Wireframe ref | Type | Requirement level | Statement | Reference | Checklist ref | Focus area |
|---|---|---|---|---|---|---|
01 | CDR Rule | MUST | (1) Subject to subrule (5), an accredited person must provide each eligible CDR consumer on whose behalf the accredited person makes a consumer data request with an online service that: (a) can be used by the CDR consumer to manage: (i) such requests; and (ii) associated consents; and (b) contains the details of each consent specified in subrule (3) and the information specified in subrule (3A); | CDR Rule 1.14(1)(a), (b) | 4CM1.01.01 | |
02 | CDR Rule | MUST | (2) Such a service is the accredited person’s consumer dashboard for that consumer. | CDR Rule 1.14(2) | 4CM1.01.02 | |
03 | CDR Rule | MUST | (3) For paragraph (1)(b), the information is the following for each consent: (g) if the consent is not current—when it expired; | CDR Rule 1.14(3)(g) | 4CM1.01.03 | |
04 | CDR Rule | MUST | (3) For paragraph (1)(b), the information is the following for each consent: (c) when the CDR consumer gave the consent; | CDR Rule 1.14(3)(c) | 4CM1.01.04 | |
05 | CDR Rule | MUST | (3) For paragraph (1)(b), the information is the following for each consent: (f) if the consent is current—when it is scheduled to expire; Note 1: For paragraph (f), consents expire at the latest 12 months (or 7 years for certain consents by a CDR business consumer) after they are given or, in some circumstances, amended: see paragraph 4.14(1)(c). | CDR Rule 1.14(3)(f), (Note 1) | 4CM1.01.05 | |
06 | CDR Rule | MUST | (3) For paragraph (1)(b), the information is the following for each consent: (e) if a collection consent or disclosure consent applies over a period of time: (i) what that period is; and (ii) how often data has been, and is expected to be, collected or disclosed over that period; | CDR Rule 1.14(3)(e) | 4CM1.01.06 | |
08 | CDR Rule | MUST | (8) For paragraph 56ED(7)(b) of the Act, the CDR entity must make its CDR policy readily available through each online service by means of which the CDR entity, or a CDR representative of the CDR entity, ordinarily deals with CDR consumers. (9) For subsection 56ED(8) of the Act, if a copy of the CDR entity’s policy is requested by a CDR consumer, the CDR entity must give the CDR consumer a copy: (a) electronically; or (b) in hard copy; as directed by the consumer. | CDR Rule 7.2(8), (9) | 4CM1.01.08 | |
09 | CDR Rule | MUST | (1) Subject to subrule (5), an accredited person must provide each eligible CDR consumer on whose behalf the accredited person makes a consumer data request with an online service that: (c) has a functionality that: (i) allows a CDR consumer, at any time, to: (A) withdraw current consents; and (B) elect that redundant data be deleted in accordance with these rules and withdraw such an election; and (ii) is simple and straightforward to use; and (iii) is prominently displayed. | CDR Rule 1.14(1)(c) | 4CM1.01.09 | |
10 | CDR Rule | MUST | (3) For paragraph (1)(b), the information is the following: (a) details of the CDR data to which the consent relates; | CDR Rule 1.14(3)(a) | 4CM1.01.10 | |
11 | CDR Rule | MUST | (3) For paragraph (1)(b), the information is the following for each consent: (h) information relating to CDR data that was collected or disclosed pursuant to the consent (see rules 7.4 and 7.9); | CDR Rule 1.14(3)(h) | 4CM1.01.11 | |
12 | CDR Rule | MUST | (2) For subsection 56EM(2) of the Act, an accredited data recipient that discloses CDR data to an accredited person must, as soon as practicable, update each consumer dashboard that relates to the request to indicate: (a) what CDR data was disclosed; and (b) when the CDR data was disclosed; and (c) the accredited person, identified in accordance with any entry on the Register of Accredited Persons specified as being for that purpose. | CDR Rule 7.9(2) | CDR Privacy Safeguard Guidelines: Privacy Safeguard 10 | 4CM1.01.12 | |
13 | CDR Rule | MUST | (3) For paragraph (1)(b), the information is the following for each consent: (d) whether the consent applies: (i) on a single occasion; or (ii) over a period of time; | CDR Rule 1.14(3)(d) | 4CM1.01.13 | |
14 | CX Standard | MUST | In the course of seeking a consumer’s consent to disclose data as part of a disclosure consent: 1. Data Recipients MUST specify which CDR Participant(s) they collected the associated CDR data from; 2. Data Recipients SHOULD specify the sector(s) the data was collected from or associated with. Note: • Point (1) only requires the Data Recipient to refer to the CDR Participant(s) immediately preceding them in the disclosure chain, which may not always include a consumer’s Data Holder(s); • This standard is proposed to apply to all data to be disclosed by a Data Recipient, including unmodified, aggregated, derived, and transformed CDR data; • Where applicable, the existing data language standards apply to descriptions of CDR data that have not been modified. | 4CM1.01.14 | ||
15 | CX Standard | MUST | If: 1. An accredited person is seeking a collection consent to collect CDR data from a particular accredited data recipient; or 2. An accredited data recipient is seeking a disclosure consent from a consumer to disclose CDR data; and the data subject to the disclosure or collection is not within the data language standards as it does not relate to a relevant data cluster, then that data MUST be described in language that is as easy to understand as practicable. | Consent Standards, Disclosure Consent: Descriptions of Data to be Collected and Disclosed | 4CM1.01.15 | |
