(1) Each person (a CDR entity ) who is:
(a) an accredited data recipient of CDR data; or
(b) a designated gateway for CDR data;
must take the steps specified in the consumer data rules to protect the CDR data from:
(c) misuse, interference and loss; and
(d) unauthorised access, modification or disclosure.
Note: This subsection is a civil penalty provision (see section 56EU).
(a) the CDR entity no longer needs any of that CDR data for either of the following purposes (the redundant data ):
(i) a purpose permitted under the consumer data rules;
(ii) a purpose for which the person is able to use or disclose it in accordance with this Division; and
(b) the CDR entity is not required to retain the redundant data by or under an Australian law or a court/tribunal order; and
(c) the redundant data does not relate to any current or anticipated:
(i) legal proceedings; or
(ii) dispute resolution proceedings;
to which the CDR entity is a party;
the CDR entity must take the steps specified in the consumer data rules to destroy the redundant data or to ensure that the redundant data is de-identified.
Note 1: This subsection is a civil penalty provision (see section 56EU).
Note 2: Australian Privacy Principle 11 will not apply for paragraph (b) (see paragraph 56EC(4)(a) or (d)).