01

(1) An accredited person may invite a CDR consumer to amend a consent given in accordance with this Division only in accordance with this rule.

CDR Rule 4.12B(1)

1CO2.00.01

02

(2) The accredited person may give the invitation: (a) if its consumer dashboard allows a consent amendment in accordance with subrule 1.14(2A)―via its consumer dashboard; or (b) in writing directly to the CDR consumer.

CDR Rule 4.12B(2)

1CO2.00.02

03

(3) The accredited person may invite a CDR consumer to amend a current consent if: (a) the amendment would better enable the accredited person to provide the goods or services referred to in paragraph 4.3(1)(a); or (b) the amendment would: (i) be consequential to an agreement between the accredited person and the CDR consumer to modify those goods or services; and (ii) enable the accredited person to provide the modified goods or services.

CDR Rule 4.12B(3)

1CO2.00.03

04

(4) The accredited person must not, for an invitation to amend the period referred to in paragraph 4.11(1)(b): (a) give the invitation any earlier than a reasonable period before the current consent is expected to expire;

CDR Rule 4.12B(4)(a)

1CO2.00.04

06

(4) The accredited person must not, for an invitation to amend the period referred to in paragraph 4.11(1)(b): (b) give more than a reasonable number of such invitations within this period.

CDR Rule 4.12B(4)(b)

1CO2.00.06

07

(1) Subject to this rule, if an accredited person allows CDR consumers to amend consents, it must allow them to do so in the same manner that it asks for CDR consumers to give consents. Example: If an accredited person asks a CDR consumer who gave a consent as a CDR business consumer to amend a consent of a kind mentioned in paragraph 1.10A(10)(a), the accredited person must invite the CDR consumer to provide a further business consumer statement: see paragraph 4.11(1)(bb).

CDR Rule 4.12C(1)

1CO2.00.07

08

(3) An accredited person must not ask for a consent: (a) that is not in a category of consents; or (b) subject to subrule (4), for using the CDR data, including by aggregating the data, for the purpose of: (i) identifying; or (ii) compiling insights in relation to; or (iii) building a profile in relation to; any identifiable person who is not the CDR consumer who made the consumer data request. (4) Paragraph (3)(b) does not apply in relation to a person whose identity is readily apparent from the CDR data, if the accredited person is seeking consent to: (a) derive, from that CDR data, CDR data about that person’s interactions with the CDR consumer; and (b) use that derived CDR data in order to provide the requested goods or services.

CDR Rule 4.12(3), (4)

1CO2.00.08

09

A request by an accredited person for a CDR consumer to give or amend a consent: (a) must comply with any relevant data standards; and (b) having regard to any consumer experience guidelines made by the Data Standards Body—must be reasonably easy to understand, including by use of plain concise language and, where appropriate, visual aids;

CDR Rule 4.10(1)(a), (b)

1CO2.00.09

10

A request by an accredited person for a CDR consumer to give or amend a consent: (c) must not include or refer to the accredited person’s CDR policy or other documents in a way that reduces understandability; and (d) must not be combined with other requests except for a consent under these rules (other than a request for direct marketing or de-identification consent).

CDR Rule 4.10(1)(c), (d)

1CO2.00.10

11

(3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information: (a) its name; (b) its accreditation number;

CDR Rule 4.11(3)(a), (b)

1CO2.00.11

12

(3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information: (c) in the case of a collection consent, use consent or disclosure consent—information about how the collection, use or disclosure indicated in a manner consistent with the requirements set out in subrule (1) complies with the data minimisation principle, including: (i) in the case of a collection consent in relation to the provision of requested goods or services—an explanation of why that collection is reasonably needed, and relates to a time period that is no longer than is reasonably needed; and (ii) in the case of a use consent or disclosure consent—an explanation of why that use or disclosure does not go beyond what is reasonably needed; in order to provide the requested goods or services to the CDR consumer, or to effect the permitted uses or disclosures consented to;

CDR Rule 4.11(3)(c) | OAIC Chapter C: Consent (Data minimisation principle) | CX Research 1, 3

1CO2.01.12

13

(1) When asking a CDR consumer to give a consent, an accredited person must: (aa) in the case of a use consent—either: (i) allow the CDR consumer to actively select or otherwise clearly indicate the specific uses of collected data to which the consent will apply; or (ii) seek the CDR consumer’s agreement to the specific uses of collected data (as presented to the CDR consumer) to which the consent will apply;

CDR Rule 4.11(1)(aa) | CX Research 2, 6

1CO2.01.13

14

(3) In the case of an amendment to a consent, in addition to the information referred to in subrule 4.11(3), the accredited person must give the CDR consumer: (a) a statement that indicates the consequences of amending a consent; and (b) a statement that the accredited person will be able to continue to use any CDR data that has already been disclosed to it to the extent allowed by the amended consent.

CDR Rule 4.12C(3)(a), (b)

1CO2.01.14

15

(1) When asking a CDR consumer to give a consent, an accredited person must: (a) in the case of a collection consent or a disclosure consent—either: (i) allow the CDR consumer to actively select or otherwise clearly indicate the particular types of CDR data to which the consent will apply; or (ii) seek the CDR consumer’s agreement to the particular types of CDR data (as presented to the CDR consumer) to which the consent will apply;

CDR Rule 4.11(1)(a)

1CO2.01.15

16

(2) The accredited person must not request direct marketing consents or de-identification consents by means of pre-selected options for the purposes of subrule (1).

CDR Rule 4.11(2)

1CO2.01.16

17

(1) The Data Standards Chair must make one or more data standards about each of the following: (d) the types of CDR data and descriptions of those types, to be used by CDR participants in making and responding to requests;

CDR Rule 8.11(1)(d)

1CO2.01.17

19

(1) When asking a CDR consumer to give a consent, an accredited person must: (b) in relation to the period of the collection consent, use consent, or disclosure consent (as appropriate)—either: (i) allow the CDR consumer to actively select or otherwise clearly indicate the period of consent; or (ii) seek the CDR consumer’s agreement to the period of consent (as presented to the CDR consumer) to which the consent will apply; where the period of consent is either: (iii) a single occasion; or (iv) a specified period of time; Note 2: For paragraph (b), the specified period may not be more than 12 months: see subrule 4.12(1). After the end of the period, redundant data would need to be dealt with in accordance with subsection 56EO(2) of the Act (privacy safeguard 12) and rules 7.12 and 7.13. 

CDR Rule 4.11(1)(b), (Note 2) | CX Research 4, 5

1CO2.01.19

20

(1) Subject to subrule (1A), an accredited person must not specify a period of time for the purposes of paragraph 4.11(1)(b) that is more than 12 months.

