ACCC & DSB | CDR Implementation Call Agenda & Meeting Notes | 18th of August 2022

CDR Implementation Call Banner

Agenda & Meeting Notes

When: Weekly every Thursday at 3pm-4.30pm AEST
Location: WebEx, quick dial +61-2-9338-2221,,1650705270##

Meeting Details:

Desktop or Mobile Devices https://treasuryau.webex.com/treasuryau/j.php?MTID=m9614a7c6166155d3d950a8999e437f9f Once connected to your meeting remember to start your audio and video
Please mute when you are not speaking.

Video Conferencing (VC) Rooms
Use the remote control or touch panel and dial the number indicated below:
External VC Room: 1650705270@webex.com

Phones - AUDIO ONLY

Primary Australia: +61-2-9338-2221
Quick Dial: +61-2-9338-2221,,1650705270##
Other Global Numbers: https://treasuryau.webex.com/cmp3300/webcomponents/widget/globalcallin/globalcallin.do?MTID=m311f46c87a3ab9ae5335a6c0ea431da4&MTID=m311f46c87a3ab9ae5335a6c0ea431da4&MTID=m311f46c87a3ab9ae5335a6c0ea431da4&MTID=m311f46c87a3ab9ae5335a6c0ea431da4&serviceType=MC&serviceType=MC&serviceType=MC&siteurl=treasuryau&siteurl=treasuryau&siteurl=treasuryau&apiname=globalcallin.php&apiname=globalcallin.php&apiname=globalcallin.php&rnd=6124483603&rnd=6124483603&rnd=6124483603&tollFree=0&tollFree=0&tollFree=0&ED=1403111402&ED=1403111402&ED=1403111402&needFilter=false&needFilter=false&needFilter=false&actappname=cmp3300&actappname=cmp3300&actname=/webcomponents/widget/globalcallin/gcnredirector.do&actname=/webcomponents/widget/globalcallin/gcnredirector.do&renewticket=0
Meeting Number/Access Code: 165 070 5270

Agenda

Introductions
Actions
CDR Stream updates
Presentation
Q&A
Any other business

Introductions

5 min will be allowed for participants to join the call.

Acknowledgement of Country

We acknowledge the Traditional Custodians of the various lands on which we work today and the Aboriginal and Torres Strait Islander people participating in this call.
We pay our respects to Elders past, present and emerging, and recognise and celebrate the diversity of Aboriginal peoples and their ongoing cultures and connections to the lands and waters of Australia.

House Keeping

Recording

The Consumer Data Right Implementation Calls are recorded for note taking purposes. All recordings are kept securely, as are the transcripts which may be made from them. No identifying material shall be provided without the participant's consent. Participants may contact@consumerdatastandards.gov.au should they have any further questions or wish to have any material redacted from the record.

Community Guidelines

By participating in the Consumer Data Right Implementation Call you agree to the Community Guidelines. These guidelines intend to provide a safe and constructive space for members to discuss implementation topics with other participants and members of the ACCC and Data Standards Body.