16 | CX Guideline | MAY | Data recipients should prioritise information that is important to consumers. This may include using tabs (e.g. active, pending, inactive), or presenting key details up front, such as when consent was granted. | 4CM1.01.16 | ||
17 | CX Guideline | MAY | Data recipients should allow consumers to search, sort, and filter their data sharing arrangements in a way that is aligned to the outcomes consumers are seeking. For example, a consumer may want to sort by data recipient, data cluster, or by a user-defined tag. | 10 Usability Heuristics for User Interface Design: Flexibility and efficiency of use (Nielsen) | 4CM1.01.17 | |
18 | CX Guideline | MAY | Data recipients should organise disclosures to accredited persons using the brand and software product name. The logo held at the brand level should also be presented in relation to the consent to aid recognition and management. | 4CM1.01.18 | ||
19 | CX Guideline | MAY | Data recipients should surface the legal entity of the ADR being disclosed to for the AP Disclosure. | 4CM1.01.19 | ||
20 | CX Guideline | MAY | Data recipients should provide a link for consumers to verify a data recipient's accreditation via the CDR website. The following link could be used for this purpose: https://www.cdr.gov.au/find-a-provider | CX Research: 2019 Phase 2, Stream 1 report; 2020 Phase 3, Round 3 report | 4CM1.01.20 | |
21 | CX Guideline | MAY | Data recipients should show the status of the consent, which may refer to it being 'active', 'cancelled', 'expired', or relating to a 'once-off’ instance of sharing. | 4CM1.01.21 | ||
22 | CX Guideline | MAY | Data recipients should communicate that certain information may not be available on their consumer dashboard and should advise consumers to check with the data recipient for additional information. | 4CM1.01.22 | ||
23 | CX Guideline | MAY | Data recipients should prioritise information that is important to consumers and structure the presentation in a way that reduces cognitive overload. This may include progressive disclosure design patterns (e.g. accordion menus), UX writing (e.g. microcopy), and visual aids (e.g. to display time-based qualities of consent). | 4CM1.01.23 | ||
24 | CX Guideline | MAY | Data recipients should allow consumers to download and/or request a record of the sharing arrangement, and/or a copy of their Receipt(s). | 4CM1.01.24 | ||
25 | CX Guideline | MAY | Consumers may be allowing a data recipient to collect, use, and disclose their data according to the varying types of consents. This means 'sharing' may not always be the most appropriate or flexible language to use. Data recipients should tailor language to the consent type, but may consider using generic terms such as 'access' to apply to the range of consent types. CX research suggested this language was comprehensible. If a generic term is used to apply to an array of consent types or actions, data recipients should provide additional explanations to clarify what the precise consent types or actions mean in the context of that term. | 4CM1.01.25 | ||
26 | CX Guideline | MAY | The details of CDR data associated with the disclosure consent should include the collection source, sector reference, and any other data descriptions presented to the consumer as outlined in the disclosure consent standards. | 4CM1.01.26 | ||
27 | CX Guideline | MAY | Privacy Safeguard 10 For ongoing data sharing: Data recipients may include the date range between which CDR data will be disclosed (dates of initial and final disclosure). For single or ‘once-off’ disclosure: Data recipients may include the date on which the CDR data was disclosed (date of initial disclosure). If a data recipient is unsure of the date of final disclosure they may put the date consent expires. This date of final disclosure should be updated as soon as practicable after it becomes known. Note 1: The example provided is context dependent. Please refer to Privacy Safeguard 10 for more guidance. | CDR Rule 7.9 | CDR Privacy Safeguards Guidelines: Privacy Safeguard 10 | 4CM1.01.27 | |
28 | CX Guideline | MAY | Data recipients should state the extent of historical data that was disclosed as part of the disclosure consent. | 4CM1.01.28 | ||
29 | CDR Rule | MUST | (2) A CDR consumer may request an accredited data recipient for copies of records relating to the information referred to in: (a) paragraphs 9.3(2)(a), (b), (c), (d), (da), (e), (ea), (eb), (ec), (ed), (ee), (ef), (eg), (f) and (m); and (b) paragraphs 9.3(2A)(d), (e), (f), (g), (ga), (h), (ha), (hb), (hc), (i) and (o); that relates to the CDR consumer. | CDR Rule 9.5(2) | 4CM1.01.29 | |
30 | CDR Rule | MUST | (1) Subject to subrule (5), an accredited person must provide each eligible CDR consumer on whose behalf the accredited person makes a consumer data request with an online service that: (f) is simple and straightforward to use; and (g) is prominently displayed and readily accessible to the CDR consumer. | CDR Rule 1.14(1)(f)–(g) | 4CM1.01.30 | |
31 | CX Guideline | MAY | In addition to the CX Standards for CDR receipt delivery, data recipients should also make the CDR receipt available on the dashboard. | 4CM1.01.31 | ||
32 | CX Guideline | MAY | Data recipients are encouraged to surface information on dispute resolution and making a complaint. This may include: • a link to the complaints section of the ADR’s CDR policy; and/or • a summary of the complaint handling process. | CX Research: 2020 Phase 3, Round 4 and 5 report | 4CM1.01.32 |