Introduction to the Consumer Data Right (CDR)

The Consumer Data Right (CDR) regulates the collection and handling of CDR data in line with privacy safeguards and rules that:

• Ensure users' data is managed securely.
• Provide users with control over how their data is shared and used.

Accredited Data Recipients (ADRs)

An Accredited Data Recipient (ADR) is an organisation approved under the CDR framework to receive and manage consumer data securely. ADRs are required to adhere to strict privacy and security rules, ensuring that the consumer's data is used only with their consent. ADR and ADR rep/ (Partners) are expected to;

• Transparently disclose how data is used.
• Ensure secure storage and transfer of consumer data.
• Implement privacy safeguards to protect user consent.

Key Benefits for Users

• Choice and Control: Users decide what data to share, how it’s used, and who it can be disclosed to.
• Manage Consent: Users can view, modify, or revoke consents at any time.
• Data Deletion Requests: Users can request data deletion or de-identification.

Data Usage under CDR

We may use the data collected under the CDR framework for:

• Services: Enabling the ability to connect to your bank to retrieve your bank account details to service requests.     
• Operational Purposes: Preventing fraud, detecting abuse, and generating analytical insights using de-identified data.
• Communication: Sending updates and notifications aligned with user preferences.

Consent management

When you give consent, the consent period will be valid for 3 days and will automatically expire after 3 days have passed. You can easily manage your consent at any time—whether that means reviewing, updating, or withdrawing it—using any of the following methods:

1. Submitting your request using the enquiry form via SuperOnline, or
2. Calling us on 1300 066 133.

Data retention and de-identification

You have the right have the right to request data deletion at any time.

Upon withdrawal of consent:

• Your data will be securely deleted or de-identified, depending on your consent
• Redundant data will be destroyed (except for specific use cases when we are required by law to retain it for a longer period)
• We will ensure that any third-party processors will securely erase any shared data

De-identification process

De-identification involves removing identifiable information while retaining anonymised data for operational purposes, such as analytics and fraud prevention. Steps include:

• Removing your personal information from transactions
• Stripping timestamps and descriptions that reveal specific details
• Aggregating data to ensure anonymity

We may use de-identified data for improving services, creating insights, and operational analysis.

Retention Policy

We will always:

• Ensure your data is retained in line with the required legislative requirements as mandated of a superannuation fund.