [Chunk 6], Consumer Data Right (Telecommunications Sector) Designation 2022, [Chunk 6], Consumer Data Right (Energy Sector) Designation 2020, [Chunk 5]).
   • The Competition and Consumer (Consumer Data Right) Rules 2020 outline specific requirements for seeking consent under the CDR:
     • Consent must be voluntary, express, informed, specific, time-limited, and easily withdrawn (Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, [Chunk 35]).
     • Accredited persons asking for consent must have processes that are easy to understand, using concise language and visual aids where appropriate (Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, [Chunk 35], Competition and Consumer (Consumer Data Right) Rules 2020, [Chunk 42]).
     • Processes must not include the accredited person's CDR policy in a way that reduces comprehensibility, or bundle consents with other agreements (Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, [Chunk 35], Competition and Consumer (Consumer Data Right) Rules 2020, [Chunk 42]).
     • You must be allowed to choose the types of data to which the consent applies, the specific uses of the data, and the period of consent (Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, [Chunk 35], Competition and Consumer (Consumer Data Right) Rules 2020, [Chunk 42]).
     • Pre-selected options are not allowed (Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, [Chunk 36]).
     • You must be informed of the accredited person's name and accreditation number, how the data collection and use comply with the data minimization principle, and information about fees, withdrawal of consent, and redundant data (Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, [Chunk 36]).
     • You must be allowed to elect for deletion of redundant data (Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, [Chunk 36], Competition and Consumer (Consumer Data Right) Rules 2020, [Chunk 42]).

3. Specific CDR Consents:

   • Collection Consent: Permission for an accredited person to collect your CDR data from a CDR participant (Competition and Consumer (Consumer Data Right) Rules 2020, [Chunk 36]).
   • Use Consent: Permission for an accredited person to use your CDR data for specific purposes (Competition and Consumer (Consumer Data Right) Rules 2020, [Chunk 36]).
   • Disclosure Consent: Permission for an accredited person to disclose your CDR data to another person (Competition and Consumer (Consumer Data Right) Rules 2020, [Chunk 36]). An accredited person must not ask a CDR consumer to give a disclosure consent unless the consumer has already given the collection and use consents required to collect the CDR data to be disclosed (Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, [Chunk 35]).

4. Data Minimisation Principle:

   • Data collection and use must adhere to the data minimisation principle (Competition and Consumer (Consumer Data Right) Rules 2020, [Chunk 36]). This means that only data that is reasonably needed should be collected, and only for a time period that is reasonably needed (Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, [Chunk 36]).

5. Privacy Safeguards:

   • The Competition and Consumer Act 2010 includes privacy safeguards to protect your data, including restrictions on the use, collection, and disclosure of information received through the CDR rules (Consumer Data Right (Non-Bank Lenders) Designation 2022, [Chunk 6], Consumer Data Right (Telecommunications Sector) Designation 2022, [Chunk 6], Consumer Data Right (Energy Sector) Designation 2020, [Chunk 5]).

6. Telecommunications Sector Limitations:

   • In the telecommunications sector, the designation instrument specifically limits the amount of data that can be captured by the CDR and excludes location and content of communications to address privacy risks (Consumer Data Right (Telecommunications Sector) Designation 2022, [Chunk 7]).