Updates

Type	Topic	Update
Standards	Version 1.18.0 Published	Link to change log here
Maintenance	Maintenance Iteration 12	First meet on the 20th of July 2022
Maintenance	Maintenance Iteration 12	This week on the 17th of August 2022 the Working Group met. Agenda here.
Maintenance	Decision Proposal 259 - Maintenance Iteration 12	Changes, meeting notes and updates for the iteration can be found here
TSY Newsletter	To subscribe to TSY Newsletter	Link here
DSB Newsletter	To subscribe to DSB Newsletter	Link here
TSY Newsletter	26th of July 2022	View in browser here
DSB Newsletter	12th of August 2022	View in browser here
Consultation	Normative Standards Review (2021)	No Close Date Link to consultation
Consultation	Decision Proposal 229 - CDR Participant Representation	Placeholder: no close date Link to consultation
Noting Paper	Noting Paper 255 - Approach to Telco Sector Standards	Link to consultation
Noting Paper	Noting Paper 258 - Independent Information Security Review	Link to consultation
Consultation	Decision Proposal 260 - Energy Closed Accounts Feedback closes: 18th of August 2022	Link to consultation
Consultation	Decision Proposal 262 - Telco Product Reference Payloads Feedback closes: 5th of September 2022	Link to consultation
Consultation	Decision Proposal 263 - Telco Accounts Payloads Feedback closes: 16th of September 2022	Link to consultation
Guidance	Consumer Data Right legislation: A quick reference guide to finding key documents in the Consumer Data Right legislative framework.	Link to CDR.gov.au
Guidance	Sharing CDR data “related to” a consumer’s NEM supply. This guidance sets out the ACCC's expectations regarding sharing of energy data “related to” a customer’s National Electricity Market supply, which will be of particular interest to retailers with customers in WA and the NT who are outside the NEM and where charges for gas are included in the account balance.	Link to the CDR Support Portal
Guidance	New Guidance article on what constitutes a material change under rule 5.14(1)(a) such that an accredited person would have to notify the ACCC	Link to the CDR Support Portal
Action	Publish Consent Flow Sequence Diagrams	Link to CDR Support Portal
Request for Feedback	The Data Standards Body request the Energy retailers to review and comment on Maintenance Issue 529 - CX - Energy Data Language Standards - NMI and Scheduled Payments. If there is consensus for the change to take effect from November, we will propose that the change be treated as urgent and dealt with separate to Maintenance Iteration 12.	Link to Issue 529

CDR Stream Updates

Provides a weekly update on the activities of each of the CDR streams and their stream of work

Organisation	Stream	Member
ACCC	CDR Register	Emma Harvey
ACCC	CTS	Emma Harvey
DSB	CX Standards	Amy Nussbaumer
DSB	Technical Standards - Energy	Hemang Rathod
DSB	Technical Standards - Banking	Mark Verstege
DSB	Technical Standards - Telecommunications	Brian Kirkpatrick
DSB	Technical Standards - Engineering & Register	James Bligh

Presentation

None.

Q&A

Questions will be received by the community via WebEx chat before the questions are opened to the floor. Participants can submit questions outside of the CDR Implementation Call to the CDR Support Portal.

In regards to topics for questions, we ask the participants on the call to consider the Community Guidelines when posing questions to the subject matter experts.

