SecurityBrief New Zealand logo
New Zealand's leading source of cybersecurity and cyber-attack news
Story image

The Consumer Data Right and what it could mean for Aotearoa's data privacy

By Sara Barker
Wed 16 Feb 2022

In 2018, The Reserve Bank declared ‘an open mind on open banking’. Though it could be argued that such a statement positioned the Bank for the future of payment technologies, progress has been slow.

While the Bank attempted to get ahead of the game by addressing the possible benefits and challenges of adopting an open banking system, change, it seems, was at odds with the rapidly-evolving tech space. But legislation is starting to catch up, and the discussion about open banking is just one part of a broader discussion about open data sharing and what is called the Consumer Data Right.

The Consumer Data Right describes a new legislative framework set out by the New Zealand Government. This framework aims to help consumers share their data with trusted third parties. This requires a secure and common way of ensuring data is both machine-readable and accessible to third parties, such as trusted banking providers. A CDR will also work in conjunction with the Digital Identity Services Trust Framework, also in development. 

In July 2021, Minister for the Digital Economy and Communications, David Clark, said that consumers need to control how their personal information is used with third parties. That is what the CDR is designed to achieve.

“Any data shared through the consumer data right will only take place with a person’s informed consent, and would be strictly used for the reasons agreed upon. For example, if a person was seeking financial advice, they could ask their bank to share data, such as transaction information, with their chosen adviser,” Clark noted.

“The businesses and services wishing to receive this data would also have to meet a number of safeguards to ensure the information could be handled safely and securely.”

Why a CDR, and why now?

Australia first launched the CDR in November 2017 as a multi-year rollout plan. It also aims to ensure adults aged 18 and older can opt into sharing data with businesses and withdraw consent at any time. Australia’s CDR was first applied to the banking sector in July 2020. The energy and telecommunications sectors are next in line.

Australia and New Zealand both recognise that banking - particularly the rise of open banking - is one of the major forces driving discussions CDRs.

A Payments NZ API Centre spokesperson says, “What’s unfolding with open banking in Aotearoa will eventually go further than banking, wider into other areas of finance and other sectors like telco and energy—supported by the upcoming CDR.

“We believe the open data revolution and with consumers' interests at the forefront, we can only strengthen our country’s economic prosperity and individual financial wellbeing.”

A closer look at data privacy and security

When Minister David Clark declared in his 2021 speech that businesses using the CDR would need to ensure data safety and security, he did not specify what kinds of safeguards could be required. 

However, what Clark was alluding to is the underlying principle that New Zealanders’ data is protected and secured, no matter who is sharing the data and through what systems they use. It also means businesses must follow other privacy and security regulations, such as the Privacy Act 2020.

A spokesperson from the Ministry of Business, Innovation and Employment (MBIE) says, “Consumers can be assured that the protections and principles in the Privacy Act will apply to CDR data collection, storage, sharing and disposal. The CDR closely relates to Information Privacy Principle 6 – the right that people have to access and use their own information. 

“The CDR regime will also have additional privacy protections built into it (for example, requiring that consumer consent be informed, express and time limited; having specific security requirements for accredited data recipients).”

In 2020, The Ministry of Business, Innovation and Employment (MBIE) opened public feedback on the CDR concept. There were 59 submissions from individuals and organisations, including ASB, Equifax, Fidelity Life, Genesis, Google, Paymark, and technology companies such as Microsoft and Ping Identity. These Submissions were generally in support of the CDR; the diverse range of voices contributed to a wide breadth of suggestions and concerns. 

A common concern is that a CDR cannot take a blanket approach to data sharing or security - it must be differentiated to suit every sector individually.

Spark, for example, also points to a ripple effect inherent to the CDR: Organisations such as retailers may share customer information with third parties; therefore, all of those third parties must also be able to use and protect data in line with the CDR.

Spark states in its submission, “We fully support the need for robust privacy and security requirements. We note that the way that such requirements are structured and implemented will significantly impact both compliance (and consumer privacy) outcomes and organisational compliance costs.”