CDR Rule 4.12(1) | CX Research 4, 5

1CO2.01.20

22

(3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information: (g) a statement that, at any time, the consent can be withdrawn.

CDR Rule 4.11(3)(g) | CX Research 7, 32

1CO2.01.22

25

(3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information: (h) the following information about redundant data: (i) a statement, in accordance with rule 4.17, regarding the accredited person’s intended treatment of redundant data;

CDR Rule 4.11(3)(h)(i)

1CO2.01.25

26

(1) For subparagraph 4.11(3)(h)(i), the accredited person must state whether they have a general policy, when collected CDR data becomes redundant data, of: (a) deleting the redundant data; or (b) de-identifying the redundant data; or (c) deciding, when the CDR data becomes redundant data, whether to delete it or de-identify it.

CDR Rule 4.17(1) | CX Research 18

1CO2.01.26

29

(1) When asking a CDR consumer to give a consent, an accredited person must: (c) ask for the CDR consumer’s express consent to the choices referred to in paragraphs (a), (b) and (ba) for each relevant category of consents;

CDR Rule 4.11(1)(c)

1CO2.01.29

31

An accredited person must give the CDR consumer a notice that complies with the data standards as soon as practicable after the CDR consumer: (b) amends a collection consent, use consent or disclosure consent given to an accredited person in accordance with this Division;

CDR Rule 4.18(b)

1CO2.00.31

33

Data Recipients and Data Holders MUST use data language standards to describe data clusters and permissions in consumer-facing interactions. See the Banking and Non-Bank Lending Language section for language to be used when requesting banking and non-bank lending data; and the Energy Language section for language to be used when requesting energy data. Data language standards MUST be used when CDR data is being requested, reviewed, or access to such data is withdrawn. Data Recipients and Data Holders MUST use the appropriate data standards language for business consumers as denoted with an '*' for the relevant data. Data Recipients and Data Holders SHOULD expand on the proposed language where appropriate to communicate further details of what is being shared. Additional details MAY include additional information in context, such as in-line help or tool tips, and/or additional permissions where they may exist. Examples of permission details that MAY be used and provided as in-line help are denoted with an '†' for the relevant data.

Data Language Standards: Common, Data Language Standards: Language to be used

1CO2.01.33

34

If a scenario requires it, Data Holders and Data Recipients MUST merge and amend Basic and Detailed data cluster and permission language to show that Detailed scopes include Basic data. Data Holders and Data Recipients MUST use the alternative language denoted with an '‡' for the relevant scope(s). See the Banking and Non-Bank Lending Language section for banking and non-bank lending data and the Energy Language section for energy data. Example: A Data Recipient presents the Detailed data cluster in a data request to a consumer but does not present the Basic data cluster. The Detailed scope includes Basic data, but this is not apparent to the consumer based on the data cluster language and permissions used for the Detailed scope.

Data Language Standards: Common, Data Language Standards: Detailed scope requests

1CO2.01.34

35

Data recipients MUST notify consumers of redirection prior to authentication.

Consent Standards, Consent: Redirection

1CO2.01.35

36

Data recipients should present the realised benefits of data sharing as part of amending consent requests so consumers can assess the material value of providing consent.

CX Research: 2020 Phase 3, Round 3 report

1CO2.00.36

37

Data recipients should communicate that consent will expire if request is not actioned.

CX Research: 2020 Phase 3, Round 4 and 5 report

1CO2.01.37

38

Data recipients should outline the consequences of not continuing to consent - such as service or data loss. This should include information about how data will be handled if re-consent is not provided.

CX Research: 2020 Phase 3, Round 4 and 5 report

1CO2.01.38

39

Data recipients should provide multiple reminders to warn consumers that their consent is about to expire. Such reminders should not be sent at unnecessarily high frequencies so as to cause notification fatigue.

CX Research: 2020 Phase 3, Round 4 and 5 report

1CO2.01.39

40

Data recipients should provide a clear ‘withdraw consent’ option in addition to allowing expiry by default.

CX Research: 2020 Phase 3, Round 4 and 5 report

1CO2.01.40

42

Data recipients should also include a link to their specific page on www.cdr.gov.au/find-a-provider for accreditation verification purposes.

CX Research: 2019 Phase 2, Stream 1 report; 2020 Phase 3, Round 3 report

1CO2.00.42

43

Data recipients will need to explain how the time period complies with the data minimisation principle (DMP). This is required for data that is yet to be generated (e.g. for an ongoing consent) as well as historical data (e.g. for collection on a 'single occasion'). Example DMP statement for data that is yet to be generated: We need to collect and use your data for 12 months so [we can update your financial position in real-time] to [deliver accurate and tailored personal financial management]. Example DMP statement for historical data: We need to collect the last 12 months of your data so [we can assess seasonal changes] to [provide an accurate energy comparison].

CDR Rule 4.11(3)(c), 1.8 | OAIC Chapter C: Consent (Data minimisation principle) | CX Research 1, 3

1CO2.01.43

44

Data recipients should present the purpose of the consent request in relation to each data cluster unless this statement applies equally to all datasets. If the statement applies equally to all datasets, data recipients should present this to the consumer clearly in relation to all of the datasets.

CDR Rule 4.11(3)(c), 1.8

1CO2.01.44

45

ADRs should present attributes to be amended in a way that is clearly distinct to attributes that have already been consented to. This may require specific design patterns and/or the use of signifiers, such as 'new' labels, to denote the change being requested.

Consent Standards, Amending consent: Changing Attributes

1CO2.01.45

46

Data recipients should make the consent process as easy to understand as possible. Data recipients should nudge consumers to be more privacy conscious and should use appropriate interventions to mitigate cognitive overload, facilitate comprehension, and provide transparency and consumer control. This can be done in a variety of ways, including through the use of design patterns like progressive disclosure, micro and/or descriptive copy, and with the use of microinteractions.

CX Research 8, 19

1CO2.01.46

49

Amendments to collection duration or dataset collection require data holder authentication and authorisation. Amendments to disclosure consents, use consents, including adding/removing uses or amending disclosure and/or use durations, do not require data holder authentication and authorisation.

1CO2.01.49

55

Data recipients are encouraged to provide information in relation to complaint handling at appropriate points throughout the Consent Model, such as during Pre-consent; within the Consent Flow; and/or within the CDR Receipt and/or Consumer Dashboards.

CX Research: 2020 Phase 3, Round 8 summary; 2021 Disclosure Consent report

1CO2.01.55

56

To build consumer trust and confidence, data recipients should surface information about data deletion. This may include details from their CDR policy, as stated in CDR Rule 7.2(4)(k), and a link to read the policy.

