01

(2A) The accredited person may also ask a CDR consumer to give a disclosure consent in relation to CDR data, either: (b) after the CDR consumer has given a collection consent requested under subrule (2) in relation to the CDR data whether or not the CDR data has yet been collected. Note 1: Requests for collection consent, use consent and disclosure consent may be bundled together (see subrules 4.3(2) and (2A). Note 2: The CDR data may be disclosed only in accordance with the data minimisation principle: see rule 1.8.

CDR Rule 4.3(2A)(b), (Note 1), (Note 2)

1CO4.00.01

02

(1) When asking a CDR consumer to give a consent, an accredited person must: (ba) in the case of a disclosure consent―either: (i) allow the CDR consumer to actively select or otherwise clearly indicate the persons to whom the CDR data may be disclosed; or (ii) seek the CDR consumer’s agreement to the persons (as presented to the CDR consumer) to whom the CDR data may be disclosed;

CDR Rule 4.11(1)(ba)

1CO4.00.02

03

(4) Despite paragraph 7.5(1)(e), disclosure of a CDR insight under an insight disclosure consent is not a permitted use or disclosure if the CDR insight includes or reveals sensitive information within the meaning of the Privacy Act 1988.

CDR Rule 7.5A(4)

1CO4.00.03

04

(1) When asking a CDR consumer to give a consent, an accredited person must:  (a) in the case of a collection consent or a disclosure consent—either: (i) allow the CDR consumer to actively select or otherwise clearly indicate the particular types of CDR data to which the consent will apply; or (ii) seek the CDR consumer’s agreement to the particular types of CDR data (as presented to the CDR consumer) to which the consent will apply;

CDR Rule 4.11(1)(a)

1CO4.00.04

05

(3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information: (ca) in the case of an insight disclosure consent—an explanation of the CDR insight that will make clear to the CDR consumer what the CDR insight would reveal or describe;

CDR Rule 4.11(3)(ca)

1CO4.00.05

06

(3) For these rules, an insight disclosure consent in relation to particular CDR data of a CDR consumer held by an accredited data recipient, or a CDR representative that holds the CDR data as service data, is a disclosure consent given by the CDR consumer under these rules that: (a)  authorises the accredited data recipient or CDR representative to disclose the CDR data to a specified person for one or more of the following purposes: (i)  verifying the consumer’s identity; (ii)  verifying the consumer’s account balance; (iii)  verifying the details of credits to or debits from the consumer’s accounts; but (b)  where the CDR data relates to more than one transaction—does not authorise the accredited data recipient or CDR representative to disclose an amount or date in relation to any individual transaction.

CDR Rule 1.10A(3)

1CO4.00.06

07

An accredited person must give the CDR consumer a notice that complies with the data standards as soon as practicable after the CDR consumer: (a) gives the accredited person a collection consent, use consent or disclosure consent;

CDR Rule 4.18(a)

1CO4.00.07

10

Data recipients SHOULD explain the purpose of generating the insight.

Consent Standards, Disclosure Consent: Insight Descriptions, Insight disclosure: Purpose of insight

1CO4.00.10

11

Data recipients MUST use plain and concise language to describe what an insight would reveal or describe. Where possible and practical, the actual insight SHOULD be displayed to the consumer prior to the insight being disclosed. Where it is not possible to display the actual insight, accredited data recipients SHOULD include an example of the insight that demonstrates what the insight may reveal or describe. Accredited data recipients SHOULD make clear that any such examples are hypothetical.

Consent Standards, Disclosure Consent: Insight Descriptions, Insight disclosure: Insight comprehension

1CO4.00.11

12

Data recipients MAY explain how the insight will be generated using plain and concise language, which MAY include: • what method(s) would be used to generate the insight(s); • who would be involved in generating the insight(s), such as the specific actor(s); and • what information sources would be used to generate the insight, such as the specific dataset(s)

Consent Standards, Disclosure Consent: Insight Descriptions, Insight disclosure: Insight generation

1CO4.00.12

13

Data recipients MUST specify the period the insight will refer to and MAY note when the insight will be or is expected to be generated.