The Office of the Privacy Commission's submission also notes that the Privacy Act gives the Commissioner the power to issue compliance notices against organisations that are unable to uphold the Privacy Act. that any CDR framework would need to consider "security standards for transfer of consumer data and the role of the receiving organisation in verifying that the data has been received successfully". In other words, the OPC is concerned about how data is protected during the data sharing process and how the organisation that receives the data makes sure the data is legitimate.

 A fundamental technical point of the CDR is the technical means for how data will be shared, displayed, shared, and protected. This is where an application programming interface (API) comes into play. Such an API would be used to connect organisations to each other, and the consumer.

The Payments NZ API Centre unpacks the privacy and security issues of API security:

“There are two broad aspects which make up an API standard. The security profile forms only one part of this picture. Much of the API Centre’s standards focus on what action is being done, for example, initiating a payment or setting up a data sharing arrangement. The security profile of the API standards covers a different aspect – the how. It is a technical standard that sets out how the API Centre’s Third Party Standards Users can technically use APIs to connect to banks. The security profile’s purpose is to set out how banks can securely make APIs available when they connect with third parties. It is a technical safeguard to protect the consumer and the organisations involved."

The API Centre also notes that in terms of privacy, fraud and security, it is vital for consumers to know what they are consenting to, what information is being shared, who will get that data, and for what purpose it’s being shared. 

“Some of these customer consent issues are managed technically in the Centre’s standards through the security profile. Other parts will be managed more through business rules. Overall, it adds up to the customer being well-informed and in control of their data at all times." 

Why would people want to share their data?
In 2020, the API Centre conducted a survey that found 84% of New Zealanders are either unsure or uncomfortable with sharing banking data. These fears stem from issues such as cybercrime, distrust of third parties, unwanted data sharing, error accountability, and consumers would rather stay in control of their data.

The Payments NZ API Centre says, “The payments industry knows, based on the experiences of other, similar jurisdictions to Aotearoa, that consumer trust is an essential ingredient of successful open banking ecosystems. 

“The more trust there is in the safety and security of the payment system, the more willing consumers will be to use open banking products and services and vice versa.”

But there is one major challenge: ask any Kiwi what open banking means to them, and you’ll quickly discover that public awareness of open banking remains reasonably low. This is because open banking is a regulatory and industry term that hasn’t translated well into a more consumer-friendly concept. In the meantime, the Centre continues to work with the industry to develop high-trust open banking systems.

“Establishing and nurturing consumer and end user trust is at the core of all our activities, from the management of customer consent in the standards, through to ensuring that all our Standards Users apply the same customer safeguards and good practices through our API standards and supporting documentation.” 
What next's for the CDR?

MBIE expects the Government to address the Consumer Data Right this year by first deciding how it will be implemented. A Bill is also expected to be introduced to Parliament sometime this year.

“This will include decisions on which institutions have a role in implementation and developing rules and standards, and measures for enforcing the consumer data right. The Government will also consider which sectors should be assessed first for the potential application of the CDR,” says MBIE.

Payments NZ concludes, “We’re hoping with Aotearoa’s CDR lessons will be taken from Australia and other jurisdictions to ensure ours is principles-based and simple. It is important to the industry that our resources and efforts made in developing a progressive, innovative, and trusted open banking ecosystem will help inform CDR developments and continue to play a core role in open banking and API standards development in Aotearoa.”

