01 | CDR Rule | MUST | (1) Subject to subrule (5), an accredited person must provide each eligible CDR consumer on whose behalf the accredited person makes a consumer data request with an online service that:
(a) can be used by the CDR consumer to manage:
(i) such requests; and
(ii) associated consents; and
(b) contains the details of each consent specified in subrule (3) and the information specified in subrule (3A); | CDR Rule 1.14(1)(a)–(b) | 4CM1.00.01 | |
02 | CDR Rule | MUST | (2) Such a service is the accredited person’s consumer dashboard for that consumer. | CDR Rule 1.14(2) | 4CM1.00.02 | |
03 | CDR Rule | MUST | (1) An accredited person must update a CDR consumer’s consumer dashboard as soon as practicable after the information required to be contained on the dashboard changes. | CDR Rule 4.19(1) | 4CM1.00.03 | |
04 | CDR Rule | MUST | (3) For paragraph (1)(b), the information is the following for each consent:
(g) if the consent is not current—when it expired; | CDR Rule 1.14(3)(g) | 4CM1.00.04 | |
05 | CDR Rule | MUST | (3) For paragraph (1)(b), the information is the following for each consent:
(b) for a use consent―details of the specific use or uses for which the CDR consumer has given their consent; | CDR Rule 1.14(3)(b) | OAIC Chapter C: Consent (Data minimisation principle) | 4CM1.00.05 | |
06 | CDR Rule | MUST | (3) For paragraph (1)(b), the information is the following for each consent:
(c) when the CDR consumer gave the consent; | CDR Rule 1.14(3)(c) | 4CM1.00.06 | |
07 | CDR Rule | MUST | (3) For paragraph (1)(b), the information is the following for each consent:
(f) if the consent is current—when it is scheduled to expire;
Note 1: For paragraph (f), consents expire at the latest 12 months (or 7 years for certain consents by a CDR business consumer) after they are given or, in some circumstances, amended: see paragraph 4.14(1)(c). | CDR Rule 1.14(3)(f), (Note 1) | 4CM1.00.07 | |
09 | CDR Rule | MUST | (1) Subject to subrule (5), an accredited person must provide each eligible CDR consumer on whose behalf the accredited person makes a consumer data request with an online service that:
(c) allows the CDR consumer, at any time, to withdraw a current consent; and
(d) as part of the process of withdrawing a consent, displays a message, in accordance with the data standards, about the consequences of proceeding with withdrawing a consent; | CDR Rule 1.14(1)(c)–(d) | 4CM1.00.09 | |
10 | CDR Rule | MUST | (2A) The consumer dashboard may also allow a CDR consumer to amend a current consent. | CDR Rule 1.14(2A) | 4CM1.00.10 | |
11 | CDR Rule | MUST | (3) For paragraph (1)(b), the information is the following for each consent:
(a) details of the CDR data to which the consent relates; | CDR Rule 1.14(3)(a) | 4CM1.00.11 | |
12 | CDR Rule | MUST | (3) For paragraph (1)(b), the information is the following for each consent:
(h) information relating to CDR data that was collected or disclosed pursuant to the consent (see rules 7.4 and 7.9); | CDR Rule 1.14(3)(h) | 4CM1.00.12 | |
13 | CDR Rule | MUST | (1) For section 56EH of the Act, and subject to subrule (2), an accredited data recipient that collected the CDR data in accordance with section 56EF of the Act as a result of a collection consent must update the person’s consumer dashboard as soon as practicable to indicate:
(a) what CDR data was collected; and
(b) when the CDR data was collected; and
(c) the CDR participant for the CDR data from which the CDR data was collected. | CDR Rule 7.4(1) | CDR Privacy Safeguard Guidelines: Privacy Safeguard 5 | 4CM1.00.13 | |
14 | CDR Rule | MUST | (3) For paragraph (1)(b), the information is the following for each consent:
(d) whether the consent applies:
(i) on a single occasion; or
(ii) over a period of time; | CDR Rule 1.14(3)(d) | 4CM1.00.14 | |
15 | CDR Rule | MUST | (3) For paragraph (1)(b), the information is the following for each consent:
(e) if a collection consent or disclosure consent applies over a period of time:
(i) what that period is; and
(ii) how often data has been, and is expected to be, collected or disclosed over that period; | CDR Rule 1.14(3)(e) | 4CM1.00.15 | |
16 | CDR Rule | MUST | (8) For paragraph 56ED(7)(b) of the Act, the CDR entity must make its CDR policy readily available through each online service by means of which the CDR entity, or a CDR representative of the CDR entity, ordinarily deals with CDR consumers.
