Wireframe ref | Type | Requirement level | Statement | Reference | Checklist ref | Focus area |
---|---|---|---|---|---|---|
02 | CDR Rule | MUST NOT | (3) An accredited person must not ask for a consent: (a) that is not in a category of consents; or (b) subject to subrule (4), for using the CDR data, including by aggregating the data, for the purpose of: (i) identifying; or (ii) compiling insights in relation to; or (iii) building a profile in relation to; any identifiable person who is not the CDR consumer who made the consumer data request. (4) Paragraph (3)(b) does not apply in relation to a person whose identity is readily apparent from the CDR data, if the accredited person is seeking consent to: (a) derive, from that CDR data, CDR data about that person’s interactions with the CDR consumer; and (b) use that derived CDR data in order to provide the requested goods or services. | CDR Rule 4.12(3), (4) | 1CO1.00.02 | |
03 | CDR Rule | MUST | (1) An accredited person’s processes for asking a CDR consumer to give or amend a consent: (a) must: (i) accord with any relevant data standards; and (ii) having regard to any consumer experience guidelines developed by the Data Standards Body, be as easy to understand as practicable, including by use of concise language and, where appropriate, visual aids; | CDR Rule 4.10(1)(a) | 1CO1.00.03 | |
04 | CDR Rule | MUST NOT | (1) An accredited person’s processes for asking a CDR consumer to give or amend a consent: (b) must not: (i) include or refer to the accredited person’s CDR policy or other documents so as to reduce comprehensibility; or (ii) bundle consents with other directions, permissions, consents or agreements. | CDR Rule 4.10(1)(b) | 1CO1.00.04 | |
05 | CDR Rule | MUST | (3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information: (a) its name; (b) its accreditation number; | CDR Rule 4.11(3)(a), (b) | 1CO1.00.05 | |
06 | CDR Rule | MUST | (1) When asking a CDR consumer to give a consent, an accredited person must: (ba) in the case of a disclosure consent―allow the CDR consumer to select the person to whom the CDR data may be disclosed; | CDR Rule 4.11(1)(ba) | 1CO1.00.06 | |
07 | CDR Rule | MUST | (1) When asking a CDR consumer to give a consent, an accredited person must: (b) allow the CDR consumer to choose the period of the collection consent, use consent, or disclosure consent (as appropriate) by enabling the CDR consumer to actively select or otherwise clearly indicate whether the consent would apply: (i) on a single occasion; or (ii) over a specified period of time; | CDR Rule 4.11(1)(b); CX Research 4, 5 | 1CO1.00.07 | |
08 | CDR Rule | MUST NOT | (1) Subject to subrule (1A), an accredited person must not specify a period of time for the purposes of paragraph 4.11(1)(b) that is more than 12 months. | CDR Rule 4.12(1); CX Research 4, 5 | 1CO1.00.08 | |
09 | CDR Rule | MUST | (1) When asking a CDR consumer to give a consent, an accredited person must: (a) allow the CDR consumer to choose the types of CDR data to which the consent will apply by enabling the CDR consumer to actively select or otherwise clearly indicate: (i) in the case of a collection consent or a disclosure consent―the particular types of CDR data to which the consent will apply; | CDR Rule 4.11(1)(a)(i) | 1CO1.01.09 | |
10 | CDR Rule | MUST | (1) The Data Standards Chair must make one or more data standards about each of the following: (d) the types of CDR data and descriptions of those types, to be used by CDR participants in making and responding to requests; | CDR Rule 8.11(1)(d) | 1CO1.01.10 | |
11 | CDR Rule | MUST NOT | (2) The accredited person must not present pre-selected options to the CDR consumer for the purposes of subrule (1). | CDR Rule 4.11(2) | 1CO1.01.11 | |
12 | CDR Rule | MUST | (3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information: (g) the following information about withdrawal of consents: (ii) instructions for how the consent can be withdrawn; | CDR Rule 4.11(3)(g)(ii) | CX Research 7 | 1CO1.00.12 | |
