Wireframe ref | Type | Requirement level | Statement | Reference | Checklist ref | Focus area |
|---|---|---|---|---|---|---|
01 | CDR Rule | MUST | (2A) The accredited person may also ask a CDR consumer to give a disclosure consent in relation to CDR data, either: (b) after the CDR consumer has given a collection consent requested under subrule (2) in relation to the CDR data whether or not the CDR data has yet been collected. Note 1: Requests for collection consent, use consent and disclosure consent may be bundled together (see subrules 4.3(2) and (2A). Note 2: The CDR data may be disclosed only in accordance with the data minimisation principle: see rule 1.8. | CDR Rule 4.3(2A)(b), (Note 1), (Note 2) | 1CO5.00.01 | |
02 | CDR Rule | MUST | (11) For these rules, a business consumer disclosure consent in relation to particular CDR data of a CDR business consumer held by an accredited data recipient is a disclosure consent given by the CDR business consumer under these rules that: (a) authorises the accredited data recipient to disclose the CDR data to a specified person; and (b) includes a business consumer statement. | CDR Rule 1.10A(11) | 1CO5.00.02 | |
03 | CDR Rule | MUST NOT | (12) An accredited person must not make: (c) the specification of a particular person for the purposes of paragraph (11)(a); a condition for supply of the goods or services requested by the CDR business consumer. | CDR Rule 1.10A(12)(c) | 1CO5.00.03 | |
04 | CDR Rule | MUST | (1) When asking a CDR consumer to give a consent, an accredited person must:(ba) in the case of a disclosure consent―either: (i) allow the CDR consumer to actively select or otherwise clearly indicate the persons to whom the CDR data may be disclosed; or (ii) seek the CDR consumer’s agreement to the persons (as presented to the CDR consumer) to whom the CDR data may be disclosed; | CDR Rule 4.11(1)(ba) | 1CO5.00.04 | |
05 | CDR Rule | MUST | (9) For these rules, a CDR consumer is taken to be a CDR business consumer in relation to a consumer data request to be made by an accredited person if the accredited person has taken reasonable steps to confirm that: (a) the CDR consumer is not an individual; or (b) the CDR consumer has an active ABN. | CDR Rule 1.10A(9) | 1CO5.00.05 | |
06 | CDR Rule | MUST | (2) An accredited data recipient must keep and maintain records that record and explain the following: (eg) any steps taken for the purposes of subrule 1.10A(9) to confirm that a CDR consumer is a CDR business consumer; | CDR Rule 9.3(2)(eg) | 1CO5.00.06 | |
07 | CDR Rule | MUST | (10) For these rules, a business consumer statement is a statement made by a CDR business consumer that: (a) is given in relation to a consent in one of the following categories: (i) use consents relating to the goods or services requested by the CDR business consumer; (ii) TA disclosure consents; (iii) insight disclosure consents; (iv) business consumer disclosure consents; and (b) certifies that the consent is given for the purpose of enabling the accredited person to provide goods or services to the CDR business consumer in its capacity as a business (and not as an individual). Note: Only an accredited person is able to deal with a CDR consumer in the CDR consumer’s capacity as a CDR business consumer, and is hence able to invite a CDR consumer to provide a business consumer statement. | CDR Rule 1.10A(10), (Note) | 1CO5.00.07 | |
08 | CDR Rule | MUST | (1) When asking a CDR consumer to give a consent, an accredited person must: (bb) where the accredited person proposes, or is offering, to deal with a person in their capacity as a CDR business consumer in relation to a consent of a kind mentioned in paragraph 1.10A(10)(a)―invite the CDR business consumer to provide the business consumer statement | CDR Rule 4.11(1)(bb) | 1CO5.00.08 | |
09 | CDR Rule | MUST NOT | (12) An accredited person must not make: (b) the giving of a business consumer statement; a condition for supply of the goods or services requested by the CDR business consumer. | CDR Rule 1.10A(12)(b) | 1CO5.00.09 | |
10 | CDR Rule | MUST | (13) To avoid doubt, paragraphs (12)(a) and (b) do not apply where the only good or service that is requested by the CDR business consumer is for CDR data to be collected from a data holder and provided to a specified person. | CDR Rule 1.10A(13) | 1CO5.00.10 | |
11 | CDR Rule | MUST | (1) When asking a CDR consumer to give a consent, an accredited person must: (b) in relation to the period of the collection consent, use consent, or disclosure consent (as appropriate)—either: (i) allow the CDR consumer to actively select or otherwise clearly indicate the period of consent; or (ii) seek the CDR consumer’s agreement to the period of consent (as presented to the CDR consumer) to which the consent will apply; where the period of consent is either: (iii) a single occasion; or (iv) a specified period of time; and Note 2: For paragraph (b), the specified period may not be more than 12 months (or 7 years for certain consents by a CDR business consumer): see subrule 4.12(1). After the end of the period, redundant data would need to be dealt with in accordance with subsection 56EO(2) of the Act (privacy safeguard 12) and rules 7.12 and 7.13. | CDR Rule 4.11(1)(b), (Note 2) | 1CO5.00.11 | |
