Introduction to the Consumer Data Right (CDR)

The Consumer Data Right (CDR) regulates the collection and handling of CDR data in line with privacy safeguards and rules that:

• Ensure users' data is managed securely.
• Provide users with control over how their data is shared and used.

Accredited Data Recipients (ADRs)

An Accredited Data Recipient (ADR) is an organisation approved under the CDR framework to receive and manage consumer data securely. As an ADR, TelstraSuper is required to adhere to strict privacy and security rules, ensuring that our members’ data is used only with their consent. We are expected to;

• Transparently disclose how data is used.
• Ensure secure storage and transfer of your data.
• Implement privacy safeguards to protect your consent.

Key benefits for our members

• Choice and control: You decide what data to share, how it’s used, and who it can be disclosed to.
• Manage consent: You can view, modify, or revoke consents at any time.
• Data deletion requests: You can request data deletion or de-identification.

Data usage under CDR

We may use the data collected under the CDR framework for:

• Services: Enabling you to connect to your bank to retrieve your bank account details to service requests.
• Operational purposes: Preventing fraud, detecting abuse, and generating analytical insights using de-identified data.
• Communication: Sending updates and notifications aligned with user preferences.

Consent management

When you give consent for your CDR data to be retrieved through Basiq, your consent will be valid for 3 days and will automatically expire after 3 days. You can easily review, update, or withdraw your consent at any time by:

1. Submitting your request using the enquiry form via SuperOnline, or
2. Calling us on 1300 033 166.

Data retention and de-identification

You have the right to request data deletion at any time.

When you do so:

• Your data within Basiq will be securely deleted or de-identified, depending on your instructions
• Redundant data within Basiq will be destroyed (except for specific use cases when we are required by law to retain it for a longer period)
• Basiq has informed us that it will securely erase shared data with any third-party processors

De-identification process

De-identification involves removing identifiable information while retaining anonymous data for operational purposes, such as analytics and fraud prevention. Steps include:

• Removing your personal information from transactions
• Stripping timestamps and descriptions that reveal specific details
• Aggregating data to ensure anonymity

We may use de-identified data for improving services, creating insights, and operational analysis.

Retention Policy

TelstraSuper will retain your data in line with required legislative requirements and TelstraSuper’s Privacy Policy and Privacy Collection Statement. A copy of our Privacy Policy and Privacy Collection Statement is available at telstrasuper.com.au or by calling 1300 033 166.