Data holders

Learn about data holders and where the data comes from in the Consumer Data Right - what they do, how sectors are designated, and their obligations under the Customer and Product Data Act.

What is a data holder?

A data holder is an organisation in a designated sector that holds customer or product data covered by the Customer and Product Data Act 2025. For example, specific banks in the banking sector are data holders.

Data holders play a key role in the Consumer Data Right by:

  • Giving customers access to their own data.
  • Sharing that data securely with accredited requestors when the customer authorises it.
  • Undertaking specific actions if the regulations allow it and a customer has authorised it.

How an organisation becomes a data holder

When a sector is first designated, organisations may be nominated to become data holders. This means they must be a data holder by law. Other organisations that meet the criteria of the sector regulations may choose to become data holders – this is called ‘opting in’.

Designation applies only to sectors formally brought under the CDR framework:

  • Banking is the first designated sector, enabling open banking, with five banks nominated to become data holders – these banks are called designated data holders.
  • Under the bank sector regulations, other deposit takers can volunteer to be data holders by notifying MBIE – this is called opting in.
  • Electricity is expected to be designated next and the regulations may nominate organisations to be data holders.
  • Other sectors like insurance and telecommunications may follow.

When a sector is designated, regulations specify:

  • Which organisations in that sector are data holders.
  • What data they must make available.
  • What actions they must perform when authorised by a customer.

If your organisation operates in a designated sector and meets the criteria in the regulations, you may be a data holder and must comply with the Act, regulations, and standards.

Responsibilities of data holders

Under the Act and supporting regulations, data holders must:

  • Provide designated customer data to an accredited requestor on a customer’s request.
  • Provide designated customer data to a customer on a customer’s request.
  • Perform certain actions (like initiating a payment or switching a plan) when requested and authorised by a customer.
  • Where specified in sector regulations, make designated product data (such as pricing or plan details) available in a standardised, machine-readable format.
  • Operate secure electronic systems that meet technical standards.
  • Comply with privacy and security requirements, and refuse requests where disclosure would create a significant risk of harm.
  • Follow all rules under the Customer and Product Data Act 2025.
  • Have clear complaints processes.
  • Act in line with the purpose and intended outcomes of the CDR regime.

These obligations are set out in Part 2 of the Customer and Product Data Act 2025 and detailed in regulations and standards for each sector.

MBIE and the Office of the Privacy Commissioner – working together

Whilst the CDR is enabled by the Customer and Product Data Act 2025, organisations must also fulfil their obligations under the Privacy Act 2020, as with all of their activity. The CDR specifies how organisations must meet their storage and security obligations under the Privacy Act, and how organisations should treat requests for customer data, which can include personal information.

The Ministry of Business, Innovation and Employment (MBIE) is responsible for sector designation, accreditation of data recipients and oversight of regulated data services. The Office of the Privacy Commissioner (OPC) regulates breaches of the CDR regime that involve personal information.

We work closely together to monitor compliance, support participants, and take action if any rules are broken.

What it means to opt in as a data holder

If your organisation operates in a designated sector and meets the criteria set out in the regulations, you can choose to become a data holder even if you are not nominated by law. This is called opting in. Opting in means your organisation will take on the same responsibilities as other data holders under the Customer and Product Data Act 2025, including:

  • providing customer and product data in line with the regulations
  • meeting security and privacy requirements
  • complying with technical standards

What to do if you want to opt in

If you are considering opting in, contact the Consumer Data Right (CDR) team at MBIE to discuss what this involves and the steps you need to take. We will:

  • work with you to understand the obligations and technical requirements
  • confirm whether your organisation meets the criteria
  • guide you through the notification process

Contact the CDR team with your organisation’s details and a brief description of your interest in opting in.

Where to find the current list of data holders

MBIE maintains a Register of Participants, which includes:

  • All data holders.
  • All accredited requestors.

You can view the Register of Participants. It will be updated as new sectors are designated and participants join the regime.

Join our mailing list

If you want to get updates about regulations and standards related to the CDR, email us to join our mailing list.

Last updated: 01 December 2025