13 | CDR Rule | MUST | (3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information: (g) the following information about withdrawal of consents: (i) a statement that, at any time, the consent can be withdrawn; (iii) a statement indicating the consequences (if any) to the CDR consumer if they withdraw the consent; | CDR Rule 4.11(3)(g)(i), (iii) | CX Research 7, 32 | 1CO1.00.13 | |
14 | CDR Rule | MUST | (1) A CDR consumer who has given a consent to an accredited person for the purposes of this Division may withdraw the consent at any time: (a) by using the accredited person’s consumer dashboard; | CDR Rule 4.13(1)(a) | 1CO1.00.14 | |
15 | CDR Rule | MUST | (1) A CDR consumer who has given a consent to an accredited person for the purposes of this Division may withdraw the consent at any time: (b) by using a simple alternative method of communication to be made available by the accredited person for that purpose. | CDR Rule 4.13(1)(b) | 1CO1.00.15 | |
16 | CDR Rule | MUST | (3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information: (h) the following information about redundant data: (i) a statement, in accordance with rule 4.17, regarding the accredited person’s intended treatment of redundant data; | CDR Rule 4.11(3)(h)(i) | 1CO1.00.16 | |
17 | CDR Rule | MUST | (1) For subparagraph 4.11(3)(h)(i), the accredited person must state whether they have a general policy, when collected CDR data becomes redundant data, of: (a) deleting the redundant data; or (b) de-identifying the redundant data; or (c) deciding, when the CDR data becomes redundant data, whether to delete it or de-identify it. | CDR Rule 4.17(1) | CX Research 18 | 1CO1.00.17 | |
18 | CDR Rule | MUST | For these rules, the CDR data deletion process in relation to a person that holds CDR data that is to be deleted consists of the following steps: (a) delete, to the extent reasonably practicable, that CDR data and any copies of that CDR data; (b) make a record to evidence the deletion; and (c) where another person holds the CDR data on its behalf and will perform those steps—direct that person to notify it when those steps have been performed. | CDR Rule 1.18 | 1CO1.00.18 | |
19 | CDR Rule | MUST | (1) When asking a CDR consumer to give a consent, an accredited person must: (c) ask for the CDR consumer’s express consent to the choices referred to in paragraphs (a), (b) and (ba) for each relevant category of consents; | CDR Rule 4.11(1)(c) | 1CO1.00.19 | |
20 | CDR Rule | MUST | (1) An accredited person must give the CDR consumer a notice that complies with this rule (a CDR receipt) as soon as practicable after: (a) the CDR consumer gives the accredited person a collection consent, a use consent or a disclosure consent; | CDR Rule 4.18(1)(a) | 1CO1.00.20 | |
21 | CDR Rule | MUST | (4) A CDR receipt must be given in writing otherwise than through the CDR consumer’s consumer dashboard. | CDR Rule 4.18(4) | 1CO1.00.21 | |
22 | CDR Rule | MUST | (2) A CDR receipt given for the purposes of paragraph (1)(a) must set out: (a) the details that relate to the consent that are listed in paragraphs 1.14(3)(a) to (f); and (ba) in the case of a disclosure consent―the name of the person the CDR consumer has consented to the disclosure of CDR data to; and (c) any other information the accredited person provided | CDR Rule 4.18(2)(a), (ba), (c) | 1CO1.00.22 | |
23 | CX Standard | MUST | If: 1. An accredited person is seeking a collection consent to collect CDR data from a particular accredited data recipient; and 2. the data subject to the disclosure or collection is not within the data language standards as it does not relate to a relevant data cluster, then that data MUST be described in language that is as easy to understand as practicable. NB: This is a subset of the CX Standard referenced. | Disclosure Consent: Descriptions of Data to be Collected and Disclosed | 1CO1.00.23 | |
