Consumer Data Right Policy

About the Consumer Data Right (CDR)

The Consumer Data Right (CDR) provides you with a secure way to share certain data held about you by banks and other financial institutions (CDR Data) with other service providers with your full knowledge and consent. You control who holds your CDR Data and how it is used. The intention is to help you find the best products and pricing and make it easier to switch to new service providers.

Open Home Loans is partnered with Basiq – an Accredited Data Recipient under the CDR framework. This means that Basiq has been accredited by the Australian Competition and Consumer Commission (ACCC) to receive your data from your bank or other financial institution – only after you have given your consent. Basiq has partnered with various Basiq approved partners (Partners) who, with your consent, may request Basiq to collect and provide them with your data to enable them to provide their services and/or products to you. Basiq’s Partners can only use or disclose your data in accordance with your instructions.


Basiq is subject to strict controls under applicable CDR legislation and privacy laws. This policy (CDR Policy) explains when and how Basiq and Partners collect, use, hold and / or disclose your CDR Data in accordance with the consent you provide. This CDR Policy also explains how you can manage your CDR Data and associated consents, resolve concerns and lodge complaints.


What details you can share with us

You can share the following CDR Data with us:


Account Details

  • product category, account type and product name (e.g. transaction accounts, savings accounts, term deposits, overdrafts and business finance and mortgage accounts)

  • BSB and account number / masked number

  • account nickname

  • account status

  • account holder / display name

  • account owner (true / false)

  • account meta data (e.g. credit cards, term deposits, loans)

  • interest rates

  • fees

  • discounts

Balance Details

  • current balance

  • available funds

Transaction Details

  • status (pending / posted)

  • incoming & outgoing transactions

  • amounts

  • dates

  • descriptions of transactions

  • account names for accounts you have sent money to and received money from

Name, occupation and contact details

  • name

  • occupation

  • phone

  • email address

  • mail address

  • residential address

Organisation profile and contact details

  • agent name and role

  • organisation name

  • organisation numbers (ABN or ACN)

  • charity status

  • establishment date

  • industry

  • organisation type

  • country of registration

  • organisation address

  • mail address

  • phone number

Direct debits and scheduled payment details

  • direct debit authorisations

  • scheduled, outgoing payments

Payee details

  • names and details of saved payee accounts


You are in control of your CDR Data

How we collect your CDR Data

When you request a service from a Partner and provide your consent, Basiq facilitates the provision of that service by the Partner. Basiq collects your CDR Data for this purpose directly from your bank or other financial institution via an application programming interface (API).

The kinds of services that will involve the collection of your CDR Data (with your consent) include:

  • Data Aggregation and Enrichment: your CDR Data is aggregated, enriched and demystified to provide a single view of your finances across each of your banks.

  • Spending Insights: your CDR Data is analysed to provide insights into spending, including the category of spend.

  • Income Insights: your CDR Data is analysed to identify your income streams including surfacing patterns around regularity and stability.

  • Affordability Report: insights above are presented in an easy to read PDF report.

When we can share your CDR Data

  • When you request a service from a Partner and provide your consent, Basiq will support the provision of that service and share your CDR Data with the Partner as reasonably necessary for that purpose.

  • When we share your CDR data with Partners, they are required to operate in accordance with CDR controls and privacy protections.

What we do with your CDR Data

With your consent, Basiq and its Partners will use your CDR Data for the purpose agreed, including to provide data enrichment, spending, income and affordability insights, and will hold your CDR Data for the period covered by the consent you have provided.

Basiq will ensure, and will procure that its Partners will ensure, the following:

  • Your CDR Data will not be disclosed to any third party without your consent.

  • Your CDR Data will be deleted or de-identified in accordance with your instructions once your consent expires or is withdrawn by you, except to the extent we are required under Australian Law to retain certain data.

  • You may withdraw or modify your consent at any time.

