Wireframe ref | Type | Requirement level | Statement | Reference | Checklist ref | Focus area |
|---|---|---|---|---|---|---|
01 | CDR Rule | MUST | (1) If a data holder receives a consumer data request from an accredited person on behalf of a CDR consumer, the data holder must, in the circumstances specified in a sector Schedule, ensure that it provides the CDR consumer with an online service that: (a) can be used by the CDR consumer to manage authorisations to disclose CDR data in response to the request; and (b) contains the details of each authorisation to disclose CDR data specified in subrule (3); and (ba) contains any information in the data standards that is specified as information for the purposes of this rule; and (bb) contains any information on the Register of Accredited Persons that is specified as information for the purposes of this rule; (2) Such a service is the data holder’s consumer dashboard for that consumer. Note: If the consumer data request relates to a joint account, there may be an obligation to provide all joint account holders with consumer dashboards: see rule 4A.13. | CDR Rule 1.15(1)(a),(b),(ba),(bb), (2) | 5CM1.00.01 | |
02 | CDR Rule | MUST | A data holder must update a CDR consumer’s consumer dashboard as soon as practicable after the information required to be contained on the dashboard changes. | CDR Rule 4.27 | 5CM1.00.02 | |
03 | CDR Rule | MUST | (3) For paragraph (1)(b) and paragraph (5)(a), the information is the following for each authorisation: (f) information relating to CDR data that was disclosed pursuant to the authorisation (see rule 7.9); (g) for a disclosure of CDR data that relates to the authorisation but that was pursuant to a request under subsection 56EN(4) of the Act—that fact. | CDR Rule 1.15(3)(f),(g) | 5CM1.00.03 | |
04 | CDR Rule | MUST | (1) If a data holder receives a consumer data request from an accredited person on behalf of a CDR consumer, the data holder must, in the circumstances specified in a sector Schedule, ensure that it provides the CDR consumer with an online service that: (c) allows the CDR consumer, at any time, to withdraw a current authorisation; | CDR Rule 1.15(1)(c) | 5CM1.00.04 | |
05 | CDR Rule | MUST | (3) For paragraph (1)(b) and paragraph (5)(a), the information is the following for each authorisation: (a) details of the CDR data that has been authorised to be disclosed | CDR Rule 1.15(3)(a) | 5CM1.00.05 | |
06 | CDR Rule | MUST | (3) For paragraph (1)(b) and paragraph (5)(a), the information is the following for each authorisation: (b) when the CDR consumer gave the authorisation; (c) the period for which the CDR consumer gave the authorisation; (d) if the authorisation is current—when it is scheduled to expire; (e) if the authorisation is not current—when it expired; | CDR Rule 1.15(3)(b)–(e) | 5CM1.00.06 | |
07 | CDR Rule | MUST | (1) For subsection 56EM(1) of the Act, a data holder that discloses CDR data to an accredited person as a result of a consumer data request must, as soon as practicable, update each consumer dashboard that relates to the request to indicate: (a) what CDR data was disclosed; and (b) when the CDR data was disclosed; and (c) the accredited data recipient, identified in accordance with any entry on the Register of Accredited Persons specified as being for that purpose. Note 1: For correction requests, see section 56EP of the Act (privacy safeguard 13) and Subdivision 7.2.5 of these rules. Note 2: If a consumer data request is made that relates to a joint account, the other joint account holder’s consumer dashboard may not be required to be similarly updated. See rule 4A.13. Note 3: See paragraph 1.15(3)(f). Note 4: See subrule 1.16(5) for how this rule applies where the CDR data is collected by an accredited person acting as a direct or indirect OSP to the accredited data recipient. | CDR Rule 7.9(1) | CDR Privacy Safeguard Guidelines: Privacy Safeguard 10 | 5CM1.00.07 | |
08 | CX Guideline | MAY | Data holders should prioritise information that is important to consumers. This may include using tabs (e.g. active, pending, archived), or presenting key details up front, such as when consent was granted. | 5CM1.00.08 | ||
09 | CX Guideline | MAY | Data holders should allow consumers to search, sort, and filter their data sharing arrangements in a way that is aligned to the outcomes consumers are seeking. Example: A consumer may want to sort by data recipient, data cluster, or by a user-defined tag. | 10 Usability Heuristics for User Interface Design: Flexibility and efficiency of use (Nielsen) | 5CM1.00.09 | |
10 | CX Guideline | MAY | If scrolling is required to view the total number of CDR participants, data holders should provide search functionality. | 10 Usability Heuristics for User Interface Design: Flexibility and efficiency of use (Nielsen) | 5CM1.00.10 | |
11 | CX Guideline | MAY | Data holders should organise authorisations using the brand and software product name of the ADR. The logo held at the brand level should also be presented in relation to the authorisation to aid recognition and management. | 5CM1.00.11 | ||
12 | CX Guideline | MAY | Data holders should use the phrase 'Stop access', 'Stop sharing' or 'Stop data sharing' to refer to how a consumer can withdraw authorisation. A generic term like ‘stop access’ can refer to withdrawing authorisations or actions. If data holders use this wording, they should clarify its meaning with context-specific explanations. CX research found this wording easy to understand. | 5CM1.00.12 | ||
13 | CX Guideline | MAY | Data holders should provide CDR Receipts reflecting the details of the authorisation shown on a consumer's dashboard. CDR Receipts should be provided in writing, such as in an email, when: 1. Authorisations are successfully established 2. Authorisations are withdrawn 3. Authorisations expire 4. Authorisations are amended CDR receipts should also outline details on complaint handling and resolution processes. Dashboards should provide a way for consumers to request a copy of their CDR receipts. | 5CM1.00.13 | ||
