Consumer Data Right sponsored accreditation – information security self assessment and attestation

Closed 8 Nov 2021

Opened 15 Oct 2021


Overview

Version 3 of the Competition and Consumer (Consumer Data Right) Rules 2020 (Rules) introduces new ways businesses can participate in the CDR and includes sponsored accreditation.

The sponsored level of accreditation removes the requirement to provide an independent third party assurance report to demonstrate that applicants satisfy the information security requirements.

Instead, where a business has, or will have, an arrangement with an unrestricted accredited person (their sponsor) the business may apply for accreditation and self-assess and attest that they satisfy the information security requirements set out in Schedule 2 of the Rules.

The sponsored level of accreditation will be available to participants from 1 February 2022.

We seek your feedback on:

  • the draft information security self-assessment and attestation form, and
  • the proposed information security reporting obligations.

Further details are below.

Draft self-assessment and attestation form

The ACCC has developed a self-assessment and attestation form which will be required to be completed and uploaded as part of a sponsored accreditation application. This will enable businesses seeking accreditation to self-assess and attest that they satisfy the information security requirements set out in Schedule 2 of the CDR Rules.

The draft self-assessment and attestation form is provided as an attachment at the bottom of this page under the heading "Related".

The proposed self-assessment and attestation form details how an applicant must perform an assessment to confirm they meet their information security obligations in relation to their CDR data environment. Applicants are required to complete 3 sections set out in the form in order to demonstrate they satisfy the information security obligations:

  • Description of System - Applicant and proposed sponsor details (if applicable)
  • CDR Data Environment - Compliance with the information security governance requirements set out in Schedule 2 Part 1 of the CDR Rules
  • CDR Controls Questionnaire - Testing of the design and implementation of the CDR information security controls set out in Schedule 2 Part 2 of the CDR Rules.

Sponsored accreditation applicants will only need to complete sheet C3A in the Controls Questionnaire which covers the design and implementation for each control as at a point in time.

Ongoing information security reporting obligations

To meet ongoing information security reporting obligations in accordance with Schedule 1, sponsored-level accredited persons will self-assess and attest using this same form, but will need to complete both sheets C3A and C3B.

The C3B CDR Controls Questionnaire sets out what is required to demonstrate operating effectiveness of each control. That is, an assessment of how the control operates over a period of time.

We propose that the ongoing information security reporting obligations are consistent with the unrestricted level, in that a full self-assessment and attestation form (covering the design, implementation and operating effectiveness of controls) will be required every second year, with a simpler written attestation statement provided in the alternate year.

Confidentiality

Submissions will be published on the ACCC website at the end of the consultation period unless a claim for confidentiality is made and accepted, or a submission is withdrawn.

Please mark any information that you believe to be of a confidential nature and provide reasons why this information should be treated confidentially. If the ACCC accepts your confidentiality claim, it will not publish or disclose the confidential information to third parties, other than advisors or consultants engaged directly by the ACCC, without first endeavouring to provide you with notice of its intention to do so, wherever possible, such as where it is compelled to do so by law.

If the ACCC rejects your confidentiality claim, you will be given the opportunity to withdraw your submission before it is published, or any information is disclosed.

The ACCC's information policy includes information on the collection and disclosure of information.