CDR Rule 7.2(4)(k) | CX Research: 2020 Phase 3, Round 3 report; 2021 Disclosure Consent report

1CO2.01.56

57

CX research suggested that further information on data handling, including from government sources, can aid comprehension and confidence for Sceptics, Assurance Seekers and Sensemakers. Based on these insights, data recipients are encouraged to provide a link to OAIC’s guidance on Privacy Safeguard 12, which outlines information on data security and redundant data handling.

CDR Privacy Safeguard Guidelines: Privacy Safeguard 12 | CX Research: 2021 Disclosure Consent report

1CO2.01.57

58

(1A) In the case of a consent given by a CDR business consumer that includes a business consumer statement, an accredited person must: (a) not specify a period of time that is more than 7 years; and (b) if specifying a period of time of more than 12 months, give the CDR business consumer the option of choosing a period for the consent of 12 months or less.

CDR Rule 4.12(1A)

1CO2.00.58

59

CDR Representatives inviting consumers to amend their consent should refer to Subdivision 4.3A.3 of the CDR Rules.

CDR Rules Subdivision 4.3A.3

1CO2.00.59

60

Data recipients should educate consumers about data sharing with the CDR, which may include references to the CDR protections. CX research has found that including this information increases familiarity, trustworthiness, propensity to consent, and increase the chances of adoption and successful completion.

1CO2.00.60

61

When notifying a Data Holder of an amended collection consent as per rules 4.18C or 4.20S, Data Recipients MUST supply the relevant CDR Arrangement ID to the Data Holder according to Specifying an existing arrangement. Providing the CDR Arrangement ID is necessary to trigger the Data Holder authorisation flow simplifications outlined in the Amending Authorisation Standards. Failure to supply the CDR Arrangement ID will result in the full authorisation flow and a disconnected data sharing arrangement history on consumer dashboards.

Consent Standards, Consent: Amendment of Collection Consents and Authorisations

1CO2.01.61

62

Data recipients MUST indicate where datasets, uses, and durations are being amended. Data recipients MAY apply this standard to other changing attributes where the attribute in the amending consent request differs to that of the previous consent. How a changed attribute is signified is at the data recipient’s discretion. 

Consent Standards, Amending consent: Changing Attributes

1CO2.01.62

63

Effective from 14 July 2025: A CDR receipt provided by a data recipient MUST be given in writing otherwise than through the consumer dashboard.

Notification Standards, CDR Receipts: Delivery

1CO2.00.63

64

ADRs should send CDR receipts via the consumer's preferred delivery channels, other than through the consumer dashboard.

1CO2.00.64

66

Data holders and data recipients MUST state in consumer-facing interactions and communications that third parties do not need consumer passwords to access CDR data. The exact phrasing of this is at the discretion of the data holder and data recipient. Note: In this context, 'third parties' refers to entities on the ADR-side and does not include any third parties that the data holder may engage.

Authentication Standards, Common Authentication Standards, Authentication: Passwords

1CO2.01.66

67

Data recipients MUST implement Redirect to App in accordance with the relevant consumer experience authentication and security profile standards. Data recipients MAY implement Redirect to App ahead of the date specified in the Future Dated Obligations schedule. Note: As per the future dated obligation schedule, data recipients subject to this standard are required to implement Redirect to App on and from 10 May 2027.

Authentication Schedule, Redirect to App, Data Recipients

1CO2.01.67

68

Where Redirect to App is unable to be used for the purposes of CDR authentication: • Data recipients MAY provide decoupled consent experiences that facilitate separation of the Consumption Device from the authorisation flow. • Data holders MAY provide decoupled authorisation experiences that facilitate separation of the Consumption Device from the Authentication Device. If implemented, data holders and data recipients MUST support decoupled authentication in accordance with any relevant consumer experience authentication and security profile standards.

Authentication Schedule, Decoupled Authentication

1CO2.01.68

01

(1) An accredited person may invite a CDR consumer to amend a consent given in accordance with this Division only in accordance with this rule.

CDR Rule 4.12B(1)

1CO2.02.01

02

(2) The accredited person may give the invitation: (b) in writing directly to the CDR consumer.

CDR Rule 4.12B(2)(b)

1CO2.02.02

03

(3) The accredited person may invite a CDR consumer to amend a current consent if: (a) the amendment would better enable the accredited person to provide the goods or services referred to in paragraph 4.3(1)(a); or (b) the amendment would: (i) be consequential to an agreement between the accredited person and the CDR consumer to modify those goods or services; and (ii) enable the accredited person to provide the modified goods or services.

CDR Rule 4.12B(3)

1CO2.02.03

04

(4) The accredited person must not, for an invitation to amend the period referred to in paragraph 4.11(1)(b): (a) give the invitation any earlier than a reasonable period before the current consent is expected to expire;

CDR Rule 4.12B(4)(a)

1CO2.02.04

05

(4) The accredited person must not, for an invitation to amend the period referred to in paragraph 4.11(1)(b): (b) give more than a reasonable number of such invitations within this period.

CDR Rule 4.12B(4)(b)

1CO2.02.05

06

(1) Subject to this rule, if an accredited person allows CDR consumers to amend consents, it must allow them to do so in the same manner that it asks for CDR consumers to give consents. Example: If an accredited person asks a CDR consumer who gave a consent as a CDR business consumer to amend a consent of a kind mentioned in paragraph 1.10A(10)(a), the accredited person must invite the CDR consumer to provide a further business consumer statement: see paragraph 4.11(1)(bb).

CDR Rule 4.12C(1)

1CO2.02.06

07

(1) When asking a CDR consumer to give a consent, an accredited person must: (bb) where the accredited person proposes, or is offering, to deal with a person in their capacity as a CDR business consumer in relation to a consent of a kind mentioned in paragraph 1.10A(10)(a)―invite the CDR business consumer to provide the business consumer statement

CDR Rule 4.11(1)(bb)

1CO2.02.07

08

(4) If the CDR consumer gave the consent as a CDR business consumer, the accredited person must take reasonable steps to re‑confirm that: (a) the CDR consumer is not an individual; or (b) the CDR consumer has an active ABN. Note: See subrule 1.10A(9).

CDR Rule 4.12C(4)

1CO2.02.08

09

(2) The accredited person must not request direct marketing consents or de-identification consents by means of pre-selected options for the purposes of subrule (1).

CDR Rule 4.11(2)

1CO2.02.09

10

(3) In the case of an amendment to a consent, in addition to the information referred to in subrule 4.11(3), the accredited person must give the CDR consumer: (a) a statement that indicates the consequences of amending a consent; and (b) a statement that the accredited person will be able to continue to use any CDR data that has already been disclosed to it to the extent allowed by the amended consent.