Answer provided

Ticket #	Question	Answer
1531	Please could the clarify the following list of questions on Service point IDs 1 - Would Service Point ID gets changed for a premises, if a Account holder changes the Energy Retailer? 1a- IF Service point ID changes, Would NMI ID (used in AEMO as Service point) also changed? 2b- Assume Service point ID and NMI ID are one to one mapped. If there are edge cases where they differ. Please could we know these scenarios 2 - Would Service Point ID gets changed, if the current account holder leaves the property and some one else occupies who is part of . Example: If AccountHolder1 lives in Property1 for three months and is replaced by AccountHolder2 for another three months. Would Property1 have same service point if both account holders are part of same Energy Retailer?	The servicePointId would be unique per NMI within the bounds of a specific consumer consent. It must adhere to the standards of ID permanence defined in the standards. 1 - Would Service Point ID gets changed for a premises, if a Account holder changes the Energy Retailer? If the account holder changes retailer, all the consents they would have established for data sharing with the previous retailer would become invalid. They would need to provide new consents in which case the new retailer would issue new servicePointIDs. Unless you mean to ask if the service point id changes does the NMI field also change? in that case the answer is no i belive. 1a- IF Service point ID changes, Would NMI ID (used in AEMO as Service point) also changed? This depends on the situation. In the example above, new servicePointIDs are issued for the same customer-NMI because the retailer changed. Another scenario where servicePointID could change is when a new consent is established, for e.g. the customer is providing consent to a new ADR. 2b- Assume Service point ID and NMI ID are one to one mapped. If there are edge cases where they differ. Please could we know these scenarios As mentioned above, the servicePointID can change for a different consent 2 - Would Service Point ID gets changed, if the current account holder leaves the property and some one else occupies who is part of . Example: If AccountHolder1 lives in Property1 for three months and is replaced by AccountHolder2 for another three months. Would Property1 have same service point if both account holders are part of same Energy Retailer? The servicePointID is related to a given consent. If the account holder changes the consent for that property/NMI would become invalid. Account holder 2 would need to establish new consent
791	I've been trying to find some information around what could be the consequences to Data Holders for not being able to meet the timelines as mandated ACCC. So far the information I've been able to dig out is Refusal to disclose required consumer data in response to consumer data request may have the following fines. Civil penalty: (a) for an individual―$50,000; and (b) for a body corporate―$250,000. Just wanted to make sure if my understanding is correct and if the above fines apply to each instance of refusal to disclose?	Thanks for your question and apologies for the delay in coming back to you. Contraventions of the CDR Rules, Part IVD of the Competition and Consumer Act 2010 (including the Privacy Safeguards) and the Consumer Data Standards may lead to pecuniary penalties and other consequences. We note the timeframes for compliance set out in the CDR Rules are set by Treasury (as the CDR Rule maker). Where a data holder (e.g. bank) receives a consumer data request made under rule 4.4 of the CDR Rules, and the CDR consumer has given the data holder a current authorisation to disclose that CDR data, under subrule 4.6(4) of the CDR Rules the data holder must disclose required consumer data it is authorised to disclose using its accredited person request service and in accordance with the data standards. This is subject to rules 4.6A and 4.7 which set out circumstances in which a data holder can refuse to disclose required consumer data. Subrule 4.6(4) is a civil penalty provision. The maximum penalty per breach of a civil penalty provision is generally: (a) for an individual - $500,000 (b) for a body corporate – the greater of $10 million; 3 times the value of the benefit received; or 10% of annual turnover in the preceding 12 months (if the Court cannot determine the benefit obtained from the breach). While these are the maximum penalties, a number of factors are taken into account by the court in determining the appropriate level of penalty. In addition, under subrule 1.13(1)(b) of the CDR Rules, data holders must provide an online service that: can be used by accredited persons to make consumer data requests on behalf of eligible consumers; discloses data in machine-readable form; and conforms with the data standards. This subrule is a civil penalty provision and subject to the same maximum penalties as set out above. Again, a court would take a number of factors into account in determining the appropriate level of penalty. We also note that where the ACCC has reasonable grounds to believe a person has breached a civil penalty provision of the CDR Rules it can issue an infringement notice. The penalty amount in each infringement notice will vary, depending on the alleged breach, but in most cases is fixed at: (a) for a corporation – $13,320 (b) for a listed corporation – $133,200 (c) for individuals – $2,664 for each alleged contravention. For more information, including further details on the range of enforcement options available to respond to and resolve breaches of the CDR legislation, please refer to the ACCC/OAIC Compliance and Enforcement Policy.