24 | CX Standard | MUST | Data Recipients and Data Holders MUST use data language standards to describe data clusters and permissions in consumer-facing interactions. See the Banking Language section for language to be used when requesting banking data; and the Energy Language section for language to be used when requesting energy data. Data language standards MUST be used when CDR data is being requested, reviewed, or access to such data is withdrawn. Data Recipients and Data Holders MUST use the appropriate data standards language for business consumers as denoted with an '*' for the relevant data. Data Recipients and Data Holders SHOULD expand on the proposed language where appropriate to communicate further details of what is being shared. Additional details MAY include additional information in context, such as in-line help or tool tips, and/or additional permissions where they may exist. Examples of permission details that MAY be used and provided as in-line help are denoted with an '†' for the relevant data. | | 1CO1.01.24 | |
25 | CX Standard | MUST | If a scenario requires it, Data Holders and Data Recipients MUST merge and amend Basic and Detailed data cluster and permission language to show that Detailed scopes include Basic data. Data Holders and Data Recipients MUST use the alternative language denoted with an '‡' for the relevant scope(s). See the Banking Language section for banking data and the Energy Language section for energy data. Example: A Data Recipient presents the Detailed data cluster in a data request to a consumer, but does not present the Basic data cluster. The Detailed scope includes Basic data, but this is not apparent to the consumer based on the data cluster language and permissions used for the Detailed scope. | | 1CO1.01.25 | |
26 | CX Standard | MUST | In the course of seeking a consumer’s consent to disclose data as part of a disclosure consent: 1. Data Recipients MUST specify which CDR Participant(s) they collected the associated CDR data from; 2. Data Recipients SHOULD specify the sector(s) the data was collected from or associated with. Note: • Point (1) only requires the Data Recipient to refer to the CDR Participant(s) immediately preceding them in the disclosure chain, which may not always include a consumer’s Data Holder(s); • This standard is proposed to apply to all data to be disclosed by a Data Recipient, including unmodified, aggregated, derived, and transformed CDR data; • Where applicable, the existing data language standards apply to descriptions of CDR data that have not been modified. | | 1CO1.01.26 | |
27 | CX Standard | MUST | Data recipients MUST notify consumers of redirection prior to authentication. | | 1CO1.00.27 | |
28 | CX Guideline | MAY | Data recipients should also include a link to their specific page on www.cdr.gov.au/find-a-provider for accreditation verification purposes. | CX Research: 2019 Phase 2, Stream 1; 2020 Phase 3, Round 3 | 1CO1.00.28 | |
29 | CX Guideline | MAY | Data recipients should show the accredited person’s accreditation number to facilitate consumer trust. | CX Research: 2019 Phase 2, Stream 1; 2020 Phase 3, Round 3 | 1CO1.00.29 | |
30 | CX Guideline | MAY | Data recipients should provide a link to their CDR policy. | | 1CO1.00.30 | |
31 | CX Guideline | MAY | Data recipients should make the consent process as easy to understand as possible. Data recipients should nudge consumers to be more privacy conscious and should use appropriate interventions to mitigate cognitive overload, facilitate comprehension, and provide transparency and consumer control. This can be done in a variety of ways, including through the use of design patterns like progressive disclosure, micro and/or descriptive copy, and with the use of microinteractions. | | 1CO1.01.31 | |
32 | CX Guideline | MAY | Data recipients should encourage consumers to check the accredited person’s data handling policies before consenting to have their data disclosed. | | 1CO1.00.32 | |
33 | CX Guideline | MAY | Data recipients should include their CDR policy in their CDR receipts. | | 1CO1.00.33 | |
34 | CDR Rule | MUST | (1A) In the case of a consent given by a CDR business consumer that includes a business consumer statement, an accredited person must: (a) not specify a period of time that is more than 7 years; and (b) if specifying a period of time of more than 12 months, give the CDR business consumer the option of choosing a period for the consent of 12 months or less. | CDR Rule 4.12(1A) | 1CO1.00.34 | |
35 | CX Guideline | MAY | CDR Representatives seeking an AP disclosure consent from a CDR consumer should refer to CDR Rule 4.3B(2) and Division 4.3A of the CDR Rules. | CDR Rules 4.3B(2), Division 4.3A | 1CO1.00.35 | |