CDR Rule 4.12C(3)

1CO2.02.10

11

(1) When asking a CDR consumer to give a consent, an accredited person must: (ba) in the case of a disclosure consent―either: (i) allow the CDR consumer to actively select or otherwise clearly indicate the persons to whom the CDR data may be disclosed; or (ii) seek the CDR consumer’s agreement to the persons (as presented to the CDR consumer) to whom the CDR data may be disclosed;

CDR Rule 4.11(1)(ba)

1CO2.02.11

12

(1) When asking a CDR consumer to give a consent, an accredited person must: (b) in relation to the period of the collection consent, use consent, or disclosure consent (as appropriate)—either: (i) allow the CDR consumer to actively select or otherwise clearly indicate the period of consent; or (ii) seek the CDR consumer’s agreement to the period of consent (as presented to the CDR consumer) to which the consent will apply; where the period of consent is either: (iii) a single occasion; or (iv) a specified period of time; Note 2: For paragraph (b), the specified period may not be more than 12 months (or 7 years for certain consents by a CDR business consumer): see subrule 4.12(1). After the end of the period, redundant data would need to be dealt with in accordance with subsection 56EO(2) of the Act (privacy safeguard 12) and rules 7.12 and 7.13.

CDR Rule 4.11(1)(b), (Note 2)

1CO2.02.12

13

(1) Subject to subrule (1A), an accredited person must not specify a period of time for the purposes of paragraph 4.11(1)(b) that is more than 12 months.

CDR Rule 4.12(1)

1CO2.02.13

14

(1A) In the case of a consent given by a CDR business consumer that includes a business consumer statement, an accredited person must: (a) not specify a period of time that is more than 7 years; and (b) if specifying a period of time of more than 12 months, give the CDR business consumer the option of choosing a period for the consent of 12 months or less.

CDR Rule 4.12(1A)

1CO2.02.14

15

(1) When asking a CDR consumer to give a consent, an accredited person must: (a) in the case of a collection consent or a disclosure consent—either: (i) allow the CDR consumer to actively select or otherwise clearly indicate the particular types of CDR data to which the consent will apply; or (ii) seek the CDR consumer’s agreement to the particular types of CDR data (as presented to the CDR consumer) to which the consent will apply;

CDR Rule 4.11(1)(a)

1CO2.02.15

18

An accredited person must give the CDR consumer a notice that complies with the data standards as soon as practicable after the CDR consumer: (b) amends a collection consent, use consent or disclosure consent given to an accredited person in accordance with this Division;

CDR Rule 4.18(b)

1CO2.02.18

20

Data recipients MUST use plain and concise language when inviting a consumer to give a business consumer statement.

Consent Standards, Business consumer statement: Content

1CO2.02.20

21

When seeking a business consumer statement, data recipients MUST invite the business consumer to give the business consumer statement in a manner that is explicit, express, and through an active selection or declaration. The giving of a business consumer statement MUST be clearly separated from any other interaction or information provided to the consumer and MUST NOT be implied or bundled with any other permission.

Consent Standards, Business consumer statement: Method

1CO2.02.21

22

In the course of seeking a consumer’s consent to disclose data as part of a disclosure consent: 1. Data Recipients MUST specify which CDR Participant(s) they collected the associated CDR data from. 2. Data Recipients SHOULD specify the sector(s) the data was collected from or associated with. Note: • Point (1) only requires the Data Recipient to refer to the CDR Participant(s) immediately preceding them in the disclosure chain, which may not always include a consumer’s Data Holder(s). • This standard is proposed to apply to all data to be disclosed by a Data Recipient, including unmodified, aggregated, derived, and transformed CDR data. • Where applicable, the existing data language standards apply to descriptions of CDR data that have not been modified.

Consent Standards, Disclosure consent: Collection source

1CO2.02.22

23

Data Recipients and Data Holders MUST use data language standards to describe data clusters and permissions in consumer-facing interactions. See the Banking and Non-Bank Lending Language section for language to be used when requesting banking and non-bank lending data; and the Energy Language section for language to be used when requesting energy data. Data language standards MUST be used when CDR data is being requested, reviewed, or access to such data is withdrawn. Data Recipients and Data Holders MUST use the appropriate data standards language for business consumers as denoted with an '*' for the relevant data. Data Recipients and Data Holders SHOULD expand on the proposed language where appropriate to communicate further details of what is being shared. Additional details MAY include additional information in context, such as in-line help or tool tips, and/or additional permissions where they may exist. Examples of permission details that MAY be used and provided as in-line help are denoted with an '†' for the relevant data.

Data Language Standards: Common, Data Language Standards: Language to be used

1CO2.02.23

24

If a scenario requires it, Data Holders and Data Recipients MUST merge and amend Basic and Detailed data cluster and permission language to show that Detailed scopes include Basic data. Data Holders and Data Recipients MUST use the alternative language denoted with an '‡' for the relevant scope(s). See the Banking and Non-Bank Lending Language section for banking and non-bank lending data and the Energy Language section for energy data. Example: A Data Recipient presents the Detailed data cluster in a data request to a consumer but does not present the Basic data cluster. The Detailed scope includes Basic data, but this is not apparent to the consumer based on the data cluster language and permissions used for the Detailed scope.

Data Language Standards: Common, Data Language Standards: Detailed scope requests

1CO2.02.24

25

Data recipients MUST state that data disclosed to a non-accredited person will not be regulated as part of the Consumer Data Right. This information SHOULD be immediately viewable by the consumer without further interaction. Data recipients MAY include a plain and concise explanation of what this means, which MAY include information on the Consumer Data Right, and MAY include a link to the Office of the Australian Information Commissioner guidance on the Consumer Data Right.

Consent Standards, Disclosure Consent: Non-Accredited Person Disclosure Notification, Disclosure consent: CDR protections

1CO2.02.25

26

Data recipients MUST provide plain and concise information on dispute resolution and making a complaint. This SHOULD reflect the process and information contained in the data recipient’s CDR policy related to complaints. This MAY also include a link to the accredited data recipient’s CDR policy.

Consent Standards, Disclosure Consent: Non-Accredited Person Disclosure Notification, Disclosure consent: Complaints

1CO2.02.26

27

Data recipients MUST advise the consumer to review how the non-accredited person will handle their data.

Consent Standards, Disclosure Consent: Non-Accredited Person Disclosure Notification, Disclosure consent: Review

1CO2.02.27

28

If available, data recipients MAY include a link to any relevant data handling policies of the non-accredited person, such as their Privacy Policy.

