Wireframe ref | Type | Requirement level | Statement | Reference | Checklist ref | Focus area |
|---|---|---|---|---|---|---|
02 | CDR Rule | MUST NOT | (3) An accredited person must not ask for a consent: (a) that is not in a category of consents; or (b) subject to subrule (4), for using the CDR data, including by aggregating the data, for the purpose of: (i) identifying; or (ii) compiling insights in relation to; or (iii) building a profile in relation to; any identifiable person who is not the CDR consumer who made the consumer data request. (4) Paragraph (3)(b) does not apply in relation to a person whose identity is readily apparent from the CDR data, if the accredited person is seeking consent to: (a) derive, from that CDR data, CDR data about that person’s interactions with the CDR consumer; and (b) use that derived CDR data in order to provide the requested goods or services. | CDR Rule 4.12(3), (4) | 1CO.00.02 | |
03 | CDR Rule | MUST | A request by an accredited person for a CDR consumer to give or amend a consent: (a) must comply with any relevant data standards; and (b) having regard to any consumer experience guidelines made by the Data Standards Body—must be reasonably easy to understand, including by use of plain concise language and, where appropriate, visual aids; | CDR Rule 4.10(a), (b) | 1CO.00.03 | |
04 | CDR Rule | MUST NOT | A request by an accredited person for a CDR consumer to give or amend a consent: (c) must not include or refer to the accredited person’s CDR policy or other documents in a way that reduces understandability; and (d) must not be combined with other requests except for a consent under these rules (other than a request for direct marketing or de-identification consent). | CDR Rule 4.10(c), (d) | 1CO.00.04 | |
05 | CDR Rule | MUST | (3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information: (a) its name; (b) its accreditation number; | CDR Rule 4.11(3)(a), (b) | 1CO.00.05 | |
06 | CDR Rule | MUST | (1) When asking a CDR consumer to give a consent, an accredited person must: (aa) in the case of a use consent—either: (i) allow the CDR consumer to actively select or otherwise clearly indicate the specific uses of collected data to which the consent will apply; or (ii) seek the CDR consumer’s agreement to the specific uses of collected data (as presented to the CDR consumer) to which the consent will apply; | CDR Rule 4.11(1)(aa) | CX Research 2, 6 | 1CO.02.06 | |
07 | CDR Rule | MUST | (3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information: (c) in the case of a collection consent, use consent or disclosure consent—information about how the collection, use or disclosure indicated in a manner consistent with the requirements set out in subrule (1) complies with the data minimisation principle, including: (i) in the case of a collection consent in relation to the provision of requested goods or services—an explanation of why that collection is reasonably needed, and relates to a time period that is no longer than is reasonably needed; in order to provide the requested goods or services to the CDR consumer, or to effect the permitted uses or disclosures consented to; | CDR Rule 4.11(3)(c)(i) | OAIC Chapter C: Consent (Data minimisation principle) | CX Research 1, 3 | 1CO.02.07 | |
08 | CDR Rule | MUST NOT | (2) An accredited person must not ask for a collection consent, use consent or disclosure consent unless the collection, use or disclosure of CDR data in accordance with the consent would comply with the data minimisation principle. | CDR Rule 4.12(2) | OAIC Chapter C: Consent (Data minimisation principle) | CX Research 1, 3 | 1CO.02.08 | |
09 | CDR Rule | MUST | (1) When asking a CDR consumer to give a consent, an accredited person must: (a) in the case of a collection consent or a disclosure consent—either: (i) allow the CDR consumer to actively select or otherwise clearly indicate the particular types of CDR data to which the consent will apply; or (ii) seek the CDR consumer’s agreement to the particular types of CDR data (as presented to the CDR consumer) to which the consent will apply; | CDR Rule 4.11(1)(a) | 1CO.02.09 | |
10 | CDR Rule | MUST NOT | (2) The accredited person must not request direct marketing consents or de‑identification consents by means of pre-selected options for the purposes of subrule (1). | CDR Rule 4.11(2) | 1CO.02.10 | |
11 | CDR Rule | MUST | (1) The Data Standards Chair must make one or more data standards about each of the following: (d) the types of CDR data and descriptions of those types, to be used by CDR participants in making and responding to requests; | CDR Rule 8.11(1)(d) | 1CO.02.11 | |
12 | CDR Rule | MUST | (1) When asking a CDR consumer to give a consent, an accredited person must: (b) in relation to the period of the collection consent, use consent, or disclosure consent (as appropriate)—either: (i) allow the CDR consumer to actively select or otherwise clearly indicate the period of consent; or (ii) seek the CDR consumer’s agreement to the period of consent (as presented to the CDR consumer) to which the consent will apply; where the period of consent is either: (iii) a single occasion; or (iv) a specified period of time; Note 2: For paragraph (b), the specified period may not be more than 12 months (or 7 years for certain consents by a CDR business consumer): see subrule 4.12(1). After the end of the period, redundant data would need to be dealt with in accordance with subsection 56EO(2) of the Act (privacy safeguard 12) and rules 7.12 and 7.13. | CDR Rule 4.11(1)(b), (Note 2) | CX Research 4, 5 | 1CO.02.12 | |