Public Interest Journalism Fund logo
Public Interest Journalism funded through NZ On Air.
Related stories
Top stories
Story image
Tech job moves - Forcepoint, Malwarebytes, SolarWinds & VMware
We round up all job appointments from May 13-20, 2022, in one place to keep you updated with the latest from across the tech industries.
Story image
Let’s clear the cloud visibility haze with app awareness
Increasingly, organisations are heading for the cloud, initiating new born-in-the-cloud architectures and migrating existing applications via ‘lift and shift’ or refactoring.
Story image
Remote Working
Successful digital transformation in the hybrid work era is about embracing shifting goalposts
As organisations embraced remote working, many discovered they lacked the infrastructure needed to support history’s first global load test of remote work capabilities.
Story image
Vectra AI
Understanding the weight on security leader’s shoulders, and how to shift it
Millions of dollars of government funding and internal budgets are being funnelled into cybersecurity to build resilience against sophisticated threats, indicating how serious this issue has become.
Story image
Supply chain
Jetstack promotes better security with supply chain toolkit
The web-based resource is designed to help organisations evaluate and plan the crucial steps they need to establish effective software supply chain security.
Story image
Remote Working
How zero trust and SD-WANs can support productive remote working
The way people connect with applications and data has changed, users are remotely accessing resources that could be stored anywhere from a corporate data center to the cloud.
Story image
Nozomi Networks
Nozomi Networks, Siemens reveal software integration
Nozomi Networks and Siemens have extended their partnership by embedding Nozomi Networks’ software into the Siemens Scalance LPE local processing engine.
Story image
KnowBe4 celebrates reaching 50,000 customers worldwide
KnowBe4 has reached the milestone of 50,000 customers, adding nearly 2,500 in the first quarter of 2022 alone.
Story image
BeyondTrust integrates Password Safe solution with SailPoint
BeyondTrust has announced the integration of BeyondTrust Password Safe with SailPoint identity security offerings.
Story image
Managed service providers: effective scoping to avoid costly vendor pitfalls
Managed security services are outsourced services focusing on the security and resilience of business networks.
Story image
Artificial Intelligence
How to ensure ethical deployment of AI implementations
The increase in automation and machine technology such as AI and machine learning has unlocked a whole new level of scale and service to organisations. 
Story image
Noname Security partners with Netpoleon to target API issues
Specialist API security firm Noname Security has appointed Netpoleon as its distributor in Australia and New Zealand.
Threat actors are exploiting weaknesses in interconnected IT/OT ecosystems. Darktrace illuminates your entire business and takes targeted action to stop emerging attacks.
Link image
Story image
NCSC advisory highlights poor security configurations
The GCSB's National Cyber Security Centre (NCSC) has released a cyber security advisory identifying commonly exploited controls and practices.
Story image
Maintaining secure systems with expectations of flexible work
Most office workers feel they've proved they can work successfully from home, and as much as employers try, things aren't going back to the way they were anytime soon.
Story image
BlackBerry offers Kaspersky replacement cybersecurity for the channel
BlackBerry advises that users of Kaspersky software in Australia and New Zealand undertake a rigorous risk analysis of their current security posture.
Story image
Amazon Web Services / AWS
RedShield leverages AWS to scale cybersecurity services
"Working with AWS gives RedShield the ability to mitigate significant application layer DDoS attacks, helping leaders adopt best practices and security architectures."
Story image
The 'A-B-C' of effective application security
Software applications have been a key tool for businesses for decades, but the way they are designed and operated has changed during the past few years.
Story image
PwC NZ unveils new Cloud Security Operations Center
PwC New Zealand has unveiled its new Cloud Security Operations Center for the entire Microsoft technology stack.
Story image
Application Security
What are the DDoS attack trend predictions for 2022?
Mitigation and recovery are vital to ensuring brand reputation remains solid in the face of a Distributed Denial of Service (DDoS) attack and that business growth and innovation can continue.
Story image
Digital Transformation
Physical security systems guide the hybrid workplace to new heights
Organisations are reviewing how data gathered from their physical security systems can optimise, protect and enhance their business operations in unique ways.
Story image