Consent Standards, Disclosure Consent: Non-Accredited Person Disclosure Notification, Disclosure consent: Data handling

1CO2.02.28

29

Data recipients MUST provide the information contained in the disclosure notification otherwise than in the consent flow. This SHOULD be contained in the consumer’s CDR Receipt. This SHOULD also be accessible in the consumer dashboard as part of the data sharing arrangement details. Note 1: The information to be included is limited to the following standards: CDR Protections; Review; Data Handling; Complaints; and Insight Records. The scope of information to include will depend on the accredited person’s specific implementation. Note 2: This standard does not alter any existing rules obligations for CDR receipts or dashboards.

Consent Standards, Disclosure Consent: Non-Accredited Person Disclosure Notification, Disclosure consent: Notification record

1CO2.02.29

30

Data recipients should communicate that consent will expire if request is not actioned.

CX Research: 2020 Phase 3, Round 4 and 5 report

1CO2.02.30

31

Data recipients should outline the consequences of not continuing to consent - such as service or data loss. This should include information about how data will be handled if re-consent is not provided.

CX Research: 2020 Phase 3, Round 4 and 5 report

1CO2.02.31

32

Data recipients should provide multiple reminders to warn consumers that their consent is about to expire. Such reminders should not be sent at unnecessarily high frequencies so as to cause notification fatigue.

CX Research: 2020 Phase 3, Round 4 and 5 report

1CO2.02.32

35

Data recipients MUST indicate where datasets, uses, and durations are being amended. Data recipients MAY apply this standard to other changing attributes where the attribute in the amending consent request differs to that of the previous consent. How a changed attribute is signified is at the data recipient’s discretion. 

Consent Standards, Amending consent: Changing Attributes

1CO2.02.35

36

Effective from 14 July 2025: A CDR receipt provided by a data recipient MUST be given in writing otherwise than through the consumer dashboard.

Notification Standards, CDR Receipts: Delivery

1CO2.02.36

37

The rules do not allow an individual without an active ABN to be treated as a CDR business consumer.

ACCC CDR business consumers - Fact sheet

1CO2.02.37

38

This flow demonstrates an amendment to a business consumer disclosure consent only. Data recipients may propose a consent duration of up to 7 years to business consumers for permitted consents under 1.10A(10). Other consents, such as collection consents (and the corresponding data holder authorisations), are limited to a maximum of 12 months. A detached disclosure consent amendment may occur where the original disclosure consent was given separate to the associated collection and use consents. It may also occur where a bundled collection, use and disclosure consent was given, but different durations were selected for the disclosure consent and the collection consent. If this approach were taken, collection consent renewals would still need to be requested at least every 12 months, inline with the collection duration originally consented to. To avoid detached amendments for consents originally given in a bundled fashion, data recipients may alternatively choose to propose a single duration of up to 12 months for all requested consents when inviting the consumer to give the initial consent. This would allow the data recipient to invite the consumer to renew all the consent types in a single action.

CDR Rules 1.10A(10), 4.11(1)(b), 4.12(1)–(1A)

1CO2.02.38

39

Where a data recipient presents a duration over 12 months for a consent that includes a business consumer statement, they must give the consumer at least one option of 12 months or less, to meet CDR Rule 4.12(1A)(b). For example, if a data recipient presents a 3 year duration, they might offer a 12 month option, a 6 month option, or both, but at least one must be offered. Data recipients are not required to allow the consumer to choose an alternative duration where durations of 12 months or less are proposed. However, data recipients may voluntarily provide this choice. When presenting duration options, data recipients should present consumers with a limited selection of duration options to reduce cognitive load. The options presented should represent the most common and/or most appropriate durations for the service being offered and be in compliance with the data minimisation principle.

CDR Rule 4.12(1A)(b) | 10 Usability Heuristics for User Interface Design: Visibility of system status (Nielsen)

1CO2.02.39

40

ADRs should send CDR receipts via the consumer's preferred delivery channels, other than through the consumer dashboard.

1CO2.02.40

41

The CX Standards for CDR Receipts take effect on 14 July 2025. The existing requirements regarding CDR receipts will continue to apply until the relevant data standards are made and in effect, as per the transitional provision outlined in CDR Rule 503 (and 506 for CDR representatives). Data recipients should refer to the CDR Rules as they were in effect from 22 July 2023 to 11 November 2024 for details of their obligations with regards to CDR receipts until this date.

CDR Rules 4.18 and 503; 4.20O and 506 | Notification Standards, CDR Receipts

1CO2.02.41

01

(1) An accredited person may invite a CDR consumer to amend a consent given in accordance with this Division only in accordance with this rule.

CDR Rule 4.12B(1)

1CO2.03.01

02

(2) The accredited person may give the invitation: (b) in writing directly to the CDR consumer.

CDR Rule 4.12B(2)(b)

1CO2.03.02

03

(3) The accredited person may invite a CDR consumer to amend a current consent if: (a) the amendment would better enable the accredited person to provide the goods or services referred to in paragraph 4.3(1)(a); or (b) the amendment would: (i) be consequential to an agreement between the accredited person and the CDR consumer to modify those goods or services; and (ii) enable the accredited person to provide the modified goods or services.

CDR Rule 4.12B(3)

1CO2.03.03

04

(4) The accredited person must not, for an invitation to amend the period referred to in paragraph 4.11(1)(b): (a) give the invitation any earlier than a reasonable period before the current consent is expected to expire;

CDR Rule 4.12B(4)(a)

1CO2.03.04

05

(4) The accredited person must not, for an invitation to amend the period referred to in paragraph 4.11(1)(b): (b) give more than a reasonable number of such invitations within this period.

CDR Rule 4.12B(4)(b)

1CO2.03.05

06

(1) Subject to this rule, if an accredited person allows CDR consumers to amend consents, it must allow them to do so in the same manner that it asks for CDR consumers to give consents. Example: If an accredited person asks a CDR consumer who gave a consent as a CDR business consumer to amend a consent of a kind mentioned in paragraph 1.10A(10)(a), the accredited person must invite the CDR consumer to provide a further business consumer statement: see paragraph 4.11(1)(bb).

CDR Rule 4.12C(1)

1CO2.03.06

07

(1) When asking a CDR consumer to give a consent, an accredited person must: (bb) where the accredited person proposes, or is offering, to deal with a person in their capacity as a CDR business consumer in relation to a consent of a kind mentioned in paragraph 1.10A(10)(a)―invite the CDR business consumer to provide the business consumer statement

CDR Rule 4.11(1)(bb)

1CO2.03.07

08

(4) If the CDR consumer gave the consent as a CDR business consumer, the accredited person must take reasonable steps to re‑confirm that:(a) the CDR consumer is not an individual; or(b) the CDR consumer has an active ABN. Note: See subrule 1.10A(9).

CDR Rule 4.12C(4)

1CO2.03.08

09

(2) The accredited person must not request direct marketing consents or de-identification consents by means of pre-selected options for the purposes of subrule (1).