12 | CDR Rule | MUST NOT | (1) Subject to subrule (1A), an accredited person must not specify a period of time for the purposes of paragraph 4.11(1)(b) that is more than 12 months. | CDR Rule 4.12(1) | 1CO5.00.12 | |
13 | CDR Rule | MUST | (1A) In the case of a consent given by a CDR business consumer that includes a business consumer statement, an accredited person must: (a) not specify a period of time that is more than 7 years; and (b) if specifying a period of time of more than 12 months, give the CDR business consumer the option of choosing a period for the consent of 12 months or less. | CDR Rule 4.12(1A) | 1CO5.00.13 | |
14 | CDR Rule | MUST | (1) When asking a CDR consumer to give a consent, an accredited person must:(a) in the case of a collection consent or a disclosure consent—either: (i) allow the CDR consumer to actively select or otherwise clearly indicate the particular types of CDR data to which the consent will apply; or (ii) seek the CDR consumer’s agreement to the particular types of CDR data (as presented to the CDR consumer) to which the consent will apply; | CDR Rule 4.11(1)(a) | 1CO5.00.14 | |
15 | CDR Rule | MUST | An accredited person must give the CDR consumer a notice that complies with the data standards as soon as practicable after the CDR consumer: (a) gives the accredited person a collection consent, use consent or disclosure consent; | CDR Rule 4.18(a) | 1CO5.00.15 | |
18 | CX Standard | MUST | Data recipients MUST use plain and concise language when inviting a consumer to give a business consumer statement. | 1CO5.00.18 | ||
19 | CX Standard | MUST | When seeking a business consumer statement, data recipients MUST invite the business consumer to give the business consumer statement in a manner that is explicit, express, and through an active selection or declaration. The giving of a business consumer statement MUST be clearly separated from any other interaction or information provided to the consumer and MUST NOT be implied or bundled with any other permission. | 1CO5.00.19 | ||
20 | CX Standard | MUST | Data Recipients and Data Holders MUST use data language standards to describe data clusters and permissions in consumer-facing interactions. See the Banking and Non-Bank Lending Language section for language to be used when requesting banking and non-bank lending data; and the Energy Language section for language to be used when requesting energy data. Data language standards MUST be used when CDR data is being requested, reviewed, or access to such data is withdrawn. Data Recipients and Data Holders MUST use the appropriate data standards language for business consumers as denoted with an '*' for the relevant data. Data Recipients and Data Holders SHOULD expand on the proposed language where appropriate to communicate further details of what is being shared. Additional details MAY include additional information in context, such as in-line help or tool tips, and/or additional permissions where they may exist. Examples of permission details that MAY be used and provided as in-line help are denoted with an '†' for the relevant data. | Data Language Standards: Common, Data Language Standards: Language to be used | 1CO5.00.20 | |
21 | CX Standard | MUST | If a scenario requires it, Data Holders and Data Recipients MUST merge and amend Basic and Detailed data cluster and permission language to show that Detailed scopes include Basic data. Data Holders and Data Recipients MUST use the alternative language denoted with an '‡' for the relevant scope(s). See the Banking and Non-Bank Lending Language section for banking and non-bank lending data and the Energy Language section for energy data. Example: A Data Recipient presents the Detailed data cluster in a data request to a consumer but does not present the Basic data cluster. The Detailed scope includes Basic data, but this is not apparent to the consumer based on the data cluster language and permissions used for the Detailed scope. | Data Language Standards: Common, Data Language Standards: Detailed scope requests | 1CO5.00.21 | |
22 | CX Standard | MUST | In the course of seeking a consumer’s consent to disclose data as part of a disclosure consent: 1. Data Recipients MUST specify which CDR Participant(s) they collected the associated CDR data from. 2. Data Recipients SHOULD specify the sector(s) the data was collected from or associated with. Note: • Point (1) only requires the Data Recipient to refer to the CDR Participant(s) immediately preceding them in the disclosure chain, which may not always include a consumer’s Data Holder(s). • This standard is proposed to apply to all data to be disclosed by a Data Recipient, including unmodified, aggregated, derived, and transformed CDR data. • Where applicable, the existing data language standards apply to descriptions of CDR data that have not been modified. | 1CO5.00.22 | ||
