Consumer Data Right (CDR) Policy
We’re committed to being as open and honest as possible when it comes to how we deal with your information. This CDR Policy explains what information is shared through the Consumer Data Right, how you can access or correct information we hold about you, how to make a complaint and how we deal with complaints.
For information on how we manage your personal information generally and the rights you have under the Privacy Act, please refer to our Privacy Policy. Both Policies are available via www.gsb.com.au/privacy-policy or in hardcopy on request.
Legal Background
The Consumer Data Right is embedded within the Competition and Consumer Act and the Privacy Act. It’s designed to provide customers with the ability to access information banks and some other service providers hold about them and to share that information with others. The Consumer Data Right is highly regulated to ensure customers and businesses can benefit from sharing their information while minimizing privacy risks. The rules in place set out the obligations for businesses that hold your data (Data Holders like Great Southern Bank), those that want to collect your data (Accredited Data Recipients) and those that facilitate the transfer (Designated Gateways).
What information is available?
Product information
Information about our saving, transaction, term deposit, credit card, personal loan, home loan, overdraft and line of credit products including features, eligibility, rates and fees is called Product Reference Data. It doesn’t include information about identifiable customers.
Customer information
Consumer Data Right Data (CDR Data) is information about the identity, contact details, products, account numbers, account balances, scheduled payments, payees and recent transactions of identifiable customers. For business customers, CDR Data also includes the business name, business type and the ABN/ACN. CDR Data can only be shared with the customer’s consent, or the consent of someone they’ve authorised to share their data.
Data sharing authorities
There are two situations where someone else can consent to sharing your information. The first is where another joint account holder authorises data sharing on a jointly held account. The second situation is where you appoint a data sharing delegate on one or more of your accounts. You can only appoint a delegate who is over 18, an existing signatory on the account and registered for online banking.
Business customers who want to share data will need to appoint a data sharing delegate on the relevant business accounts. We’ll let you know by SMS or email if someone else sets up data sharing on your accounts. You can log into online banking at any time to stop these data sharing arrangements and/or remove a data sharing delegate’s authority over your account.
How does it work?
Another business may ask you to share your information so that they can offer you their products or services. They will ask for your consent to collect that information and will then forward that consent on to us. We’ll then contact you to verify your instructions before releasing the information.
It’s important that you understand what information the organisation is collecting and why they’re asking for it. Every organisation participating in CDR must have a CDR Policy so before you consent to sharing your information you should read their CDR Policy. You can ask us to stop sharing your information, including information on joint accounts, at any time and the easiest and quickest way to do this is through online or mobile banking, or through the business banking app where applicable. Please be aware that any information we’ve already shared may still be held by the recipient.
Your services may be impacted if you stop sharing your data so you should check with the data recipient before ending a data sharing arrangement. Please note, we don’t currently accept requests for voluntary product data or voluntary consumer data.
When we will send you notifications
If you participate in CDR, we’ll tell you when you enter a new data sharing arrangement and when you withdraw or amend an existing data sharing consent. We’ll also let you know each time we share your information and when any data sharing arrangements are approaching expiry. Some of these notifications will be by email or SMS, while others may be through the CDR dashboard in online banking or via the business banking app. Mandatory privacy breach reporting also applies to CDR, which means that we’ll tell you if your information is lost or stolen in circumstances where you’re likely to suffer serious harm. More information on the mandatory breach reporting is available at www.oaic.gov.au.
Access and Correction Requests
Product Reference Data can be accessed by any person or business through a Product Data request service.
By contrast, we’ll only ever share a customer’s CDR Data with consent unless otherwise required by law. A practical example of how to access your CDR Data is by authorising us to share your CDR Data such as transaction information and records with an Accredited Data Recipient if you are applying for a product with them.
If you believe the information we hold or have shared is inaccurate, incomplete or out of date you can ask us to correct it. You can do this by calling us on 133 282 or visiting your nearest branch. If you’re a business banking customer you should contact us through the business banking app. We don’t charge a fee for considering correction requests. We’ll acknowledge a request to correct information as quickly as possible and within ten business days we’ll either update the information, include a qualifying statement with it or leave it as it is if we believe it to be correct. Our written response will let you know which option we chose, and if we haven’t changed your information we’ll let you know why. Our response will also provide you with information on how to make a complaint about the way we handled your request.
Complaints and Feedback
If you believe that we haven’t met our obligations under the Consumer Data Right and wish to make a complaint, you can do so by calling us on 133 282 or visiting your nearest branch. If you’re a business banking customer interacting with us primarily through the banking app we again recommend that you use the app to make your complaint.
When contacting us, please provide enough information so that we can identify you, understand the nature of the complaint and investigate it. Please also let us know your preferred outcome. We’ll acknowledge your complaint within two business days and will try to resolve it as quickly as possible. We’ll ensure that you’re kept updated as our investigation progresses and the options for resolving the matter will depend on the outcome of our investigation and the nature of the complaint.
If your complaint isn’t resolved to your satisfaction you can refer the matter to our Customer Advocates by calling 07 3552 4743, by emailing customeradvocacy@gsb.com.au or by writing to Member Advocacy, GPO Box 100, Brisbane QLD 4000.
If your complaint relates to data quality, we might correct your information or give reasons why it won’t be changed. Resolution may also include an apology where appropriate. If you’re dissatisfied with our complaint handling processes or the proposed outcome you may escalate your complaint to one of the following bodies:
Australian Financial Complaints Authority
Address: GPO Box 3, Melbourne VIC 3001
Website: www.afca.org.au
Email: info@afca.org.au
Tel: 1800 931 678
Office of the Australian
Information Commissioner.
Address: GPO Box 5218, Sydney NSW 2001
Website: www.oaic.gov.au
Email: enquiries@oaic.gov.au
Tel: 1300 363 992