1169	As we understand it under CDR Rules Version 3, the intent is that OSPs are able to outsource the collection of CDR data to other OSPs (Please see Explanatory Memorandum which says: "Outsourced service providers may now subcontract collecting activities. This prohibition was originally required to ensure only accredited OSPs could collect CDR data on behalf of the principal under the existing rules, and is no longer necessary given the expansion to unaccredited OSPs."). However, the Notes for CDR Rule 1.10(2) in the Consumer Data Right Rules Amendment 3 suggests otherwise. It says: "Note 1: In order to provide goods or services in accordance with the CDR consumer’s request, it might be necessary for the accredited person to request CDR data from more than 1 CDR participant. Note 2: The CDR data may be collected and used only in accordance with the data minimisation principle: see rule 1.8." Can you please clarify the intent of the notes?	In accordance with the Explanatory Statement, an OSP can subcontract collection activities. Treasury is aware of the error with Note 2 at rule 1.10A(2) in version 4 of the CDR rules and has indicated that the Explanatory Statement and the text of the rules accurately reflect the policy position for collecting OSPs. On this basis we recommend disregarding the note when considering the collecting OSP rules.
1399	I have some questions around secondary users. 1. Do all account holders need to agree to the secondary user instruction for Joint Accounts which are flagged as Co-Approval (or indeed any Joint Account)? 2. Should secondary users see Authorisations made by the Account holder against the account for which they have a secondary user instruction within their dashboard? 3. Should secondary users get notifications when the Account holder amends, creates, or withdraws an Authorisation for an account which they have a secondary user instruction on but they did not initiate the authorisation? i.e., this is an authorization created by the account owner 4. Should a secondary user get a notification when an authorisation expires which contains an account for which they have a secondary user instruction, but they did not initiate the authorisation? 5. What does a secondary user see for an authorisation created by another owner which contains multiple accounts, and they are only a secondary user instruction for one account (if they see the authorisation at all)? 6. If the primary account holder removes the secondary user instruction, will authorisations created by that secondary user against that account stays active, but sharing from the account will stop?	Thanks for your questions. Please see the below responses: (1) Do all account holders need to agree to the secondary user instruction for Joint Accounts which are flagged as Co-Approval (or indeed any Joint Account)? How a secondary user instruction is made is left to the discretion of the data holder (see rule 1.13(1)(e)). This includes whether all relevant account holders need to agree to the secondary user instruction before it is made. (2) Should secondary users see Authorisations made by the Account holder against the account for which they have a secondary user instruction within their dashboard? No. Note that an account holder will be able to see relevant information about each authorisation given by a secondary user to disclose CDR data (see Rule 1.15(5)(a) and Rule 1.15(3)(a)). However, there is no provision in the Rules stating that a secondary user must be able to see authorisations made by the account holder for which they have a secondary user instruction. (3) Should secondary users get notifications when the Account holder amends, creates, or withdraws an Authorisation for an account which they have a secondary user instruction on but they did not initiate the authorisation? i.e., this is an authorization created by the account owner Whilst an account holder will be notified when a secondary user amends or withdraws an authorisation (see Rule 4.28), there is no equivalent rule which provides that a secondary user will receive notifications for actions of the account holder. Therefore, if the secondary user did not initiate the authorisation, they will not be notified when the account holder amends, creates or withdraws an authorisation for an account which they have a secondary user instruction. (4) Should a secondary user get a notification when an authorisation expires which contains an account for which they have a secondary user instruction, but they did not initiate the authorisation? Similar to the above, the secondary user will not get a notification alerting them that an authorisation has expired if they did not initiate the authorisation. (5) What does a secondary user see for an authorisation created by another owner which contains multiple accounts, and they are only a secondary user instruction for one account (if they see the authorisation at all)? As above, the secondary user will not have oversight of any authorisations created by another owner. (6) If the primary account holder removes the secondary user instruction, will authorisations created by that secondary user against that account stays active, but sharing from the account will stop? If the former secondary user no longer satisfies the eligibility criteria under rule 1.10B and clause 2.1 of Schedule 3 because of the withdrawal of the secondary user instruction, the person will cease being eligible in relation to the data holder. This will cause their authorisations with the data holder to expire under rule 4.26(1)(c). However, if the former secondary user continues to satisfy the eligibility criteria under rule 1.10B and clause 2.1 of Schedule 3 (e.g. the person holds another account that is accessible online with the data holder), the person’s authorisations (including in relation to that particular account) will not expire. Nonetheless, in both cases data sharing from the particular account on behalf of the former secondary user will cease. For more information about secondary users, please also refer to the ACCC’s Secondary User FAQs.