23 | CX Standard | MUST | Data recipients MUST state that data disclosed to a non-accredited person will not be regulated as part of the Consumer Data Right. This information SHOULD be immediately viewable by the consumer without further interaction. Data recipients MAY include a plain and concise explanation of what this means, which MAY include information on the Consumer Data Right, and MAY include a link to the Office of the Australian Information Commissioner guidance on the Consumer Data Right. | 1CO5.00.23 | ||
24 | CX Standard | MUST | Data recipients MUST provide plain and concise information on dispute resolution and making a complaint. This SHOULD reflect the process and information contained in the data recipient’s CDR policy related to complaints. This MAY also include a link to the accredited data recipient’s CDR policy. | 1CO5.00.24 | ||
25 | CX Standard | MUST | Data recipients MUST advise the consumer to review how the non-accredited person will handle their data. | 1CO5.00.25 | ||
26 | CX Standard | MAY | If available, data recipients MAY include a link to any relevant data handling policies of the non-accredited person, such as their Privacy Policy. | 1CO5.00.26 | ||
27 | CX Standard | MUST | Data recipients MUST provide the information contained in the disclosure notification otherwise than in the consent flow. This SHOULD be contained in the consumer’s CDR Receipt. This SHOULD also be accessible in the consumer dashboard as part of the data sharing arrangement details. Note 1: The information to be included is limited to the following standards: CDR Protections; Review; Data Handling; Complaints; and Insight Records. The scope of information to include will depend on the accredited person’s specific implementation. Note 2: This standard does not alter any existing rules obligations for CDR receipts or dashboards. | 1CO5.00.27 | ||
28 | CX Guideline | MAY | Data recipients may invite a consumer to give a use consent to confirm whether they are a business consumer, per the requirements of CDR Rule 1.10A(9). This could be requested in conjunction with a collection consent, or could be requested as a detached use for already collected data. | CDR Rule 1.10A(9) | 1CO5.00.28 | |
29 | CX Guideline | MAY | Data recipients should only request a business consumer statement if they have verified the consumer is a business consumer — per CDR Rule 1.10(9) — and reasonably expect them to be intending to use the service for business purposes. Appropriate pre-consent and onboarding experiences can assist with funnelling consumers towards the most appropriate consent flow for their needs. This can reduce cognitive load for non-business consumers, and prevent consumers from inadvertently providing a business consumer statement. | CDR Rule 1.10(9) | 1CO5.00.29 | |
32 | CX Guideline | MAY | Inline with CDR Rule 1.10A(9), when verifying the consumer is not an individual or has an active ABN, data recipients should be satisfied that the evidence given — such as the ABN — is current and relates to the consumer. | CDR Rule 1.10A(9) | 1CO5.00.32 | |
33 | CX Guideline | MAY | In accordance with CDR Rule 4.11(1)(bb), data recipients must invite a business consumer to give a business consumer statement in the consent flow. This invitation should be presented upfront. Doing so can help data recipients determine the appropriate consent duration and customer data language standards to surface, and whether a business consumer disclosure consent can be requested. | CDR Rule 4.11(1)(bb) | 1CO5.00.33 | |
34 | CX Guideline | MAY | Data recipients must only present business consumers with a pre-selected duration of more than 12 months where the service reasonably requires this and in compliance with the data minimisation principle, CDR Rule 1.8. | CDR Rule 1.8 | 1CO5.00.34 | |
35 | CX Guideline | MAY | Where a data recipient presents a duration over 12 months for a consent that includes a business consumer statement, they must give the consumer at least one option of 12 months or less, to meet CDR Rule 4.12(1A)(b). For example, if a data recipient presents a 3 year duration, they might offer a 12 month option, a 6 month option, or both, but at least one must be offered. Data recipients are not required to allow the consumer to choose an alternative duration where durations of 12 months or less are proposed. However, data recipients may voluntarily provide this choice. When presenting duration options, data recipients should present consumers with a limited selection of duration options to reduce cognitive load. The options presented should represent the most common and/or most appropriate durations for the service being offered and be in compliance with the data minimisation principle. | CDR Rule 4.12(1A)(b) | Nielsen Norman Group: 10 Usability Heuristics for User Interface Design (Error prevention) | 1CO5.00.35 | |