(9) For subsection 56ED(8) of the Act, if a copy of the CDR entity’s policy is requested by a CDR consumer, the CDR entity must give the CDR consumer a copy:
(a) electronically; or
(b) in hard copy;
as directed by the consumer. | CDR Rule 7.2(8), (9) | 4CM1.00.16 | |
17 | CX Guideline | MAY | Data recipients and data holders should provide the consumer with a contextual 'walkthrough’ or ‘tutorial' to introduce them to the concept of the dashboard if they are not familiar with it. | | 4CM1.00.17 | |
18 | CX Guideline | MAY | Data recipients should prioritise information that is important to consumers. This may include using tabs (e.g. active, pending, archived), or presenting key details up front, such as when consent was granted. | CX Workshop: Manage and withdraw | 4CM1.00.18 | |
19 | CX Guideline | MAY | Data recipients should allow consumers to search, sort, and filter their data sharing arrangements in a way that is aligned to the outcomes consumers are seeking.
For example, a consumer may want to sort by data recipient, data cluster, or by a user-defined tag. | 10 Usability Heuristics for User Interface Design: Flexibility and efficiency of use (Nielsen) | 4CM1.00.19 | |
20 | CX Guideline | MAY | Data recipients should organise consents by data holder brand names in a way that is consistent with how data holders are referenced in the provider/data holder selection step when consent is first being sought. | 10 Usability Heuristics for User Interface Design: Match Between the System and the Real World (Nielsen) | 4CM1.00.20 | |
21 | CX Guideline | MAY | Data recipients should allow consumers to create user-defined tags, names, and/or descriptions (e.g. home deposit) for each data sharing arrangement. | CX Workshop: Manage and withdraw | 4CM1.00.21 | |
22 | CX Guideline | MAY | Data recipients should include a link to the data holder's specific page on www.cdr.gov.au/find-a-provider for verification purposes. | | 4CM1.00.22 | |
23 | CX Guideline | MAY | Data recipients should organise consents by referring to the use case/purpose, the brand name, and software product name to aid consent and authorisation recognitions and management across dashboards. | 10 Usability Heuristics for User Interface Design: Match Between the System and the Real World (Nielsen) | 4CM1.00.23 | |
24 | CX Guideline | MAY | Data recipients should show the status of the consent, which may refer to it being 'active', 'cancelled', 'expired', or relating to a 'once-off’ instance of sharing. | CX Workshop: Manage and withdraw | 4CM1.00.24 | |
25 | CX Guideline | MAY | Data recipients should prioritise information that is important to consumers and structure the presentation in a way that reduces cognitive overload.
This may include progressive disclosure design patterns (e.g. accordion menus), UX writing (e.g. microcopy), and visual aids (e.g. to display time-based qualities of consent). | CX Research 8, 19 | 4CM1.00.25 | |
26 | CX Guideline | MAY | Data recipient dashboards should display which accounts they are collecting data from to facilitate consumer comprehension and consent management. | | 4CM1.00.26 | |
27 | CX Guideline | MAY | Data recipients should allow consumers to download and/or request a record of the sharing arrangement, and/or a copy of their Receipt(s). | | 4CM1.00.27 | |
28 | CX Guideline | MAY | Consumers may be allowing a data recipient to collect, use, and disclose their data according to the varying types of consents. This means 'sharing' may not always be the most appropriate or flexible language to use.
Data recipients should tailor language to the consent type, but may consider using generic terms such as 'access' to apply to the range of consent types. CX research suggested this language was comprehensible.
If a generic term is used to apply to an array of consent types or actions, data recipients should provide additional explanations to clarify what the precise consent types or actions mean in the context of that term. | CX Research 29 | 4CM1.00.28 | |
29 | CX Guideline | MAY | Data recipients may allow consumers to add or remove accounts from an existing consent.
This process may be initiated by the ADR, such as by inviting them to add new account types to an existing consent, or by allowing the consumer to trigger this process on their ADR consumer dashboard.
The account amendment process should trigger the consent flow and DH authentication/authorisation process to add or remove the account(s) from the associated authorisation.
Data recipients should supply the relevant cdr_arrangement_id to the DH when seeking to have a current authorisation amended. | | 4CM1.00.29 | |
30 | CX Guideline | MAY | Data recipients should explain how the time period complies with the data minimisation principle (DMP) for data that is yet to be generated (e.g. for an ongoing consent) as well as historical data (e.g. for a collection on a 'single occasion').
Example DMP statement for data that is yet to be generated:
We're accessing your data for 12 months so [we can update your financial position in real-time] to [deliver accurate and tailored personal financial management].
Example DMP statement for historical data:
We're accessing data that dates back to [earliest date of record] so [we can assess seasonal changes] to [provide an accurate energy comparison]. | CDR Rule 1.8 | 4CM1.00.30 | |
31 | CX Guideline | MAY | Data recipients should present the purpose in relation to each data cluster unless this statement applies equally to all datasets.
If the statement applies equally to all datasets, data recipients should present this to the consumer clearly in relation to all of the datasets.
