This Consumer Data Right (CDR) Policy (the Policy) explains how Skript Pty Ltd (Skript) can collect, use, hold and disclose your data that you consent to sharing with us. This ensures transparency and trust between all parties, as well as ensuring the quality, integrity and security of your personal information under applicable CDR legislation and Privacy Laws.
In order to access customer banking data, an account holder must be identifiable, or ‘reasonably identifiable’ and the data requested from the bank accounts nominated relates to them and is appropriate for that persons use. This includes banking data from a joint account.
What is the CDR?
The rules for Open Banking are defined by the Consumer Data Right (CDR) which aims to provide greater choice and control for Australians over how their data is used and disclosed. The CDR gives you control about the data that you share with other banks and financial institutions. It helps you send your data to other companies with your full consent, knowledge and control in a secure way. The intention is that you can help find the best products, prices, suitable and to help switch to new products and services.Open Banking will allow you to ask that your data be sent to other banks, financial institutions and authorised organisations when you want to. You control who holds your data and how it is used.
Your Rights as a Consumer Regarding Your Data
As a consumer you have control over who you can share your data with. Any data recipient is accredited by the ACCC and is subject to ongoing processes, internal dispute resolution, information security, service-level agreements, audit and other requirements by the Data Accreditation Body.You may choose to share your data that is held by an existing data holder (for example, a banking institution) with an accredited data recipient (for example, another banking institution or a fintech).
Granting and Managing Consent
Should you choose, you can consent to share your data with a data recipient.
You have rights to choose the following about sharing:
which data types (for example, profile, payments, transaction or product information);
how long you will share your data for, whether one-off share or ongoing sharing;
whether you opt in to receiving direct marketing related to the data shared;
election of deletion of redundant data, if an alternative de-identification of data is offered.
Consent may only last for a maximum of twelve (12) months, until the time that you withdraw consent, re-grant consent or the consent expires.
You may view and manage your consent in the consent dashboard of either of the organisations that receive or send your data.
You may withdraw your consent at any time. You can withdraw your consent in multiple ways, including:
Through the data recipient consent dashboard;
Through the data holder consent dashboard; or
In writing to either party.
The consent revocation must be completed within two business days if notified in writing. If revocation occurs through the consent dashboard, the dashboard will be updated in near real-time to reflect your change in consent status (for example, active, expired or withdrawn).
If the consent is withdrawn, we will delete your data.
If you withdraw your consent, the services provided to you by the Data Recipient may cease.
Deletion of Your Data
Legislation requires that Skript adheres to the data minimisation principle, which requires that only the required data is held as long as needed. This is related to the purposes stated for data capture.
If you give consent to an accredited data recipient to collect and use their CDR data, you may elect that your collected data, and any data derived from it, be deleted when it becomes redundant. This can be managed when consent is given or during the consent lifecycle before consent is withdrawn or expired.
Accessing and correcting your personal information
A user can request correction of their data through the contact us channels listed below.
Sufficient details must be provided in order to assess and correct the data that is incorrect. If notified by phone or email, Skript will update the consumer dashboard, as soon as practical, with the request and later with the notification of the corrective action if applicable.
Once assessed, notice is given over email and the consumer’s dashboard. The notice sets out what Skript did in response to the request, any corrective action or comments, and the complaint mechanism available to the consumer if they are not satisfied.
Notifying CDR consumer
Skript does not make a consumer’s banking data accessible or visible to outside organisations. Skript employs stringent up to date information security practices.
In the event of a data breach e.g. someone gaining unauthorised access which results in loss of CDR data, we would notify a CDR consumer as soon as practical in order for the consumer to take appropriate action if required.
Skript does not disclose your data to any parties. Skript develops and maintains all software products in-house for use with banking data collected under the CDR Rules.
Where Your Data is Stored
Your data is stored onshore. Copies of your data are only stored in Australia.
Making a Complaint
If you believe that there has been a breach of the CDR rules by Skript, please submit your CDR consumer data complaint via email to email@example.com
Please include the following information when submitting your complaint.
Your contact details
Your preferred contact method of complainant (phone / email / letter)
The details of your complaint
A CDR complaint can be made at any time. Once your complaint is received, Skript will acknowledge receipt of the complaint within five (5) business days of being received.
Skript will investigate your complaint and attempt to provide you with a written response to resolve the complaint, within thirty (30) calendar days of receipt of your complaint.
If your complaint remains unresolved after thirty (30) calendar days, you will be advised in writing that additional time is required to complete the investigation and to provide a response.
When the complaint is resolved, you will receive a ‘final response’ letter within 45 days, informing you of:
the final outcome of your complaint or dispute;
your right to take their complaint or dispute to External Dispute Resolution; and
if you are not satisfied with the response, you may lodge a complaint with the Australian Financial Complaints Authority.
If your complaint remains outstanding within forty-five (45) days, Skript must write to you to:
inform you of the reasons for the delay;
specify a date when a decision can be reasonably expected;
informs your of your right to take your complaint or dispute to an External Dispute Resolution; and
if you are not satisfied with our response, you may lodge a complaint with the Australian Financial Complaints Authority.
You can contact us in the following ways:
24th June, 2021