(1) The Information Commissioner may assess whether a CDR participant, or designated gateway, for CDR data is maintaining and handling the CDR data in accordance with:
(a) the privacy safeguards; or
(b) the consumer data rules to the extent that those rules relate to:
(i) the privacy safeguards; or
(ii) the privacy or confidentiality of the CDR data.
(1A) The Information Commissioner may assess whether an accredited person who may become an accredited data recipient of CDR data is complying with:
(a) section 56ED (about privacy safeguard 1); or
(b) the consumer data rules to the extent that those rules relate to that section.
(1B) The Information Commissioner may assess whether an action service provider for a type of CDR action, who has been or may be disclosed CDR data under the consumer data rules, is maintaining and handling the CDR data in accordance with:
(a) the privacy safeguards; or
(b) the consumer data rules to the extent that those rules relate to:
(i) the privacy safeguards; or
(ii) the privacy or confidentiality of the CDR data.
(2) The Information Commissioner may conduct an assessment under subsection (1), (1A) or (1B) in such manner as the Information Commissioner considers fit.
(3) The Information Commissioner may report to the Minister, the Commission or the Data Standards Chair about an assessment under subsection (1), (1A) or (1B).