Managing your consent

You are able to review, modify or withdraw any CDR consent you have provided through the relevant Partner application. You can also withdraw your consent by contacting us in writing, or via the data holder consent dashboard (provided by your bank or other financial institution).

Manage your consent to share your CDR Data

  • You can review and manage your CDR consents at any time.

Stop sharing

  • You can withdraw your consent at any time through the Partner application and we will stop collecting, using or disclosing your CDR Data for the agreed purpose.

CDR Data deletion or de-identification

  • Basiq must adhere, and must procure that its Partners adhere, to the data minimisation principle. This principle outlines that a Partner can only ask you for CDR Data that is necessary for the agreed purpose and can only hold it for the minimum amount of time needed to provide their service.

  • Once your consent expires, or you want to stop sharing your CDR Data and withdraw your consent, then we will delete your CDR Data in accordance with your instructions except to the extent we are required under Australian Law to retain certain data.

  • When you withdraw CDR consent or your consent expires, we’ll automatically, irretrievably destroy or de-identify your CDR Data in accordance with your instructions, within seconds. We’ll also automatically notify any Partner with whom your data has been shared and require them to irretrievably destroy or de-identify your CDR Data as well.

De-identified CDR Data

  • If you elect to have your CDR Data de-identified once it is no longer required for the agreed purpose, Basiq may de-identify CDR Data by removing all personal identifying information fields from the CDR Data and only storing the remaining fields.

  • Once CDR data is fully de-identified, Basiq may use de-identified data for internal operational purposes (ie. to improve the quality of Basiq’s services), as well as to provide feedback to data holders in respect of data and services quality.

  • Basiq does not disclose de-identified CDR Data to any third parties.

Security of your data

Basiq’s approach to data security is designed to protect you as a consumer. The Basiq CDR platform is built and maintained to follow best practices to keep CDR Data you share with us secure. Basiq is responsible for the CDR platform and is regularly investing in, and improving, its data security framework.

Secure Environment

  • The Basiq physical infrastructure is hosted and managed in an ISO 27001, SOC 1 & SOC 2, PCI Level 1, FISMA Moderate and SOX certified data centre.

Multi-factor authentication

  • Two-factor authentication and strong password controls are required for administrative access to systems.

Restricted network access

  • Firewalls are utilised to restrict access to systems from external networks and between systems internally.

Data encryption

  • Basiq stores data at rest using 256-bit AES encryption and use an SSL/TLS secure tunnel to transfer data between your app and our API.

Secure development practises

  • Basiq development follows industry-standard secure coding guidelines, such as those recommended by OWASP.

Realtime monitoring

  • Basiq conducts behavioural monitoring, vulnerability assessment, SIEM and intrusion detection to detect threats and keep our system safe and secure.

What happens if there is a security breach

Basiq maintains a Data Breach Response Plan - Basiq can provide a copy of this policy on request.

If a security breach occurs we:

  • Contain the data breach to prevent any further leak of personal information.

  • Assess the data breach by gathering the facts. Then check the risks or potential harm to affected members and take action to reduce any risk of harm.

  • Review the incident and consider what actions we can take to prevent future breaches.

Storage of CDR Data

  • Basiq stores data securely in AWS data centres in Sydney and Melbourne.

  • Basiq has granted permission to two CDR Representatives to store CDR Data overseas in New Zealand and the United Kingdom.

  • Basiq’s Partners do not otherwise store CDR Data outside Australia and its external territories.

Overseas Disclosure of CDR Data

  • Basiq has one New Zealand-based outsourced service provider. Otherwise all other outsourced service providers are based in Australia.


If you are unhappy with any aspect of Basiq service let us know. The fastest way to resolution is to talk it through. Our internal dispute resolution process is easy to access and if free of charge.

The Complaints Policy explains how to get in touch with Basiq, the investigation process and remedies available to resolve complaints. Here is a link to Basiq’s Complaints Policy.


Copyright © Open Home Loan 2023