Acronyms and Glossary


Proof that a service or provider meets the trust criteria under the draft law and future regulations.

Accredited requestor

An entity which is accredited under the draft law to request data from a data holder, or request actions by the data holder. While other entities (who are not accredited) can request data or actions, data holders do not have to respond to these. Data holders are only required to respond to a request when the request comes from an accredited requestor and otherwise complies with the safeguards.

Action request

A request from a customer (or an accredited requestor on behalf of a customer) that a data holder perform an action. This could be making payments, or updating information. Sometimes referred to as ‘write access’.


Application Programming Interface


Not acting in accordance with the draft law, or regulations or standards under it.


Consumer Data Right


Customer authorisation for an entity to access data or perform an action on their behalf. A customer may revoke or withdraw consent at any time.

Consumer data right

A legal framework that requires businesses that hold data (data holders) to share prescribed data that they hold about customers (customer data) with trusted third parties (accredited requestors) with the consent of the customer.


A person – whether individual or entity – that acquires goods or services from a data holder.

Customer data

Data relating to a particular customer, eg account histories, transaction data, product usage. For the purposes of the draft law, customer data is only part of the regime where that type of data has been designated and/or the data holder has been designated.

Data holder

An entity that holds data (or is capable of giving effect to an action) to which the consumer data right applies. Only designated entities holding designated data are considered data holders under the draft law.


The process of choosing a sector and set of product data and customer data to be brought into the regulated data system established by the draft law.


Digital Identity Services Trust Framework Act 2023

Draft law

The Customer and Product Data Bill


Financial technology


Information Privacy Principle. The Privacy Act sets thirteen privacy principles to govern how businesses and organisations should collect, handle and use personal information.


Ministry of Business, Innovation and Employment

Regulated entities

Data holders and accredited requestors.