CDR Policy
Last updated: 21.06.2024
- CDR Policy Overview
This Consumer Data Right (CDR) Policy (the Policy) explains how BillWill can collect, use, hold and disclose the data that you consent to share with us. This ensures transparency and trust between all parties. It also ensures the quality, integrity and security of your personal information under applicable CDR legislation and Privacy Laws.
Please refer to the Privacy Policy on our website for information on our management of your personal information.
- What is the CDR?
The CDR (Consumer Data Right) gives you control over the data that you share with banks and financial institutions. This is often referred to as Open Banking. It’s a secure way for you to send your data to companies with your full consent, knowledge and control. The intention is to help you find the best products and pricing, and to help you switch to new products and services.
Open Banking will allow you to ask that your data be sent to other banks, financial institutions and authorised organisations when you want to. You control who holds your data and how it is used.
BillWill’s mission is to lighten the administrative load left behind by reducing the uncertainty and administrative burden of a time of grief and stress. BillWill is one last gift to your loved ones.
We provide utility account management features that can access your personal banking information securely via the government’s Open Banking initiative. We use these to identify subscriptions and billers to close or transfer after your death.
- Your rights as a consumer regarding your data
As a consumer you have control over who you share your data with. Any data recipient is accredited by the ACCC and is subject to:
- ongoing processes;
- internal dispute resolution;
- information security;
- service-level agreements;
- audits; and
- other requirements by the Data Accreditation Body.
You may choose to share your data that is held by an existing data holder (like a banking institution) with an accredited data recipient (like another banking institution or fintech).
- Granting and managing consent
Should you choose, you can consent to share your data with a data recipient.
CDR Legislation and Privacy Law give you the right to choose how you share your data, including:
- which data types (like customer information, payments, transaction or account information);
- how long you’ll share your data for: as a once-off or ongoing;
- whether you want to receive direct marketing related to the data shared; and
- whether your data will be deleted or de-identified.
Consent can only last for a maximum of twelve (12) months. After 12 months your consent expires and you can either re-confirm your consent or explicitly withdraw your consent. If you don’t actively state your preference, your consent will automatically be withdrawn.
You may view and manage your consent in the consent dashboard of either of the organisations that receive or send your data. The three types of consent status are: active, expired or withdrawn.
- Data you may share with us
You can consent to share your data with BillWill or other CDR regulated customers (accredited persons).
BillWill will collect, hold and use your data in accordance with the purpose of the service we are providing (see scope). CDR data is held and stored on your behalf in secure systems, located in Australia. We do not share this information with anyone else without your consent.
We may hold and use the following types of data to provide services through our web applications:
Banking data
Transaction details
- Incoming & outgoing transactions
- Amounts
- Dates
- Descriptions of transactions
- The account name of who you have sent money to and received money from (e.g. their account name and number, and BSB)
Direct debits and scheduled payments
- Direct debit authorisations
- Scheduled, outgoing payments
- Withdrawing consent
You can withdraw your consent at any time. This can be done in three (3) ways:
- Through our consent dashboard;
- Through the financial provider’s consent dashboard; or
- In writing to either party.
If you use the consent dashboard to withdraw your consent, the status of your consent will be updated in near real-time and reflect your change almost immediately. If you choose to withdraw your consent in writing, this will be completed by the data recipient or data holder within two business days.
If you withdraw your consent, we’ll delete your data. However, some services require your active consent, and withdrawing consent could mean the services provided by the data recipient may cease.
- Events for consent notifications
You’ll receive a notification every 90 days to confirm the data you have shared, the expiry date and other consent information. You’ll also receive a notification with a summary of these details any time you:
- Grant consent;
- Commence allowing BillWill to collect CDR data;
- Commence allowing BillWill to disclose CDR data;
- Manage consent;
- Withdraw consent; or
- Your consent has expired.
You may not opt out of these notifications at any time.
- Deletion of your data
BillWill adheres to the data minimisation principle. This principle outlines that a data recipient can only ask you for data that is absolutely necessary and can only hold it for the minimum amount of time it is needed to provide their service.
Any time you give consent to a data recipient, you can also request that your CDR data, and any data derived from it, be deleted as soon as it becomes redundant. This can be managed when you first give consent or at any time your consent status is active.
We’ll only use your data for the purpose you have agreed to, and we will delete it after it has been used for that purpose. BillWill does not hold any redundant data.
When you withdraw data sharing consent or your consent expires, we’ll automatically irretrievably destroy your data within seconds. We’ll also automatically notify any Outsourced Service Provider or CDR Representative with whom your data has been shared and require them to irretrievably destroy your data as well. Deletion by third parties is managed through contracts and regular attestations.
