Consumer Data Right Policy


Being transparent with our customers and keeping you informed is an important part of how we do business. As required by the new Consumer Data Right legislation, we’ve put together this Consumer Data Right (CDR) Policy. This policy explains how we manage your CDR data and make a complaint if needed.


SISS Data Services (SDS), as an Accredited Data Recipient (ADR) that provides a platform for software applications ‘apps’ that access consumer data securely via the Consumer Data Right (CDR). If you have heard the term ‘open banking’, then you may already have an idea of what the Consumer Data Right (CDR) involves. The CDR regime will apply first to the banking industry than to other industries. CDR is designed to give you greater control of your data to increase competition and encourage innovation in the Australian economy.

Collection of your personal data

We are seeking (with your consent) to collect the data that your bank is able to provide. SDS does not collect any additional data such as voluntary consumer data that the bank may have, but not obligated to supply under the CDR rules. With your consent, we will collect and provide data to your nominated software application. There are no costs associated with the collection of CDR data. The following is an example of data that could be collected,

  • Account balance and details
    • Type of account
    • Name of account
    • Account balance
    • Account mailing address
    • Interest rates, Discounts, Fees
    • Account terms
  • Transaction details
    • Incoming and outgoing transactions
    • Dates
    • Amounts
    • Descriptions of transactions
    • The name of a person or company who you have sent or received money

Data collection could occur on a single occasion or several times a day depending on the disclosure and purpose displayed on the consent screens provided by the software application. The consent screens will also detail the terms, scope and duration of data collection for the nominated bank account(s). Your software and data holder (bank) is required to disclose your consent within a dashboard via their app or website.

Purposes of CDR data

The purpose of SISS Data Services (SDS) collecting data is to transport it to the nominated software application. Each software application will have its own purpose, and this will be detailed in the consent screens. SDS does not have any other role or purpose other than aiding in the safe & secure transport of data. SDS does not store or use your data. SDS will only deliver data to a software application that requested it and you gave consent, this means data will not be provided to anyone you have not given explicit consent.

A valid question you (consumers) may have is why various applications utilize SDS. In simple terms, SDS provides applications with a prebuilt service that securely connects, collects, delivers, and manages consents to multiple data holders (like banks). SDS is, therefore, a company that is a team of data and security experts. SDS has been providing a direct data collection service from banks and transporting it to software applications for ten years. Therefore SDS saves software applications the development time and costs to provide data to consumers.


To provide a positive consumer experience and ensure control over data, SDS does not provide information to third parties to engage in direct marketing. SDS does not disclose or use your personal data for commercial purposes. SDS does not disclose your personal data to any additional accredited or non-accredited persons, be they Australian or foreign.

Outsourced service providers

SDS does not provide CDR data to any outsourced providers. SDS develops and maintains its own software. SDS hosts its software and systems with Microsoft Azure stored in Australia and SDS has proudly achieved ISO 27001 accreditation.

Contacting Us

You can contact us at any time via email (, or post, or through the website ( Once we have received your contact, we will respond as soon as is practical.

How to make a complaint

If you believe that there has been a breach of the CDR rules by SDS, please submit your CDR consumer data complaint via email to

Please include the following information when submitting your complaint.

  • Your name;
  • Your contact details;
  • Your preferred contact method of complainant (phone/ email/ letter); and,
  • The details of your complaint.

A CDR complaint can be made at any time. Once your complaint is received, SDS will immediately acknowledge receipt of the complaint within five (5) business days of being received. SDS will investigate your complaint and attempt to provide you with a written response to resolve the complaint, within thirty (30) calendar days of receipt of your complaint.

If your complaint remains unresolved after thirty (30) calendar days, you will be advised in writing that additional time is required to complete the investigation and to provide a response.

When the complaint is resolved, you will receive a ‘final response’ letter within 45 days, informing you of:

  • the final outcome of your complaint;
  • your right to make a complaint to an External Dispute Resolution service; and
  • should you not be satisfied with the result of any complaint you may contact the Australian Financial Complaints Authority (SDS is a member as required by the accreditation rules)

Australia Financial Complaints Authority (AFCA)



[P] 1800 931 678 (free call)

[M] GPO Box 3, Melbourne VIC 3001

If your complaint remains outstanding after 45 days, SDS must write to you to:

  • inform you of the reasons for the delay;
  • specify a date when a decision can be reasonably expected;
  • inform you of your right to take your complaint or dispute to an External Dispute Resolution service; and
  • if you are not satisfied with our response, you may lodge a complaint with the Australian Financial Complaints Authority.

Summary of Participants in CDR system

  • CDR: Consumer Data Right gives you the right to share your data between service providers of your choosing. It’s now active in banking.
  • Consumer: This is you the person or business seeking to have their data collected from a data holder and delivered to a software application
  • Data Holder: This the organization who is the source of data, like a bank, who holds consumer data
  • Software Application: This the primary accredited data recipient (ADR). That is the ‘software application’ that plans to receive and use consumer data in order to provide a service. ADR’s are required to be accredited and registered by the ACCC.
  • SDS: SISS Data Services, is an accredited data recipient (ADR) with the role of providing the technology platform for software applications to collect data from data holders. The technology platform SDS offers can also be called a outsource provider (OSP) or intermediary service.
  • ACCC: The lead government regulatory for the Consumer Data Right (CDR) system. ACCC is also responsible for registration and compliance monitoring of ADR’s.
  • OAIC: Office of the Australian Information Commissioner. A government organization with the purpose to uphold consumers rights to privacy and access to data utilising legislation such as the Privacy Act & Freedom of Information Act.
  • ASIC: Australian Securities Investment Commission, a government organization with a purpose to ensure the proper function of corporations, markets, financial services and providing of credit.
  • AFCA: Australian Financial Complaints Authority are a dispute resolution service for consumers and organizations within the financial services industry.