13 | CDR Rule | MUST NOT | (1) Subject to subrule (1A), an accredited person must not specify a period of time for the purposes of paragraph 4.11(1)(b) that is more than 12 months. | CDR Rule 4.12(1) | CX Research 4, 5 | 1CO.02.13 | |
15 | CDR Rule | MUST | (3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information: (g) a statement that, at any time, the consent can be withdrawn; | CDR Rule 4.11(3)(g) | CX Research 7, 32 | 1CO.02.15 | |
18 | CDR Rule | MUST | (3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information: (h) the following information about redundant data: (i) a statement, in accordance with rule 4.17, regarding the accredited person’s intended treatment of redundant data; | CDR Rule 4.11(3)(h)(i) | 1CO.02.18 | |
19 | CDR Rule | MUST | (1) For subparagraph 4.11(3)(h)(i), the accredited person must state whether they have a general policy, when collected CDR data becomes redundant data, of: (a) deleting the redundant data; or (b) de-identifying the redundant data; or (c) deciding, when the CDR data becomes redundant data, whether to delete it or de-identify it. | CDR Rule 4.17(1) | CX Research 18 | 1CO.02.19 | |
22 | CDR Rule | MUST | (1) When asking a CDR consumer to give a consent, an accredited person must: (c) seek the CDR consumer’s express consent to the matters referred to in paragraphs (a), (aa), (b) and (ba) for each relevant category of consents; | CDR Rule 4.11(1)(c) | 1CO.02.22 | |
23 | CDR Rule | MUST | An accredited person must give the CDR consumer a notice that complies with the data standards as soon as practicable after the CDR consumer: (a) gives the accredited person a collection consent, use consent or disclosure consent; | CDR Rule 4.18(a) | 1CO.02.23 | |
26 | CX Standard | MUST | Data Recipients and Data Holders MUST use data language standards to describe data clusters and permissions in consumer-facing interactions. See the Banking Language section for language to be used when requesting banking data; and the Energy Language section for language to be used when requesting energy data. Data language standards MUST be used when CDR data is being requested, reviewed, or access to such data is withdrawn. Data Recipients and Data Holders MUST use the appropriate data standards language for business consumers as denoted with an '*' for the relevant data. Data Recipients and Data Holders SHOULD expand on the proposed language where appropriate to communicate further details of what is being shared. Additional details MAY include additional information in context, such as in-line help or tool tips, and/or additional permissions where they may exist. Examples of permission details that MAY be used and provided as in-line help are denoted with an '†' for the relevant data. | Data Language Standards: Common, Data Language Standards: Language to be used | 1CO.02.26 | |
27 | CX Standard | MUST | If a scenario requires it, Data Holders and Data Recipients MUST merge and amend Basic and Detailed data cluster and permission language to show that Detailed scopes include Basic data. Data Holders and Data Recipients MUST use the alternative language denoted with an '‡' for the relevant scope(s). See the Banking Language section for banking data and the Energy Language section for energy data. Example: A Data Recipient presents the Detailed data cluster in a data request to a consumer, but does not present the Basic data cluster. The Detailed scope includes Basic data, but this is not apparent to the consumer based on the data cluster language and permissions used for the Detailed scope. | Data Language Standards: Common, Data Language Standards: Detailed scope requests | 1CO.02.27 | |
28 | CX Standard | MUST | Data recipients MUST notify consumers of redirection prior to authentication. | 1CO.02.28 | ||
29 | CX Guideline | MAY | Data recipients may choose to present data holder selection screens before or after the terms of consent. | 1CO.01.29 | ||
30 | CX Guideline | MAY | Data recipients should make the data holder list searchable if the number of data holders exceeds what can be displayed on the screen. | 10 Usability Heuristics for User Interface Design: Flexibility and efficiency of use (Nielsen) | 1CO.01.30 | |
31 | CX Guideline | MAY | Data recipients should list data holders in an easily scannable way. This can be done alphabetically or contextually (for example, starting with popular data holders). | 10 Usability Heuristics for User Interface Design: Flexibility and efficiency of use (Nielsen) | 1CO.01.31 | |
32 | CX Guideline | MAY | Data recipients should refer to data holder brand names in the provider selection list. | 1CO.01.32 | ||
33 | CX Guideline | MAY | Data recipients should also include a link to their specific page on www.cdr.gov.au/find-a-provider for accreditation verification purposes. | CX Research: 2019 Phase 2, Stream 1 report; 2020 Phase 3, Round 3 report | 1CO.02.33 | |
