Consumer Data Right Policy #
Last Updated: September 13, 2024
About the CDR #
The Consumer Data Right (CDR) is an economy-wide regime that gives consumers access to, and control over, their data (CDR data). The regime also enables consumers to obtain products and services from accredited persons using CDR data.
CDR is jointly regulated by the Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC). The legislative framework includes the Competition and Consumer Act 2010 and the Competition and Consumer (Consumer Data Right) Rules 2020.
About this Policy #
All Data Holders and Data Recipients are required to provide a consumer-facing CDR Policy. As a Data Recipient, Biza provides this CDR Policy to you as a consumer free of charge. It is made publicly available on our website and referenced within Biza’s ADR software application(s) and associated consumer dashboard. If you would like to receive an electronic or hard copy of this policy, let us know via our Contact form or by emailing contact@biza.io.
Providing Consent #
Within the CDR it is your choice whether you consent to share your data with a Data Recipient. If you provide consent for Biza to collect your data, we’ll only use it for the purpose you agreed to. We will only retain your data beyond the stated purpose if we are required to do so under Australian law and, in any event, your data will not leave Australia.
The legislation and rules associated with the Consumer Data Right give you the right to choose:
- what data types you share (such as customer information, account and transaction information);
- how long you share the data for;
- whether you wish to receive direct marketing related to the data shared;
- whether your data will be deleted entirely or used in a de-identified way.
Each consent granted can last for a maximum of twelve (12) months. At any point during the consent period you can choose to withdraw your consent using the dashboard supplied by Biza as a Data Recipient, our Representatives or the Data Holder you provided consent to disclose from.
After the consent expires you can choose to extend it further. If you don’t actively choose to extend your consent it will be automatically withdrawn.
You may view and manage your consent using the consent dashboards made available either through Biza as a Data Recipient or the service provider (Data Holder) you chose to share the data from.
Collecting your CDR Data #
The types of data Biza requests you to share will vary depending on the service being offered. We will always clearly explain which types of data we need and why we require them before asking for your consent. You may withdraw your consent at any time, although this action may affect our or our Representatives’ ability to provide service to you.
Biza adheres to the data minimisation principle and as such we only collect data necessary to provide a specified product or service to you and will only hold it for the amount of time required to provide the service.
As an Accredited Data Recipient at the Unrestricted level, Biza is permitted to access data from all designated CDR sectors following appropriate consumer (i.e. your) consent. The types of data currently available within the Consumer Data Right are prescribed and are referred to within the industry as data clusters; these are summarised below.
Common Data #
Name, occupation, contact details #
For Individual consumers:
- Full Name and title(s)
- Occupation
- Phone Numbers
- Email addresses
- Mail addresses
- Residential addresses
Organisation profile and contact details #
For Business consumers:
- Agent name and role
- Organisation name
- Organisation numbers (ABN or ACN)
- Charity status
- Establishment date
- Industry
- Organisation type
- Country of registration
- Organisation address
- Mail address
- Phone number
Banking Data #
Account balance and details #
- Name of account
- Type of account
- Account balance
- Account number
- Interest rates
- Fees
- Discounts
- Account terms
- Account mail address
Transaction details #
- Incoming and outgoing transactions
- Amounts
- Dates
- Descriptions of transactions
- Who you have sent money to and received money from
Direct debits and scheduled payments #
- Direct debits
- Scheduled payments
Payees #
- Names and details of accounts you have saved
Energy Data #
Account and plan details #
- Account and plan information
- Account type
- Fees, features, rates and discounts
- Additional account users
Concessions and assistance #
- Concession type
- Concession information
Payment preferences #
- Payment and billing frequency
- Any scheduled payment details
Billing payments and history #
- Account balance
- Payment method
- Payment status
- Charges, discounts, credits
- Billing date
- Usage for billing period
- Payment date
- Invoice number
Electricity connection and meter #
- National Meter Identifier (NMI)
- Supply address
- Customer type
- Connection point details
- Meter details
- Associated service providers
Electricity usage #
- Usage
- Meter details
Energy generation and storage #
- Generation information
- Generation or storage device type
- Device characteristics
- Devices that can operate without the grid
- Energy conversion information
Control of your data #
You are in control of your data at all times. You may withdraw consent for us to collect and use your data at any time through our consent dashboard, your provider’s dashboard or in writing to either party. Biza will not sell your data to anyone. We will not provide your data to any third party without telling you first and asking for your permission.