CDR Rule 4.11(2)

1CO2.03.09

10

(3) An accredited person must not ask for a consent:  (a) that is not in a category of consents; or  (b) subject to subrule (4), for using the CDR data, including by aggregating the data, for the purpose of:  (i) identifying; or  (ii) compiling insights in relation to; or  (iii) building a profile in relation to;  any identifiable person who is not the CDR consumer who made the consumer data request.  (4) Paragraph (3)(b) does not apply in relation to a person whose identity is readily apparent from the CDR data, if the accredited person is seeking consent to:  (a) derive, from that CDR data, CDR data about that person’s interactions with the CDR consumer; and  (b) use that derived CDR data in order to provide the requested goods or services. 

CDR Rule 4.12(3), (4)

1CO2.03.10

11

A request by an accredited person for a CDR consumer to give or amend a consent: (a) must comply with any relevant data standards; and (b) having regard to any consumer experience guidelines made by the Data Standards Body—must be reasonably easy to understand, including by use of plain concise language and, where appropriate, visual aids; and (c) must not include or refer to the accredited person’s CDR policy or other documents in a way that reduces understandability; and (d) must not be combined with other requests except for a consent under these rules (other than a request for direct marketing or de-identification consent).

CDR Rule 4.10

1CO2.03.11

12

(1) When asking a CDR consumer to give a consent, an accredited person must: (ba) in the case of a disclosure consent―either: (i) allow the CDR consumer to actively select or otherwise clearly indicate the persons to whom the CDR data may be disclosed; or (ii) seek the CDR consumer’s agreement to the persons (as presented to the CDR consumer) to whom the CDR data may be disclosed;

CDR Rule 4.11(1)(ba)

1CO2.03.12

13

(1) When asking a CDR consumer to give a consent, an accredited person must: (b) in relation to the period of the collection consent, use consent, or disclosure consent (as appropriate)—either: (i) allow the CDR consumer to actively select or otherwise clearly indicate the period of consent; or (ii) seek the CDR consumer’s agreement to the period of consent (as presented to the CDR consumer) to which the consent will apply; where the period of consent is either: (iii) a single occasion; or (iv) a specified period of time; Note 2: For paragraph (b), the specified period may not be more than 12 months (or 7 years for certain consents by a CDR business consumer): see subrule 4.12(1). After the end of the period, redundant data would need to be dealt with in accordance with subsection 56EO(2) of the Act (privacy safeguard 12) and rules 7.12 and 7.13.

CDR Rule 4.11(1)(b), (Note 2) | CX Research 4, 5

1CO2.03.13

14

(1) Subject to subrule (1A), an accredited person must not specify a period of time for the purposes of paragraph 4.11(1)(b) that is more than 12 months.

CDR Rule 4.12(1) | CX Research 4, 5

1CO2.03.14

15

(1A) In the case of a consent given by a CDR business consumer that includes a business consumer statement, an accredited person must: (a) not specify a period of time that is more than 7 years; and (b) if specifying a period of time of more than 12 months, give the CDR business consumer the option of choosing a period for the consent of 12 months or less.

CDR Rule 4.12(1A)

1CO2.03.15

16

(3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information: (c) in the case of a collection consent, use consent or disclosure consent—information about how the collection, use or disclosure indicated in a manner consistent with the requirements set out in subrule (1) complies with the data minimisation principle, including: (i) in the case of a collection consent in relation to the provision of requested goods or services—an explanation of why that collection is reasonably needed, and relates to a time period that is no longer than is reasonably needed; and (ii) in the case of a use consent or disclosure consent—an explanation of why that use or disclosure does not go beyond what is reasonably needed; in order to provide the requested goods or services to the CDR consumer, or to effect the permitted uses or disclosures consented to;

CDR Rule 4.11(3)(c) | OAIC Chapter C: Consent (Data minimisation principle) | CX Research 1, 3

1CO2.03.16

17

(1) When asking a CDR consumer to give a consent, an accredited person must: (a) in the case of a collection consent or a disclosure consent—either: (i) allow the CDR consumer to actively select or otherwise clearly indicate the particular types of CDR data to which the consent will apply; or (ii) seek the CDR consumer’s agreement to the particular types of CDR data (as presented to the CDR consumer) to which the consent will apply;

CDR Rule 4.11(1)(a)

1CO2.03.17

18

(3) In the case of an amendment to a consent, in addition to the information referred to in subrule 4.11(3), the accredited person must give the CDR consumer: (a) a statement that indicates the consequences of amending a consent; and (b) a statement that the accredited person will be able to continue to use any CDR data that has already been disclosed to it to the extent allowed by the amended consent.

CDR Rule 4.12C(3)

1CO2.03.18

19

(1) When asking a CDR consumer to give a consent, an accredited person must: (aa) in the case of a use consent—either: (i) allow the CDR consumer to actively select or otherwise clearly indicate the specific uses of collected data to which the consent will apply; or (ii) seek the CDR consumer’s agreement to the specific uses of collected data (as presented to the CDR consumer) to which the consent will apply;

CDR Rule 4.11(1)(aa) | CX Research 2, 6

1CO2.03.19

20

(3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information:  (a) its name;  (b) its accreditation number; 

CDR Rule 4.11(3)(a), (b)

1CO2.03.20

21

(3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information: (g) a statement that, at any time, the consent can be withdrawn.

CDR Rule 4.11(3)(g)

1CO2.03.21

22

(3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information:  (h) the following information about redundant data:  (i) a statement, in accordance with rule 4.17, regarding the accredited person’s intended treatment of redundant data; 

CDR Rule 4.11(3)(h)(i)

1CO2.03.22

23

(1) For subparagraph 4.11(3)(h)(i), the accredited person must state whether they have a general policy, when collected CDR data becomes redundant data, of:  (a) deleting the redundant data; or  (b) de-identifying the redundant data; or  (c) deciding, when the CDR data becomes redundant data, whether to delete it or de-identify it. 

CDR Rule 4.17(1) | CX Research 18

1CO2.03.23

24

(1) When asking a CDR consumer to give a consent, an accredited person must:  (c) seek the CDR consumer’s express consent to the matters referred to in paragraphs (a), (aa), (b) and (ba) for each relevant category of consents;

CDR Rule 4.11(1)(c)

1CO2.03.24

25

An accredited person must give the CDR consumer a notice that complies with the data standards as soon as practicable after the CDR consumer: (b) amends a collection consent, use consent or disclosure consent given to an accredited person in accordance with this Division;

CDR Rule 4.18(b)

1CO2.03.25

26

Data recipients MUST use plain and concise language when inviting a consumer to give a business consumer statement.