34 | CX Guideline | MAY | Data recipients will need to explain how the time period complies with the data minimisation principle (DMP). This is required for data that is yet to be generated (e.g. for an ongoing consent) as well as historical data (e.g. for collection on a 'single occasion'). Example DMP statement for data that is yet to be generated: We need to collect and use your data for 12 months so [we can update your financial position in real-time] to [deliver accurate and tailored personal financial management]. Example DMP statement for historical data: We need to collect the last 12 months of your data so [we can assess seasonal changes] to [provide an accurate energy comparison]. | CDR Rule 4.11(3)(c), 1.8 | OAIC Chapter C: Consent (Data minimisation principle) | CX Research 1, 3 | 1CO.02.34 | |
35 | CX Guideline | MAY | Data recipients should identify whether the user is sharing individual or non-individual accounts in order to surface the correct data language. | 1CO.02.35 | ||
36 | CX Guideline | MAY | Data recipients should present the purpose of the consent request in relation to each data cluster unless this statement applies equally to all datasets. If the statement applies equally to all datasets, data recipients should present this to the consumer clearly in relation to all of the datasets. | CDR Rule 4.11(3)(c), 1.8 | 1CO.02.36 | |
37 | CX Guideline | MAY | Data recipients should make the consent process as easy to understand as possible. Data recipients should nudge consumers to be more privacy conscious and should use appropriate interventions to mitigate cognitive overload, facilitate comprehension, and provide transparency and consumer control. This can be done in a variety of ways, including through the use of design patterns like progressive disclosure, micro and/or descriptive copy, and with the use of microinteractions. | 1CO.00.37 | ||
40 | CX Guideline | MAY | To build consumer trust and confidence, data recipients should surface information about data deletion. This may include details from their CDR policy, as stated in CDR Rule 7.2(4)(k), and a link to read the policy. | CDR Rule 7.2(4)(k) | CX Research: 2019 Phase 1 report; 2019 Phase 2, Stream 3 report; 2020 Phase 3, Round 3 report; 2021 Disclosure Consent report | 1CO.02.40 | |
47 | CX Guideline | MAY | Data recipients are encouraged to provide information in relation to complaint handling at appropriate points throughout the Consent Model, such as: • during Pre-consent; • within the Consent Flow; and/or • within the CDR Receipt and/or Consumer Dashboards. | CX Research: 2020 Phase 3, Round 8 summary; 2021 Disclosure Consent report | 1CO.02.47 | |
48 | CX Guideline | MAY | CX research suggested that further information on data handling, including from government sources, can aid comprehension and confidence for Sceptic, Assurance Seeker and Sensemaker behavioural archetypes. Based on these insights, data recipients are encouraged to provide a link to OAIC’s guidance on Privacy Safeguard 12, which outlines information on data security and redundant data handling. | CDR Privacy Safeguard Guidelines: Privacy Safeguard 12 | CX Research: 2021 Disclosure Consent report | 1CO.02.48 | |
49 | CDR Rule | MUST | (1A) In the case of a consent given by a CDR business consumer that includes a business consumer statement, an accredited person must: (a) not specify a period of time that is more than 7 years; and (b) if specifying a period of time of more than 12 months, give the CDR business consumer the option of choosing a period for the consent of 12 months or less. | CDR Rule 4.12(1A) | 1CO.02.49 | |
50 | CX Guideline | MAY | Data recipients should include information about data sharing with the CDR. | 1CO.02.50 | ||
51 | CDR Rule | MUST | (3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information: (c) in the case of a collection consent, use consent or disclosure consent—information about how the collection, use or disclosure indicated in a manner consistent with the requirements set out in subrule (1) complies with the data minimisation principle, including: (ii) in the case of a use consent or disclosure consent—an explanation of why that use or disclosure does not go beyond what is reasonably needed; in order to provide the requested goods or services to the CDR consumer, or to effect the permitted uses or disclosures consented to; | CDR Rule 4.11(3)(c)(ii) | OAIC Chapter C: Consent (Data minimisation principle) | CX Research 1, 3 | 1CO.02.51 | |
52 | CDR Rule | MUST | Rule 4.18 of the principal rules, as in force immediately before the commencement of the amending rules, continues to apply, on and after that commencement, to an accredited person until the coming into effect of data standards made for the purposes of paragraph 8.11(1)(fa) of the principal rules in relation to rule 4.18. | CDR Rule 503 | 1CO.00.52 | |
53 | CX Standard | MUST | Effective from 14 July 2025: A CDR receipt provided by a data recipient MUST be given in writing otherwise than through the consumer dashboard. | 1CO.00.53 | ||
54 | CX Guideline | MAY | ADRs should send CDR receipts via the consumer's preferred delivery channels. | 1CO.00.54 | ||
55 | CX Guideline | MAY | The CX Standards for CDR Receipts take effect on 14 July 2025. The existing requirements regarding CDR receipts will continue to apply until the relevant data standards are made and in effect, as per the transitional provision outlined in CDR Rule 503 (and 506 for CDR representatives). Data recipients should refer to the CDR Rules as they were in effect from 22 July 2023 to 11 November 2024 for details of their obligations with regards to CDR receipts until this date. | CDR Rules 4.18 and 503; 4.20O and 506 | Notification Standards, CDR Receipts | 1CO.00.55 |