These guidelines provide examples for how to implement collection and use consents for common scenarios.
Overview
In accordance with Rule 4.11(1)(Note 1), an accredited person cannot infer consent, or seek to rely on an implied consent. Consent must be voluntary, express, informed, specific as to purpose, time limited, and easily withdrawn.
When asking a CDR consumer to give consent, a data recipient's process must:
- accord with the data standards;
- have regard to any consumer experience guidelines developed by the Data Standards Body;
- be as easy to understand as practicable, including by use of concise language and, where appropriate, visual aids.
Data recipients should make the consent process as easy to understand as possible by using appropriate interventions to mitigate cognitive overload, facilitate comprehension, and provide transparency and consumer control.
This section provides examples illustrating how the guidelines may be implemented.
These types of consents contain several steps, which may include:
- Provider selection: At this step, the consumer selects who they want to share data from, such as their data holder.
- Terms of consent: At this step, the consumer is asked for their consent and can do so by choosing the types of CDR data they will allow the ADR to access, the access period, and the specific uses of their data.
Wireframes and guidelines
Note: The wireframes shown are examples of how to implement key rules, standards, and guidelines.
Collection and use consents - default example
The following wireframes show a basic example of a collection and use consent.
CDR outsourcing, sponsorship and CDR representative arrangements
Using outsourced service providers
An accredited person or CDR representative may engage outsourced service providers (OSPs) to do one or both of the following: (1) to collect CDR data on their behalf; (2) to use or disclose data to provide specified goods or services to them.
To do so, a written contract that meets the requirements set out in the CDR Rules, called a CDR outsourcing arrangement, must be in place with the OSP. A data recipient may have both direct and indirect OSPs. This can occur where a direct OSP of the data recipient engages further OSPs in their own CDR outsourcing arrangements.
For more information on CDR outsourcing arrangements, see OAIC’s guidance on privacy obligations for principals and outsourced service providers.
Sponsorship arrangement
The sponsored accreditation model allows a person accredited to the ‘sponsored’ level (an ‘affiliate’) to provide goods or services directly to a consumer. To do so, they must have a written contract with an unrestricted accredited person (a ‘sponsor’) who collects CDR data from data holders on their behalf.
For more information on the sponsored accreditation model, see OAIC’s guidance on privacy obligations of sponsors and affiliates.
CDR representative arrangement
Under CDR Rule 1.10AA, the CDR representative model enables unaccredited persons (a ‘CDR representative’) to provide goods and services to consumers using CDR data, when they are in a CDR representative arrangement with an unrestricted accredited person (a ‘CDR representative principal’) who is liable for them.
In accordance with CDR Rule 1.10AA(1)(a), CDR representatives cannot deal with consumers in their capacity as a CDR business consumer, and as such can’t invite consumers to give a business consumer statement.
For more information on the CDR representative model, see OAIC’s guidance on privacy obligations for CDR principals and CDR representatives.
Business consumer statement
An accredited person can treat a consumer as a business consumer if they take reasonable steps to confirm that the consumer is a business, using the criteria specified in CDR Rule 1.10A(9).
CDR Rule 1.10A(10) outlines the circumstances in which a business consumer can be asked to provide a business consumer statement. Importantly, a business consumer statement can’t be given in relation to a Collection consent. Additionally, CDR Representatives cannot deal with consumers in their capacity as a CDR business consumer, as per CDR Rule 1.10AA(1)(a).
The following wireframes provide an example of how an accredited person can invite a business consumer to give a business consumer statement in relation to a Use consent.
Download open source asset
Open source design assets are created in Figma for the purposes of assisting implementation. This Figma file contains annotated wireframes and working prototypes for the Collection and use consent, including:
- Collection and use consents - default example
- ADR uses outsourced service providers
- Sponsorship arrangements
- CDR representative arrangements
- Business consumer statement
| Item | File | Date released | Version introduced |
|---|---|---|---|
| | | May 1, 2024 | 1.30.0 |
For past versions, refer to Change log.
About this page
Last updated
This page was updated May 1, 2024
Have your say
Community consultations and maintenance are part of our ongoing process. Here’s how you can get involved:
- Request new Guidelines or changes to existing Guidelines through the Guidelines Consultation process
- Request new Standards or changes to existing Standards through the Standards Maintenance process
- Log a ticket for any questions about the rules, standards, or guidelines through the CDR Support Portal
- Email your feedback to cx@dsb.gov.au