Open Home Loans is committed to providing quality services to you and this policy outlines our ongoing obligations to you in respect of how we manage your Personal Information.
The Consumer Data Right (CDR) provides you with a secure way to share certain data held about you by banks and other financial institutions (CDR Data) with other service providers with your full knowledge and consent. You control who holds your CDR Data and how it is used. The intention is to help you find the best products and pricing and make it easier to switch to new service providers.
Open Home Loans is partnered with Basiq, an Accredited Data Recipient under the CDR framework, which receives users' data from the bank or other financial institution only after the user has given consent. Basiq has partnered with various Basiq-approved partners (Partners) who, with your consent, may request Basiq to collect and provide them with your data to enable them to provide their services and/or products to you. Basiq's Partners can only use or disclose your data in accordance with your instructions.
Basiq is subject to strict controls under applicable CDR legislation and privacy laws. This policy (CDR Policy) explains when and how Basiq and Partners collect, use, hold and/or disclose your CDR Data in accordance with the consent you provide. This CDR Policy also explains how you can manage your CDR Data and associated consents, resolve concerns and lodge complaints.
You can share the following CDR Data with us:
Account Details
product category, account type and product name (e.g. transaction accounts, savings accounts, term deposits, overdrafts and business finance and mortgage accounts)
BSB and account number / masked number
account nickname
account status
account holder / display name
account owner (true/false)
account meta data (e.g. credit cards, term deposits, loans)
interest rates
fees
discounts
Balance Details
current balance
available funds
Transaction Details
status (pending / posted)
incoming & outgoing transactions
amounts
dates
descriptions of transactions
account names for accounts you have sent money to and received money from
Name, occupation and contact details
name
occupation
phone
email address
mail address
residential address
Organisation profile and contact details
agent name and role
organisation name
organisation numbers (ABN or ACN)
charity status
establishment date
industry
organisation type
country of registration
organisation address
mail address
phone number
Direct debits and scheduled payment details
direct debit authorisations
scheduled, outgoing payments
Payee details
names and details of saved payee accounts
How we collect your CDR Data
When you request a service from a Partner and provide your consent, Basiq facilitates the provision of that service by the Partner. Basiq collects your CDR Data for this purpose directly from your bank or other financial institution via an application programming interface (API).
The kinds of services that will involve the collection of your CDR Data (with your consent) include:
Data Aggregation and Enrichment: your CDR Data is aggregated, enriched and demystified to provide a single view of your finances across each of your banks.
Spending Insights: your CDR Data is analysed to provide insights into spending, including the category of spend.
Income Insights: your CDR Data is analysed to identify your income streams including surfacing patterns around regularity and stability.
Affordability Report: the insights above are presented in an easy-to-read PDF report.
When we can share your CDR Data
When you request a service from a Partner and provide your consent, Basiq will support the provision of that service and share your CDR Data with the Partner as reasonably necessary for that purpose.
When we share your CDR data with Partners, they are required to operate in accordance with CDR controls and privacy protections.
With your consent, Basiq and its Partners will use your CDR Data for the purpose agreed, including to provide data enrichment, spending, income and affordability insights, and will hold your CDR Data for the period covered by the consent you have provided.
Basiq will ensure, and will procure that its Partners will ensure, the following:
Your CDR Data will not be disclosed to any third party without your consent.
Your CDR Data will be deleted or de-identified in accordance with your instructions once your consent expires or is withdrawn by you, except to the extent we are required under Australian Law to retain certain data.
You may withdraw or modify your consent at any time.
Managing your consent
You are able to review, modify or withdraw any CDR consent you have provided through the relevant Partner application. You can also withdraw your consent by contacting us in writing, or via the data holder consent dashboard (provided by your bank or other financial institution).
You can review and manage your CDR consents at any time.
Stop sharing
You can withdraw your consent at any time through the Partner application and we will stop collecting, using or disclosing your CDR Data for the agreed purpose.
CDR Data deletion or de-identification
Basiq must adhere, and must procure that its Partners adhere, to the data minimisation principle. Under this principle, a Partner can only ask you for CDR Data that is necessary for the agreed purpose and can only hold it for the minimum amount of time needed to provide their service.
Once your consent expires, or you want to stop sharing your CDR Data and withdraw your consent, then we will delete your CDR Data in accordance with your instructions except to the extent we are required under Australian Law to retain certain data.
When you withdraw CDR consent or your consent expires, we will automatically and irretrievably destroy or de-identify your CDR Data in accordance with your instructions, within seconds. We will also automatically notify any Partner with whom your data has been shared and require them to irretrievably destroy or de-identify your CDR Data as well.
De-identified CDR Data
If you elect to have your CDR Data de-identified once it is no longer required for the agreed purpose, Basiq may de-identify CDR Data by removing all personal identifying information fields from the CDR Data and only storing the remaining fields.
Once CDR Data is fully de-identified, Basiq may use the de-identified data for internal operational purposes (i.e. to improve the quality of Basiq's services), as well as to provide feedback to data holders in respect of data and service quality.
Basiq does not disclose de-identified CDR Data to any third parties.
Security of your data
Basiq’s approach to data security is designed to protect you as a consumer. The Basiq CDR platform is built and maintained to follow best practices to keep CDR Data you share with us secure. Basiq is responsible for the CDR platform and is regularly investing in, and improving, its data security framework.
Secure Environment
The Basiq physical infrastructure is hosted and managed in an ISO 27001, SOC 1 & SOC 2, PCI Level 1, FISMA Moderate and SOX certified data centre.
Multi-factor authentication
Two-factor authentication and strong password controls are required for administrative access to systems.
Restricted network access
Firewalls are utilised to restrict access to systems from external networks and between systems internally.
Data encryption
Basiq stores data at rest using 256-bit AES encryption and uses an SSL/TLS secure tunnel to transfer data between your app and our API.
Secure development practices
Basiq development follows industry-standard secure coding guidelines, such as those recommended by OWASP.
Realtime monitoring
Basiq conducts behavioural monitoring, vulnerability assessment, SIEM and intrusion detection to detect threats and keep our system safe and secure.
Basiq maintains a Data Breach Response Plan; Basiq can provide a copy of this plan on request.
If a security breach occurs we:
Contain the data breach to prevent any further leak of personal information.
Assess the data breach by gathering the facts. Then check the risks or potential harm to affected members and take action to reduce any risk of harm.
Review the incident and consider what actions we can take to prevent future breaches.
Storage of CDR Data
Basiq stores data securely in AWS data centres in Sydney and Melbourne.
Basiq has granted permission to two CDR Representatives to store CDR Data overseas in New Zealand and the United Kingdom.
Basiq’s Partners do not otherwise store CDR Data outside Australia and its external territories.
Overseas Disclosure of CDR Data
Basiq has one New Zealand-based outsourced service provider. All other outsourced service providers are based in Australia.
Complaints
If you are unhappy with any aspect of Basiq's service, let us know. The fastest way to resolution is to talk it through. Our internal dispute resolution process is easy to access and is free of charge.
The Complaints Policy explains how to get in touch with Basiq, the investigation process and remedies available to resolve complaints. Here is a link to Basiq’s Complaints Policy.