14 | CX Guideline | MAY | Data holders should show the status of the consent, which may refer to it being 'active', 'cancelled' or 'expired'. Data holders should also indicate the status of data sharing to consumers, which may include that data sharing has been paused or interrupted. | 5CM1.00.14 | ||
15 | CX Guideline | MAY | Data holder consumer dashboards should show details of any historical CDR data that was disclosed to reflect the equivalent requirement in rule 4.23(1)(b) for the authorisation flow, see CX Checklist ref 3AU.02.17. | CDR Rule 4.23(1)(b) | 5CM1.00.15 | |
16 | CX Guideline | MAY | Data holders should nudge consumers to be more privacy conscious and should use appropriate interventions to facilitate comprehension and consumer control. This can be done in a variety of ways, including through the use of design patterns like progressive disclosure, micro and/or descriptive copy, and with the use of micro-interactions. | 5CM1.00.16 | ||
17 | CX Guideline | MAY | This artefact demonstrates how data holders can comply with Privacy Safeguard 10 for the purposes of CDR Rule 7.9(1). The data holder can use the authorisation expiry date where they do not know the final disclosure date. The date of final disclosure should be updated as soon as practicable when this date is known. This artefact does not demonstrate the requirements for other privacy safeguards referred to in CDR Rule 7.9. | CDR Rule 7.9(1) | CDR Privacy Safeguard Guidelines: Privacy Safeguard 10 | 5CM1.00.17 | |
18 | CX Guideline | MAY | Data holders should use the phrases ‘Granted’, 'Expired', ‘Access period’ and ‘When we've shared your data’ to refer to the time-based qualities of the data sharing arrangement. | 5CM1.00.18 | ||
19 | CX Guideline | MAY | Data holders should show the account(s) shared as part of the data sharing arrangement. It is at the discretion of data holders to provide functionality to add/remove additional accounts from the data sharing arrangement. | 5CM1.00.19 | ||
20 | CX Guideline | MAY | Data holders should prioritise information that is important to consumers and structure the presentation in a way that reduces cognitive overload. This may include progressive disclosure design patterns (e.g. accordion menus), UX writing (e.g. microcopy), and visual aids (e.g. to display time-based qualities of consent). | 5CM1.00.20 | ||
21 | CX Guideline | MAY | Data holders should provide a link for consumers to verify a data recipient’s accreditation via the CDR website (https://www.cdr.gov.au/find-a-provider). | CX Research: 2019 Phase 2, Stream 1 report; 2020 Phase 3, Round 3 report | 5CM1.00.21 | |
23 | CX Guideline | MAY | Data holders should surface the legal entity name of the data recipient associated with the authorisation | 5CM1.00.23 | ||
24 | CX Guideline | MAY | Privacy Safeguard 10 For ongoing data sharing: Data holders may include the date range between which CDR data will be disclosed (dates of initial and final disclosure). For single or ‘once-off’ disclosure: Data holders may include the date on which the CDR data was disclosed (date of initial disclosure). Note 1: The example provided is context dependent. Please refer to Privacy Safeguard 10 for more guidance. Note 2: Refer to the CDR Rules for exceptions to CDR Rule 7.9 for joint accounts | CDR Rule 7.9 | CDR Privacy Safeguard Guidelines: Privacy Safeguard 10 | 5CM1.00.24 | |
25 | CDR Rule | MUST | For paragraph 56ED(7)(b) of the Act, the CDR entity must make its CDR policy readily available through each online service by means of which the CDR entity, or a CDR representative of the CDR entity, ordinarily deals with CDR consumers. (9) For subsection 56ED(8) of the Act, if a copy of the CDR entity’s policy is requested by a CDR consumer, the CDR entity must give the CDR consumer a copy: (a) electronically; or (b) in hard copy; as directed by the consumer. | CDR Rule 7.2(8), (9) | 5CM1.00.25 | |
26 | CX Guideline | MAY | As per CDR Rule 7.2(8), the CDR policy is required to be made available on each online service ordinarily used to deal with consumers, such as their website and mobile applications, including consumer dashboards. | CDR Rule 7.2(8) | OAIC guidance on Privacy Safeguard 1 | OAIC Guide to developing a CDR policy (Step 5) | 5CM1.00.26 | |
27 | CX Guideline | MAY | Data holders can refer to accounts using recognised nicknames, icons, account numbers, and account type. They can also include information on other elements the account may refer to such as any related plans, services, properties, numbers, and products. | 5CM1.00.27 | ||
28 | CX Standard | MUST | Data holders MUST advise consumers to check with the relevant data recipient for information about how their data may be handled. The precise wording of this message is at the discretion of the data holder. The data holder MAY consider using or paraphrasing the following message: • ‘You should check with [ADR brand/the data recipient] for more information on how they are handling your data, and for any other permissions you may have given them. See [ADR]’s CDR policy or their Dashboard for more information.’ | Dashboard Standards, Data Holder Dashboards, Data Holder Dashboard: Data recipient handling details | 5CM1.00.28 | |
29 | CX Guideline | MAY | Data holders should use the Brand Name of the data recipient wherever the data recipient is referenced in consumer-facing processes, on the consumer dashboard and in relation to the requirement Dashboard Standards, Data Holder Dashboards, Data Holder Dashboard: Data recipient handling details. | 5CM1.00.29 | ||
30 | CDR Rule | MUST | (1) If a data holder receives a consumer data request from an accredited person on behalf of a CDR consumer, the data holder must, in the circumstances specified in a sector Schedule, ensure that it provides the CDR consumer with an online service that: (e) is simple and straightforward to use, and is no more complicated to use than the process for giving the authorisation to disclose CDR data; and (f) is prominently displayed and readily accessible to the CDR consumer; | CDR Rule 1.15(1)(e), (f) | 5CM1.00.30 |