Consent Standards, Business consumer statement: Content

1CO2.03.26

27

When seeking a business consumer statement, data recipients MUST invite the business consumer to give the business consumer statement in a manner that is explicit, express, and through an active selection or declaration. The giving of a business consumer statement MUST be clearly separated from any other interaction or information provided to the consumer and MUST NOT be implied or bundled with any other permission.

Consent Standards, Business consumer statement: Method

1CO2.03.27

28

When notifying a Data Holder of an amended collection consent as per rules 4.18C or 4.20S, Data Recipients MUST supply the relevant CDR Arrangement ID to the Data Holder according to Specifying an existing arrangement. Providing the CDR Arrangement ID is necessary to trigger the Data Holder authorisation flow simplifications outlined in the Amending Authorisation Standards. Failure to supply the CDR Arrangement ID will result in the full authorisation flow and a disconnected data sharing arrangement history on consumer dashboards.

Consent Standards, Consent: Amendment of Collection Consents and Authorisations

1CO2.03.28

29

In the course of seeking a consumer’s consent to disclose data as part of a disclosure consent: 1. Data Recipients MUST specify which CDR Participant(s) they collected the associated CDR data from. 2. Data Recipients SHOULD specify the sector(s) the data was collected from or associated with. Note: • Point (1) only requires the Data Recipient to refer to the CDR Participant(s) immediately preceding them in the disclosure chain, which may not always include a consumer’s Data Holder(s). • This standard is proposed to apply to all data to be disclosed by a Data Recipient, including unmodified, aggregated, derived, and transformed CDR data. • Where applicable, the existing data language standards apply to descriptions of CDR data that have not been modified.

Consent Standards, Disclosure consent: Collection source

1CO2.03.29

30

Data recipients MUST indicate where datasets, uses, and durations are being amended. Data recipients MAY apply this standard to other changing attributes where the attribute in the amending consent request differs to that of the previous consent. How a changed attribute is signified is at the data recipient’s discretion. 

Consent Standards, Amending consent: Changing Attributes

1CO2.03.30

31

Data Recipients and Data Holders MUST use data language standards to describe data clusters and permissions in consumer-facing interactions. See the Banking and Non-Bank Lending Language section for language to be used when requesting banking and non-bank lending data; and the Energy Language section for language to be used when requesting energy data. Data language standards MUST be used when CDR data is being requested, reviewed, or access to such data is withdrawn. Data Recipients and Data Holders MUST use the appropriate data standards language for business consumers as denoted with an '*' for the relevant data. Data Recipients and Data Holders SHOULD expand on the proposed language where appropriate to communicate further details of what is being shared. Additional details MAY include additional information in context, such as in-line help or tool tips, and/or additional permissions where they may exist. Examples of permission details that MAY be used and provided as in-line help are denoted with an '†' for the relevant data.

Data Language Standards: Common, Data Language Standards: Language to be used

1CO2.03.31

32

If a scenario requires it, Data Holders and Data Recipients MUST merge and amend Basic and Detailed data cluster and permission language to show that Detailed scopes include Basic data. Data Holders and Data Recipients MUST use the alternative language denoted with an '‡' for the relevant scope(s). See the Banking and Non-Bank Lending Language section for banking and non-bank lending data and the Energy Language section for energy data. Example: A Data Recipient presents the Detailed data cluster in a data request to a consumer but does not present the Basic data cluster. The Detailed scope includes Basic data, but this is not apparent to the consumer based on the data cluster language and permissions used for the Detailed scope.

Data Language Standards: Common, Data Language Standards: Detailed scope requests

1CO2.03.32

33

Data recipients MUST state that data disclosed to a non-accredited person will not be regulated as part of the Consumer Data Right. This information SHOULD be immediately viewable by the consumer without further interaction. Data recipients MAY include a plain and concise explanation of what this means, which MAY include information on the Consumer Data Right, and MAY include a link to the Office of the Australian Information Commissioner guidance on the Consumer Data Right.

Consent Standards, Disclosure Consent: Non-Accredited Person Disclosure Notification, Disclosure consent: CDR protections

1CO2.03.33

34

Data recipients MUST notify consumers of redirection prior to authentication.

Consent Standards, Consent: Redirection

1CO2.03.34

35

Data recipients MUST advise the consumer to review how the non-accredited person will handle their data.

Consent Standards, Disclosure Consent: Non-Accredited Person Disclosure Notification, Disclosure consent: Review

1CO2.03.35

36

If available, data recipients MAY include a link to any relevant data handling policies of the non-accredited person, such as their Privacy Policy.

Consent Standards, Disclosure Consent: Non-Accredited Person Disclosure Notification, Disclosure consent: Data handling

1CO2.03.36

37

Data recipients MUST provide plain and concise information on dispute resolution and making a complaint. This SHOULD reflect the process and information contained in the data recipient’s CDR policy related to complaints. This MAY also include a link to the accredited data recipient’s CDR policy.

Consent Standards, Disclosure Consent: Non-Accredited Person Disclosure Notification, Disclosure consent: Complaints

1CO2.03.37

38

Data recipients MUST provide the information contained in the disclosure notification otherwise than in the consent flow. This SHOULD be contained in the consumer’s CDR Receipt. This SHOULD also be accessible in the consumer dashboard as part of the data sharing arrangement details. Note 1: The information to be included is limited to the following standards: CDR Protections; Review; Data Handling; Complaints; and Insight Records. The scope of information to include will depend on the accredited person’s specific implementation. Note 2: This standard does not alter any existing rules obligations for CDR receipts or dashboards.

Consent Standards, Disclosure Consent: Non-Accredited Person Disclosure Notification, Disclosure consent: Notification record

1CO2.03.38

39

Effective from 14 July 2025: A CDR receipt provided by a data recipient MUST be given in writing otherwise than through the consumer dashboard.

Notification Standards, CDR Receipts: Delivery

1CO2.03.39

40

Data recipients should communicate that consent will expire if request is not actioned.

CX Research 35

1CO2.03.40

41

Data recipients should outline the consequences of not continuing to consent - such as service or data loss. This should include information about how data will be handled if re-consent is not provided.

CX Research 38

1CO2.03.41

42

Data recipients should provide multiple reminders to warn consumers that their consent is about to expire. Such reminders should not be sent at unnecessarily high frequencies so as to cause notification fatigue.

CX Research 34

1CO2.03.42

43

Data recipients should provide a clear ‘withdraw consent’ option in addition to allowing expiry by default.

CX Research 37

1CO2.03.43

44

The rules do not allow an individual without an active ABN to be treated as a CDR business consumer.