New vulnerabilities found in Nuspire’s Q1 2022 Threat Report
“Threat actors are quickly adjusting their tactics and these exploits tend to get industry attention, but the threat posed by older and attacks still persists."
Story image
Video: 10 Minute IT Jams - An update from IronNet
Michael Ehrlich joins us today to discuss the history of IronNet and the crucial role the company plays in the cyber defence space.
Booster Innovation Fund. A fund of Kiwi ingenuity – for Kiwi investors.
Link image
Story image
Workato unveils enhancements to enterprise automation platform
"The extra layer of protection with EKM, zero-logging, and hourly key rotation gives customers a lot more visibility and control over more sensitive data."
Story image
Hard numbers: Why ambiguity in cybersecurity no longer adds up
As cybersecurity costs and risks continue to escalate, CEOs continue to struggle with what their investment in cyber protection buys. Getting rid of ambiguity becomes necessary.
Story image
Data Protection
Barracuda launches new capabilities for API Protection
"Every business needs this type of critical protection against API vulnerabilities and automated bot attacks," Barracuda says.
Story image
Google reveals new safety and security measures for users
Google's new measures include automatic two step verification, virtual cards and making it easier to remove contact information on Google Search results.
Story image
ChildFund launches new campaign to protect children online
ChildFund says WEB Safe & Wise aims to protect children from sexual exploitation and abuse online while also empowering them to become digitally savvy. 
Story image
Cloud Security
Aqua Security createa unified scanner for cloud native security
“By integrating more cloud native scanning targets into Trivy, such as Kubernetes, we are simplifying cloud native security."
Story image
Ivanti and Lookout bring zero trust security to hybrid work
Ivanti and Lookout have joined forces to help organisations accelerate cloud adoption and mature their zero trust security posture in the everywhere workplace.
Story image
Qualys updates Cloud Platform solution with rapid remediation
The new update is designed to enable organisations to fix asset misconfigurations, patch OS and third-party applications, and deploy custom software.
Story image
Artificial Intelligence
Updates from Google Workspace set to ease hybrid working troubles
Google Workspace has announced a variety of new features which will utilise Google AI capabilities to help make hybrid working situations more efficient and effective.
Story image
Palo Alto Networks says ZTNA 1.0 not secure enough
Palo Alto Networks is urging the industry to move to Zero Trust Network Access 2.0 because previous versions have major gaps in security protection.
Story image
Alarming surge in Conti Ransomware Group activity - report
A new report has identified a 7.6 per cent increase in the number of vulnerabilities tied to ransomware in Q1 2022.
Story image
Data backup plans inadequate, data still at risk - study
The Apricorn 2022 Global IT Security Survey revealed that while the majority organisations have data backup plans in place, data for many are at risk.
Story image
Tech job moves
Tech job moves - Datacom, Micro Focus, SnapLogic and VMware
We round up all job appointments from May 6-12, 2022, in one place to keep you updated with the latest from across the tech industries.
Story image
Ingram Micro Cloud adds Bitdefender solutions to marketplace
Ingram Micro Cloud has announced the expanded availability of Bitdefender solutions on the Ingram Micro Cloud Marketplace.
Story image
A10 Networks finds over 15 million DDoS weapons in 2021
A10 Networks notes that in the 2H 2021 reporting period, its security research team tracked more than 15.4 million Distributed Denial-of-Service (DDoS) weapons.
Story image
Cybersecurity starts with education
In 2021, 80% of Australian organisations responding to the Sophos State of Ransomware study reported being hit by ransomware. 
Story image
Absolute Software expands Secure Access product offering
Absolute Software is enhancing its Secure Access product portfolio, enabling minimised risk exposure and optimised user experiences in the hybrid working environment.
Story image
A third of companies paying ransom don’t recover data - report
Veeam's report finds 76% of businesses who are victims of cyberattacks paid the ransom to recover data, but a third were still unable to get their information back.
Story image
Sift shares crucial advice for preventing serious ATO breaches
Are you or your business struggling with Account Takeover Fraud (ATO)? One of the latest ebooks from Sift can provide readers with the tools and expertise to help launch them into the new era of account security.
Story image
Customer experience
Gartner recognises Okta for abilities in Access Management
Okta has announced it has been recognised as a Customers' Choice for the fourth time in a row in the Gartner Peer Insights "Voice of the Customer" report.