1429	At the CDR Implementation Advisory Committee Meeting, 15 March 2022, AGL raised the question of whether energy retailers who do not offer joint account capabilities will need to establish this capability for data sharing purposes under CDR. The advice provided at the meeting was that retailers will not have to provide CDR data sharing to joint account holders if they do not offer joint account arrangements. This is consistent with our reading and interpretation of the energy CDR rules, specifically, Schedule 2, item 39, clause 3.2(3) of Schedule 4, which states the data being shared must relate to an account held by the CDR consumer in their name alone, or to a joint account or partnership account. So for retailers who only provide single person accounts, they will need to share CDR data sets to the single account holder that makes the request through an ADR.	In general, obligations in relation to joint accounts will only arise if the data holder offers joint accounts as defined in rule 1.7 of the rules. See also the definition of joint accounts in our Joint account implementation guidance for further information.
1489	With reference to the attached email, Zendesk has advised that customer data sharing should not appear on the dashboards of the other account holders. Do we need to apply this rule to 9.5(1) if the person requesting for the records is not the person who originally created the arrangement to share customer data ? For example JAH-A created an arrangement to share his/her customer data. As part of rule 9.3, the data holder kept a record of this activity. JAH-B who is joint account owner with JAH-A requested for the record for the activity in step # 1. Is the data holder expected to disclose this record to JAH-B ? I would assume ‘no’ so it’s in-line with the following advice. Can you please confirm ? Extract from the attached email. The joint account rules apply to the disclosure of account data, transaction data and product specific data (as defined in clause 1.3 of schedule 3). The joint account rules apply to these categories of data for any product in phase 1, 2, or 3. Requesters may only ever share their own customer data; customer data of the other account holder(s) is not shareable (clause 3.2(3)(b) of Schedule 3). If a joint account holder requests the sharing of their customer data relating to a joint account, this request must be actioned as though it were a request in relation to an individually held account. Details of such data sharing must not appear on the dashboards of the other account holders.	We consider that rule 9.5 does not allow a joint account holder to request records relating to customer data shared by another joint account holder. Rule 9.5 states that a CDR consumer may request a data holder for copies of records relating to certain information that relates to the CDR consumer. However, a data holder cannot disclose the customer data of a joint account holder to any other joint account holder (see clause 3.2(3) of schedule 3). This means a joint account holder can only request copies of records relating to authorisations, amendments, withdrawals and disclosures of CDR data that relate to another joint account holder when the CDR data is account data, transaction data or product specific data. Customer data does not relate to an account but instead relates to a CDR consumer (see clause 3.2(b)(i) of schedule 3). Therefore, we consider that rule 9.5 does not allow for a joint account holder to request copies of records relating to authorisations and disclosure of customer data by another joint account holder.
1553	This is a follow-up to your previous request "Non-account data on Secondary User consent arrangements" The response to the above referenced request indicated that the Saved Payee cluster is account related data. As we dig deeper into the requirements for Secondary Users this becomes problematic due to how Saved Payees are recorded. Under the file structure in our core banking solution (and that of other banks) a Payee is stored at the client level and has no direct link to an account. Any account that the customer has transaction privileges for (owned, jointly owned or authority to operate) can be selected to make payments to an individual saved payee. This creates difficulties in providing a response to a get payee detail request under a sharing arrangement entered into by either a Secondary User, or a Nominated Representative in the case of a Business Client/Account. As an example: A Secondary User authorises data sharing on a single arrangement for a combination of owned accounts (individual or jointly owned) as well as for accounts they have Secondary User approval