The ACCC has recently announced that they intend to recognise both ISO 27001 and the ATO's DSP Operational Framework as alternative accreditation methods for Consumer Data Right (CDR) at the unrestricted level. This move will potentially reduce the costs of CDR accreditation and open up the doors for more DSPs that are interested in becoming Accredited Data Restricted (ADRs).
This announcement is welcomed by the industry and it mirrors much of the work undertaken by ABSIA over the past 12 months. We continue to advocate for the use of the Security Standard for Add-on Marketplaces (SSAM) for third party consumers of CDR data. ABSIA Directors, along with our members, have been advocating for the Operational Framework to be leveraged in various CDR submissions and in meetings with the ATO, ACCC and Treasury.
Under schedule 2 of the CDR Rules, the ACCC intends to recognise both ISO 27001 and the Operational Framework as follows:
- ISO 27001 certifications will be recognised together with an additional scope assurance report to supplement the ISO 27001 controls; and
- The Operational Framework will be recognised where a person meets the framework requirements to its highest 'standard' for a particular software product. This will also apply to DSPs that have a product or service either more than 10,000 taxpayer or superannuation records.
The guidance materials for those interested in using ISO 27001 for certification is expected to be released by the end of October. For recognition of the DSP Operational Framework, the ACCC is still working through this with the ATO and the guidance material will be provided at a later date.
ABSIA supports the ACCC's commitment to leveraging existing standards that will reduce the costs and work needed for DSPs to become accredited under CDR. Further, with DSPs investing heavily in the Operational Framework, ABSIA strives to continue advocating for other areas of government and industry to consider leveraging the DSP Operational Framework and the Security Standard for Add-on Marketplaces (SSAM).