36 | CX Guideline | MAY | Data recipients are encouraged to provide links to the non-accredited person’s data handling information for the consumer to review. CX research and consultation suggested that accurate information on data handling provided by the non-accredited person would increase trustworthiness and consumer comfort. | CX Research: 2021 Disclosure Consent report | 1CO5.00.36 | |
37 | CX Guideline | MAY | If the non-accredited person does not have a Privacy Policy, data recipients are encouraged to provide the consumer with other details; • to contact the non-accredited person; or • to review up-to-date information on the non-accredited person's data handling policies. | CX Research: 2021 Disclosure Consent report | 1CO5.00.37 | |
38 | CDR Rule | MUST | (3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information: (c) in the case of a collection consent, use consent or disclosure consent—information about how the collection, use or disclosure indicated in a manner consistent with the requirements set out in subrule (1) complies with the data minimisation principle, including: (ii) in the case of a use consent or disclosure consent—an explanation of why that use or disclosure does not go beyond what is reasonably needed; in order to provide the requested goods or services to the CDR consumer, or to effect the permitted uses or disclosures consented to; | CDR Rule 4.11(3)(c)(ii) | 1CO5.00.38 | |
39 | CDR Rule | MUST | (1) When asking a CDR consumer to give a consent, an accredited person must: (c) seek the CDR consumer’s express consent to the matters referred to in paragraphs (a), (aa), (b) and (ba) for each relevant category of consents; | CDR Rule 4.11(1)(c) | 1CO5.00.39 | |
40 | CDR Rule | MUST | Rule 4.18 of the principal rules, as in force immediately before the commencement of the amending rules, continues to apply, on and after that commencement, to an accredited person until the coming into effect of data standards made for the purposes of paragraph 8.11(1)(fa) of the principal rules in relation to rule 4.18. | CDR Rule 503 | 1CO5.00.40 | |
41 | CX Standard | MUST | Effective from 14 July 2025: A CDR receipt provided by a data recipient MUST be given in writing otherwise than through the consumer dashboard. | 1CO5.00.41 | ||
42 | CX Guideline | MAY | The rules do not allow an individual without an active ABN to be treated as a CDR business consumer. | 1CO5.00.42 | ||
43 | CX Guideline | MAY | Data recipients should use their discretion to determine whether a step to select a non-Accredited Person is required for their service. For example, the selection step may be necessary where the data recipient offers a range persons to whom the consumer can disclose. By contrast, the selection step may not be necessary where the consumer has a pre-existing relationship with a non-Accredited Person and the data recipient can reasonably assume that the consumer is engaging their service to disclose their data to this non-AP. | CDR Rule 4.11(1)(ba) | 1CO5.00.43 | |
44 | CX Guideline | MAY | Data recipients should make the consent process as easy to understand as possible. Data recipients should nudge consumers to be more privacy conscious and should use appropriate interventions to mitigate cognitive overload, facilitate comprehension, and provide transparency and consumer control. This can be done in a variety of ways, including through the use of design patterns like progressive disclosure, micro and/or descriptive copy, and with the use of microinteractions. | 1CO5.00.44 | ||
45 | CX Guideline | MAY | When data is requested and accessed, language used to describe the data must be described in accordance with the relevant CX standards; • ‘Data Language Standards: Language to be used’ and ‘Data Language Standards: Detailed scope requests’ applies when describing unmodified data from data holder(s). • ‘Consent Standards, Disclosure consent: Collection source’ applies to any data collected, but can be stated once where the collection source is the same for all data. • ‘Consent Standards, Disclosure Consent: Descriptions of Data to be Collected and Disclosed’ applies when describing any dataset. | 1CO5.00.45 | ||
46 | CX Guideline | MAY | Data recipients should send CDR receipts via the consumer's preferred delivery channels, other than through the consumer dashboard. | 1CO5.00.46 | ||
47 | CX Guideline | MAY | The CX Standards for CDR Receipts take effect on 14 July 2025. The existing requirements regarding CDR receipts will continue to apply until the relevant data standards are made and in effect, as per the transitional provision outlined in CDR Rule 503 (and 506 for CDR representatives). Data recipients should refer to the CDR Rules as they were in effect from 22 July 2023 to 11 November 2024 for details of their obligations with regards to CDR receipts until this date. | CDR Rules 4.18 and 503; 4.20O and 506 | Notification Standards, CDR Receipts | 1CO5.00.47 |