- Disclosing your data to outsourced parties
Outsourced Service Providers
BillWill leverages some third parties, referred to as outsourced service providers (OSPs). We are required to disclose details of OSPs we use for CDR. Should this change, this Policy will be updated.
BillWill does not hold hard copies of CDR data. During business continuity events, redundant data is irretrievably destroyed before restoring service. Your data contained in backup systems is not accessible to anyone without invoking business continuity procedures, which may occur during a significant disaster or cyber security event. Backups are held for seven years after which they are destroyed.
| Outsourced Service Provider | Nature of services of OSP | Classes of data that may be disclosed to it |
| --- | --- | --- |
| Amazon Web Services | Hosting BillWill’s infrastructure and platform | None |
| Hello Again | Web App development | None |
| Obietech Pty Ltd | Categorisation-as-a-Service Solution and Insights-as-a-Service Solution | All clusters of banking data |
| ADATREE | CDR Representative | All clusters of banking data |
If we share your data with an accredited person, this is because we have a written agreement with them to collect data on their behalf. This will be clear to you in the consent granting process.
- Where your data is stored
Your data is held by BillWill in our secure and audited environment. BillWill only stores your data in Australia. BillWill does not share data with accredited parties based outside of Australia.
Any data shared with one of our OSPs is processed in Australia.
- Correction of your data
If any data that you share with BillWill is incorrect, you can request correction of your data using the BillWill contact details listed below. You can also ask the Data Holder (the business you authorised to share data with us) for access to your CDR data and, if required, to correct it.
When requesting a correction, be sure to provide specific details so we can assess the issue and make the right corrections. Once we’ve assessed your request, we will make the adjustments and reply to your email with a description of the changes we’ve made. You will also have the opportunity to make a complaint if you’re unsatisfied.
- Events for notifying you
In the event of a data breach (such as where an unauthorised party accesses your CDR Data), we will notify you as soon as practical. This is so you can take action to mitigate any potential damage or loss caused by the data breach.
If this occurs, we will:
- Contain the data breach to prevent any further leak of personal information;
- Investigate the data breach by gathering the facts and taking action to reduce any risk of harm;
- Notify the Commissioner if the breach is an ‘eligible data breach’ under the Notifiable Data Breach scheme; and
- Review the incident and improve our processes, policies and controls to prevent future breaches.
- Resolving your privacy concerns and complaints – your rights
If you have a question or complaint about how your personal information is being handled by us, our affiliates or outsourced service providers, please contact us at any time by using the contact details below.
Please include the following information with your complaint.
- Your name;
- Your contact details;
- The details of your complaint.
Once we receive your complaint, we will acknowledge it as quickly as possible (one business day) and let you know if any further information is needed to resolve your complaint.
We will assess whether the complaint can be addressed immediately, investigate if more details are required, determine the most appropriate remedy and communicate the proposed remedy to the complainant. A potential remedy could include a formal apology or a correction of details.
We aim to resolve complaints as quickly as possible, but some complaints take longer to resolve than others. If your complaint has taken longer than five (5) business days to resolve we will send you an update of our progress and include an updated timeframe of when you can reasonably expect a response.
If BillWill does not resolve the dispute within 5 business days, then BillWill will provide an internal dispute resolution (IDR) response no later than 30 days after receiving the complaint. If the complaint is particularly complex or there are circumstances beyond BillWill’s control which are causing the delay, then BillWill will provide an ‘IDR delay notification’ which informs the complainant about the reasons for the delay, their right to complain to AFCA if they are dissatisfied and the contact details for AFCA.
If you’re unhappy with our response you can request an independent review with our Complaints Officer by emailing complaints@billwill.com.au.
Raising your issue with our Complaints Officer does not limit you from raising your issue at any time with external disputes schemes or relevant regulators.
Under the Privacy Act you may complain to the Office of the Australian Information Commissioner (OAIC) about the way we handle your personal information. Please note the OAIC requires that any complaint first be made to the respondent organisation. Australian law allows 30 days for the respondent organisation to deal with the complaint before any complaint is made to the OAIC.
The Commissioner can be contacted at:
Office of the Australian Information Commissioner
GPO Box 5218
Sydney NSW 2001
Phone: 1300 363 992
Email: enquiries@oaic.gov.au
Online: www.oaic.gov.au
The Australian Financial Complaints Authority (AFCA) can consider certain privacy complaints relating to either the provision of credit or credit reporting information in general.
The contact details for AFCA are set out below:
Phone: 1800 931 678 (free call)
Email: info@afca.org.au
Online: www.afca.org.au
Mail: Australian Financial Complaints Authority GPO Box 3 Melbourne VIC 3001
More details of our complaints process are outlined in our Complaints Policy.
- Availability of policy
This policy is available electronically via our website: billwill.com.au/cdrpolicy.
An electronic or hard copy of this policy can be obtained by emailing complaints@billwill.com.au.