for (again these could be individually or jointly owned by the other account owner client). In this scenario payees may be saved against: 1) the Secondary User that they may may use to pay from their owned accounts or secondary user accounts 2) A Client who is a joint account holder with the Secondary User client 3) The Account owner of a Secondary User Account included on the arrangement who has provided the secondary user approval 4) Another Joint Account Holder of a Secondary User account included in the arrangement In each of these cases there is no link to a specific account and so it is not possible to populate the Saved Payee data specifically for the accounts included in the sharing arrangement. The selection of the saved payee is made by the client from their full list of payees at the time of payment. Likewise, If an individual account owner has been approved to act as a Nominated Representative of a Business Client (ie. they have account privilege's to a business client account) we have no way of distinguishing between payees that are used for individual payments from those that may be used for business account payments. We can differentiate between the accounts the Nominated Representative has access to but not the saved payees. This same issue would apply to sharing data from Joint Accounts. Can we please have guidance as to how Saved Payees is to be applied under the above scenarios given there is no linking of Payees to Accounts. As indicated above this scenario is likely to apply to Data Holders other than our clients.	We have consulted with other CDR agencies about this query and can advise that payee data is considered required consumer data. A CDR consumer can only give an authorisation to share payee data that is accessible to the consumer in their account. This means: A CDR consumer cannot give an authorisation to share the payee data of another account holder or secondary user. An individual that is a nominated representative for a non-individual or partner in a partnership can only give an authorisation on behalf of the non-individual or partner in a partnership to share the payee data of the non-individual or partner in a partnership. We recommend CDR participants obtain independent advice about how best to achieve compliance with the CDR rules in their specific circumstances.
1652	Question - if a current Data Holder's metric being displayed on the CDR Performance Dashboard is outside of the Non-Functional Requirements as defined in the Consumer Data Standards (and therefore being displayed as red), is this considered non-compliant with the Standard?	If a metric is outside of the Non-Functional Requirements (NFRs), it generally indicates non-compliance with the NFRs. We encourage you to seek independent advice if you require further information about your compliance obligations.
1658	Hoping you can help confirm the below behaviour when a Joint account becomes an individual account. Reference to consider : https://cdr-support.zendesk.com/hc/en-us/articles/4807458486671-Information-to-be-provided-about-joint-account-authorisations https://cdr-support.zendesk.com/hc/en-us/articles/4807502350351-Authorisations-when-a-joint-account-holder-is-removed-from-or-added-to-a-joint-account Scenario :- Joint account (JA) xxx111 has 2 account holders CustA and CustB. The Joint account xxx111 has now become an individual account xxx111. ( account number is retained ). The business process that may support this is many i.e a family law split , term deposit account etc.. When a Joint account changes to an individual account: 1. Does it trigger an active consent to expire due to the nature of the account type associated with the consent. ( Note the account number is retained xxx111). 2. Is CDR rule 1.15(1)(b) applicable to CustA and CustB?. Given the nature of the account type from Joint account to individual account could CDR rule 1.15(1)(b) lead to privacy concerns.	In relation to Question 1, we consider that the approach to active consents for the joint accounts where a joint account holder is removed would be the same as that for authorisations which is explained in our guidance on Authorisations when a joint account holder is removed from or added to a joint account which states that: “Where a person ceases to be a joint account holder on a joint account and that account remains open: (1) Authorisations of the remaining joint account holders remain current. (2) The data holder can no longer make disclosures from the joint account in response to a request made on behalf of the former joint account holder and the joint account will be dissociated from the former joint account holder’s authorisations as per the technical standards. … (3) If the former joint account holder remains eligible in relation to the data holder: (a) their existing authorisations will remain current - this allows disclosures from any other accounts held by the former joint account holder to continue.” In regards to Question 2, we consider that rule 1.15(1)(b) only requires data holders to provide information in relation to authorisations given by the former joint account holder at the time they were still a joint account holder. Data holders may provide historical information about authorisations of other joint account holders. This is also reflected in our guidance which states: “Where a person ceases to be a joint account holder on a joint account and that account remains open:… (3) If the former joint account holder remains eligible in relation to the data holder: … (b) data holders must continue to display historical information on the former joint account holder’s dashboard about their authorisations relating to the joint account at the time they were a joint account holder (as required by rule 1.15(1)(b)) (c) data holders may also continue to provide the former joint account holder(s), with historical information about authorisations associated with the former joint account that were given by other account holders before the former joint account holder(s) was removed (and which would have been required by r 4A.13(1)(c) at the time the person was a joint account holder).” We encourage you to seek independent advice if you have any concerns regarding privacy.