This information should clearly communicate the purposes and benefits of data sharing to the consumer. | | 4CM1.00.31 | |
32 | CX Guideline | MAY | Privacy Safeguard 5
For ongoing data sharing: Data recipients may include the date range between which CDR data will be collected (dates of initial and final collection), as well as frequency of data collection.
For single or ‘once-off’ disclosure: Data recipients may include the date on which the CDR data was collected (date of initial collection).
Note: The example provided is context dependent. Please refer to Privacy Safeguard 5 for more guidance. | CDR Rule 7.4 | CDR Privacy Safeguard Guidelines: Privacy Safeguard 5 | 4CM1.00.32 | |
33 | CX Guideline | MAY | Data recipients should use the phrases ‘Granted’, 'Expire' and ‘Sharing period’ to refer to the time-based qualities of the data sharing arrangement. | | 4CM1.00.33 | |
34 | CDR Rule | MUST | (1) Subject to subrule (5), an accredited person must provide each eligible CDR consumer on whose behalf the accredited person makes a consumer data request with an online service that:
(e) allows the CDR consumer to elect that redundant data be deleted in accordance with these rules and be able to withdraw such an election; | CDR Rule 1.14(1)(e) | 4CM1.00.34 | |
35 | CDR Rule | MUST | (3A) For paragraph (1)(b), the other information is:
(a) a statement that the CDR consumer is entitled to request further records in accordance with rule 9.5; and
(b) information about how to make such a request. | CDR Rule 1.14(3A) | 4CM1.00.35 | |
36 | CDR Rule | MUST | (2) A CDR consumer may request an accredited data recipient for copies of records relating to the information referred to in:
(a) paragraphs 9.3(2)(a), (b), (c), (d), (da), (e), (ea), (eb), (ec), (ed), (ee), (ef), (eg), (f) and (m); and
(b) paragraphs 9.3(2A)(d), (e), (f), (g), (ga), (h), (ha), (hb), (hc), (i) and (o);
that relates to the CDR consumer. | CDR Rule 9.5(2) | 4CM1.00.36 | |
37 | CX Guideline | MAY | Data recipients are encouraged to surface information on dispute resolution and making a complaint. This may include:
• a link to the complaints section of the ADR’s CDR policy; and/or
• a summary of the complaint handling process. | CX Research: 2020 Phase 3, Round 4 and 5 report | 4CM1.00.37 | |
38 | CX Guideline | MAY | Data recipients can refer to accounts using recognised nicknames, icons, account numbers, and account type. They can also include any known information on other elements the account may refer to such as any related plans, services, properties, numbers, and products. | | 4CM1.00.38 | |
40 | CX Guideline | MAY | To build consumer trust and confidence, data recipients should surface information about data deletion. This may include details from their CDR policy, as stated in CDR Rule 7.2(4)(k), and a link to read the policy. CX research highlighted the importance of including:
• when data will be deleted;
• why data may need to be retained (e.g. business or legal reasons);
• how the data will be deleted, this may include timeframes. | CDR Rule 7.2(4)(k) | CX Research: 2020 Phase 3, Round 3 report; 2021 Disclosure Consent report | 4CM1.00.40 | |
41 | CX Guideline | MAY | These artefacts demonstrate what a consumer might see where an ADR has a policy to delete redundant data by default.
As per CDR Rule 1.14(1)(e), where an ADR will de-identify redundant data instead of deleting it, the ADR is required to provide the consumer with the ability to elect that redundant data be deleted instead. ADRs should consider providing this functionality in a way that is consistent with any other data handling information and functionality, and may surface the right to delete election in a location similar to the 'Data handling' component found on this screen. | | 4CM1.00.41 | |
42 | CX Guideline | MAY | CX research suggested that further information on data handling, including from government sources, can aid comprehension and confidence for Sceptic, Assurance Seeker and Sensemaker behavioural archetypes. Based on these insights, data recipients are encouraged to provide a link to OAIC’s guidance on Privacy Safeguard 12, which outlines information on data security and redundant data handling. | CDR Privacy Safeguard Guidelines: Privacy Safeguard 12 | CX Research: 2021 Disclosure Consent report | 4CM1.00.42 | |
43 | CDR Rule | MUST | (1) Subject to subrule (5), an accredited person must provide each eligible CDR consumer on whose behalf the accredited person makes a consumer data request with an online service that:
(f) is simple and straightforward to use; and
(g) is prominently displayed and readily accessible to the CDR consumer. | CDR Rule 1.14(1)(f)–(g) | 4CM1.00.43 | |
44 | CX Guideline | MAY | In addition to the CX Standards for CDR receipt delivery, data recipients should also make the CDR receipt available on the dashboard. | Notification Standards, CDR Receipt: Delivery | 4CM1.00.44 | |