ACCC CDR business consumers - Fact sheet

1CO2.03.44

45

ADRs should present attributes to be amended in a way that is clearly distinct to attributes that have already been consented to. This may require specific design patterns and/or the use of signifiers, such as 'new' labels, to denote the change being requested.

Consent Standards, Amending consent: Changing Attributes

1CO2.03.45

46

This flow demonstrates an amendment to extend the duration of a bundled collection, use and business consumer disclosure consent. Such a bundled amendment may occur where the original consent was given in a bundled fashion and each consent is due to expire shortly. While data recipients may propose a consent duration of up to 7 years to business consumers for permitted consents under 1.10A(10), other consents, such as collection consents (and the corresponding data holder authorisations), are limited to a maximum of 12 months. To facilitate a streamlined amendment that matches how the original consent was given, data recipients may choose to propose a single duration of up to 12 months for all requested consents when inviting the consumer to give the initial consent. This would allow them to invite the consumer to renew all the consent types in a single action. Alternatively, data recipients can request detached consents of differing durations from the consumer, or a bundled consent with different durations for each consent type, with some consent types enduring for up to 7 years for business consumers. In those circumstances, these consents would be amended in a detached manner. If this approach were taken, collection consent renewals would need to be requested at least every 12 months, inline with the collection duration originally consented to.

CDR Rules 1.10A(10), 4.11(1)(b), 4.12(1)–(1A)

1CO2.03.46

47

Where a data recipient presents a duration over 12 months for a consent that includes a business consumer statement, they must give the consumer at least one option of 12 months or less, to meet CDR Rule 4.12(1A)(b). For example, if a data recipient presents a 3 year duration, they might offer a 12 month option, a 6 month option, or both, but at least one must be offered. Data recipients are not required to allow the consumer to choose an alternative duration where a duration of 12 months or less is proposed. However, data recipients may voluntarily provide this choice. When presenting duration options, data recipients should present consumers with a limited selection of duration options to reduce cognitive load. The options presented should represent the most common and/or most appropriate durations for the service being offered and be in compliance with the data minimisation principle. As business consumer statements cannot be given in relation to collection consents, they have a maximum duration of 12 months. Data recipients wishing to offer durations greater than 12 months for business consumer disclosure consents will need to present 2 different durations for the 2 consent types.

CDR Rule 4.12(1A)(b) | 10 Usability Heuristics for User Interface Design: Visibility of system status (Nielsen)

1CO2.03.47

48

Data recipients will need to explain how the time period complies with the data minimisation principle (DMP). This is required for data that is yet to be generated (e.g. for an ongoing consent) as well as historical data (e.g. for collection on a 'single occasion'). Example DMP statement for data that is yet to be generated: We need to collect and use your data for 12 months so [we can update your financial position in real-time] to [deliver accurate and tailored personal financial management]. Example DMP statement for historical data: We need to collect the last 12 months of your data so [we can assess seasonal changes] to [provide an accurate energy comparison].

CDR Rule 4.11(3)(c), 1.8 | OAIC Chapter C: Consent (Data minimisation principle) | CX Research 1, 3

1CO2.03.48

49

Data recipients should make the consent process as easy to understand as possible. Data recipients should nudge consumers to be more privacy conscious and should use appropriate interventions to mitigate cognitive overload, facilitate comprehension, and provide transparency and consumer control. This can be done in a variety of ways, including through the use of design patterns like progressive disclosure, micro and/or descriptive copy, and with the use of microinteractions.

CX Research 8, 19

1CO2.03.49

50

Data recipients should present the purpose of the consent request in relation to each data cluster unless this statement applies equally to all datasets. If the statement applies equally to all datasets, data recipients should present this to the consumer clearly in relation to all of the datasets.

CDR Rule 4.11(3)(c), 1.8

1CO2.03.50

51

Data recipients should include a link to their specific page on www.cdr.gov.au/find-a-provider for accreditation verification purposes.

1CO2.03.51

52

Where an amendment includes changes to the collection duration or what datasets are being collected, the consumer will need to authenticate and authorise the amendment with the data holder. An amendment that only changes the terms of a disclosure or use consent, such as adding/removing uses, changing what data is disclosed or amending the duration of disclosure and/or use consents, does not require data holder authentication and authorisation.

1CO2.03.52

53

To build consumer trust and confidence, data recipients should surface information about data deletion. This may include details from their CDR policy, as stated in CDR Rule 7.2(4)(k), and a link to read the policy.

CDR Rule 7.2(4)(k) | CX Research: 2019 Phase 1 report; 2019 Phase 2, Stream 3 report; 2020 Phase 3, Round 3 report; 2021 Disclosure Consent report

1CO2.03.53

54

Data recipients should educate consumers about data sharing with the CDR, which may include references to the CDR protections. CX research has found that including this information increases familiarity, trustworthiness, propensity to consent, and increase the chances of adoption and successful completion.

1CO2.03.54

55

CX research suggested that further information on data handling, including from government sources, can aid comprehension and confidence for Sceptic, Assurance Seeker and Sensemaker behavioural archetypes. Based on these insights, data recipients are encouraged to provide a link to OAIC’s guidance on Privacy Safeguard 12, which outlines information on data security and redundant data handling.

CDR Privacy Safeguard Guidelines: Privacy Safeguard 12 | CX Research: 2021 Disclosure Consent report

1CO2.03.55

56

ADRs should send CDR receipts via the consumer's preferred delivery channels, other than through the consumer dashboard.

1CO2.03.56

57

Data holders and data recipients MUST state in consumer-facing interactions and communications that third parties do not need consumer passwords to access CDR data. The exact phrasing of this is at the discretion of the data holder and data recipient. Note: In this context, 'third parties' refers to entities on the ADR-side and does not include any third parties that the data holder may engage.

Authentication Standards, Common Authentication Standards, Authentication: Passwords

1CO2.03.57

58

Data recipients MUST implement Redirect to App in accordance with the relevant consumer experience authentication and security profile standards. Data recipients MAY implement Redirect to App ahead of the date specified in the Future Dated Obligations schedule. Note: As per the future dated obligation schedule, data recipients subject to this standard are required to implement Redirect to App on and from 10 May 2027.

Authentication Schedule, Redirect to App, Data Recipients

1CO2.03.58

59

Where Redirect to App is unable to be used for the purposes of CDR authentication: • Data recipients MAY provide decoupled consent experiences that facilitate separation of the Consumption Device from the authorisation flow. • Data holders MAY provide decoupled authorisation experiences that facilitate separation of the Consumption Device from the Authentication Device. If implemented, data holders and data recipients MUST support decoupled authentication in accordance with any relevant consumer experience authentication and security profile standards.

Authentication Schedule, Decoupled Authentication

1CO2.03.59