1659	I was hoping you could please provide some clarification relating to what is going to be counted as a joint account in energy, versus what is a secondary user. Our view is that most accounts with additional users should fall under the category of secondary users, rather than true joint account holders. As such, our understanding is that for accounts with multiple account holders (with initial Data Holders) data will be able to be shared by the primary account holder from 15 Nov 2022, and then by any additional holders from 15 May 2023. We think that this is the appropriate approach to take, as treating these accounts as joint accounts will introduce additional frictions that do not align with a consumer's existing relationship with their energy provider and would not adequately take into account the less sensitive nature of energy data compared to banking data. If you could please confirm our understanding then that would be very much appreciated. We are eager to engage in CDR energy, and this may impact on how we are able to progress.	Whether accounts with additional users are joint accounts or secondary users is governed by the definitions in the CDR Rules. In general, obligations in relation to joint accounts will only arise if the data holder offers joint accounts as defined in rule 1.7 of the CDR Rules. See also the definition of joint accounts in our Joint account implementation guidance for further information. A secondary user is an individual who is at least 18 years of age, has account privileges and the account holder has given the data holder an instruction to treat the person as a secondary user as stated in rule 1.7. A person in the energy sector has account privileges if they are a customer authorised representative of the account holder for the purposes of rule 56A of the National Energy Retail Rule or Chapter 10 of the National Electricity Rules (see clause 2.2 of schedule 4). Initial retailers are required to share data for non-complex and complex requests from 15 November 2022 and 15 May 2023 respectively. Complex requests are requests made behalf of a large customer, secondary user or relates to a joint account or partnership account as defined in clause 8.1 of schedule 4. We encourage you to seek independent advice if you require further information about the application of the rules to a specific scenario.
1678	when interpreting how we treat secondary user instruction eligibility, we consider Power of Attorney to be treated the same as any other role where the individual has self-service financial control via our channels. Yet, we came across a statement made by DSB which considers a PoA different from a Secondary User. https://cdr-support.zendesk.com/hc/en-us/articles/4413842384015-Secondary-user-instruction-and-vulnerability-implications-for-Joint-Accounts Answer no1. "Secondary users (with an instruction) can share data related to the joint account. Secondary users are not equivalent to a Power of Attorney so are not sharing on behalf of another joint account holder". Where is the guidance on how a PoA should be treated differently from another Secondary User? Is there a variation on the treatment where the PoA represents non-individual account holder's vs individual or joint account holders?	As explained in the knowledge article you have noted, a secondary user is not equivalent to a power of attorney. As set out in our secondary users guidance, an individual is a secondary user for an account if they are over 18, have account privileges, and the account holder has given the data holder an instruction to treat them as a secondary user. A secondary user can then share CDR data from an account in their own capacity in accordance with the CDR rules. A power of attorney is a legal arrangement allowing one person (e.g. the account holder, or someone who is a secondary user on an account) to provide another person (the attorney) with authority to make financial and legal decisions on the first person’s behalf. The CDR Rules do not contain provisions that expressly deal with powers of attorney. Where, for the purposes of the CDR, a data holder, accredited person or CDR representative deals with an attorney acting under a power of attorney, they will need to assess whether the attorney’s decisions on behalf of the CDR consumer are within the scope of the attorney’s authority. This will need to be assessed on a case by case basis, with reference to the power of attorney document. This applies whether the power of attorney is in relation to a CDR consumer that is an individual (including a joint account holder or secondary user) or a non-individual. For more information, please refer to the ACCC’s guidance on the interaction between powers of attorney and the CDR.