Where your data is stored #
Your data is held by Biza in our secure and audited environment. Biza only stores your data in Australia, does not hold hard copies of CDR Data and does not share data to any parties outside of Australia, including our Outsourced Service Providers and Representatives.
Data contained in backup systems is only accessible to authorised Biza personnel in accordance with our business continuity procedures. Backups are held for seven years after which they are destroyed.
Correcting or Deleting your Data #
If any of your CDR data is wrong, you have the right to ask us to correct it. If Biza has incorrectly collected or provided your data, let us know and we’ll do our best to fix it right away. If the data was incorrectly provided by your bank or energy company you can ask them to correct it for you. Once they’ve done this, we can collect it again for you.
During the consent process you can also request that your CDR data, along with any derived data, is deleted as soon as it becomes redundant unless we are required to retain it by law. By default we assume that redundant and derived data is deleted.
Withdrawing Consent #
You can withdraw your consent at any time through the following methods:
- Using Biza’s or our Representatives’ CDR Dashboard; or
- Using your Bank’s or Energy Provider’s CDR Dashboard; or
- In writing to either party.
If you use the CDR Dashboard to withdraw your consent, the status of your consent will be updated immediately and reflect the outcome of your request. If you request to withdraw consent in writing, this is expected to be completed by either party within two business days.
Withdrawing your consent could impact the services provided by us or our Representatives.
Once your consent expires or is withdrawn we will immediately delete any CDR data we might hold in our systems - unless we’re required to retain it under Australian law.
During data deletion, we will also automatically notify any Outsourced Service Provider or CDR Representative with whom your data has been shared of the withdrawal or expiration, requiring them to destroy your data as well. Deletion by these third parties is managed through contractual arrangements, regular attestations and technical controls.
Ongoing Notifications #
You will receive notifications every 90 days confirming the data you have shared, when it will expire and other consent information as required by the CDR Rules. You will also receive these notifications whenever:
- You grant consent to collect or disclose CDR data;
- You extend your consent;
- You make changes to your consent;
- You withdraw your consent;
- Your consent expires.
We appreciate that you may not wish to receive these notifications; however, at this stage we are not permitted to allow you to opt out of them.
Disclosing your data to third parties #
Outsourced Service Providers #
Biza leverages some third parties, referred to as outsourced service providers (OSPs). We are required to disclose details of OSPs we use for CDR. Should this change, this Policy will be updated.
Outsourced Service Provider | Nature Of Services Of OSP | Classes Of Data That May Be Disclosed To It |
---|---|---|
Amazon Web Services | Hosting Of Biza’s technical infrastructure | None |
Microsoft Azure | Hosting Of Biza’s technical infrastructure | None |
Rackspace Technology | Operational Monitoring and Response | None |
If we share your data with an Outsourced Service Provider this is because we have a written agreement to do so. We will disclose this clearly to you during the establishment of your consent.
CDR Representatives #
All of Biza’s CDR Representatives are required to be registered with the ACCC and made available on the Register of Accredited Persons. If your data is shared with one of our CDR Representatives, it is because you have provided consent to do so. CDR Representatives are contractually obligated to treat CDR Data in accordance with this policy.
Below is a list of our CDR Representatives including the nature of services provided and the CDR Data we allow them to access through our platform:
CDR Representative | Nature Of Services Of Representative | Permitted Data Clusters |
---|---|---|
WHAT POWERS US? PTY LTD t/a Automised Energy | Energy comparison and optimisation service | All Energy & Common Data Clusters |
Making a complaint #
Concerns or complaints about how your data is handled by Biza may be made at any time via email to complaints@biza.io.
In order to investigate and provide a response to you we will need your name, contact information and details of the complaint.
We will acknowledge your complaint within 1 business day and aim to resolve it within 5 business days.
Depending on the nature of the complaint and our joint availability to discuss the matter, this process may take longer. If the complaint has not been resolved within 10 business days, we will inform you that we need more time to investigate and provide an expected outcome date.
We will notify you of the final outcome of your complaint within 20 business days. At this time we will also provide information to you about your right to access an external dispute resolution service and to lodge a complaint with the Australian Financial Complaints Authority (AFCA) or The Office of the Australian Information Commissioner (OAIC) should you wish to do so.
The Australian Financial Complaints Authority
GPO Box 3
Melbourne, VIC 3001
Phone: 1800 931 678
Email: info@afca.org.au
Online: afca.org.au
The Office of the Australian Information Commissioner (OAIC)
GPO Box 5218
Sydney NSW 2001
Phone: 1300 363 992
Email: enquiries@oaic.gov.au
Online: oaic.gov.au