Consent Standards, Disclosure Consent: Insight Descriptions, Insight disclosure: Insight timing

1CO4.00.13

14

Data Recipients and Data Holders MUST use data language standards to describe data clusters and permissions in consumer-facing interactions. See the Banking and Non-Bank Lending Language section for language to be used when requesting banking and non-bank lending data; and the Energy Language section for language to be used when requesting energy data. Data language standards MUST be used when CDR data is being requested, reviewed, or access to such data is withdrawn. Data Recipients and Data Holders MUST use the appropriate data standards language for business consumers as denoted with an '*' for the relevant data. Data Recipients and Data Holders SHOULD expand on the proposed language where appropriate to communicate further details of what is being shared. Additional details MAY include additional information in context, such as in-line help or tool tips, and/or additional permissions where they may exist. Examples of permission details that MAY be used and provided as in-line help are denoted with an '†' for the relevant data.

Data Language Standards: Common, Data Language Standards: Language to be used

1CO4.00.14

15

In the course of seeking a consumer’s consent to disclose data as part of a disclosure consent: 1. Data Recipients MUST specify which CDR Participant(s) they collected the associated CDR data from. 2. Data Recipients SHOULD specify the sector(s) the data was collected from or associated with. Note: • Point (1) only requires the Data Recipient to refer to the CDR Participant(s) immediately preceding them in the disclosure chain, which may not always include a consumer’s Data Holder(s). • This standard is proposed to apply to all data to be disclosed by a Data Recipient, including unmodified, aggregated, derived, and transformed CDR data. • Where applicable, the existing data language standards apply to descriptions of CDR data that have not been modified.

Consent Standards, Disclosure consent: Collection source

1CO4.00.15

16

If: 1. An accredited person is seeking a collection consent to collect CDR data from a particular accredited data recipient; or 2. An accredited data recipient is seeking a disclosure consent from a consumer to disclose CDR data; and the data subject to the disclosure or collection is not within the data language standards as it does not relate to a relevant data cluster, then that data MUST be described in language that is as easy to understand as practicable.

Consent Standards, Disclosure consent: Descriptions of Data to be Collected and Disclosed

1CO4.00.16

17

When seeking an insight disclosure consent, data recipients MUST provide instructions for how the consumer can access further records, including the actual insights (as per Rules 1.14 and 9.5).

Consent Standards, Disclosure Consent: Non-Accredited Person Disclosure Notification, Disclosure consent: Insight records

1CO4.00.17

18

Data recipients MUST state that data disclosed to a non-accredited person will not be regulated as part of the Consumer Data Right. This information SHOULD be immediately viewable by the consumer without further interaction. Data recipients MAY include a plain and concise explanation of what this means, which MAY include information on the Consumer Data Right, and MAY include a link to the Office of the Australian Information Commissioner guidance on the Consumer Data Right.

Consent Standards, Disclosure Consent: Non-Accredited Person Disclosure Notification, Disclosure consent: CDR protections

1CO4.00.18

19

Data recipients MUST provide plain and concise information on dispute resolution and making a complaint. This SHOULD reflect the process and information contained in the data recipient’s CDR policy related to complaints. This MAY also include a link to the accredited data recipient’s CDR policy.

Consent Standards, Disclosure Consent: Non-Accredited Person Disclosure Notification, Disclosure consent: Complaints

1CO4.00.19

20

Data recipients MUST advise the consumer to review how the non-accredited person will handle their data.

Consent Standards, Disclosure Consent: Non-Accredited Person Disclosure Notification, Disclosure consent: Review

1CO4.00.20

21

If available, data recipients MAY include a link to any relevant data handling policies of the non-accredited person, such as their Privacy Policy.

Consent Standards, Disclosure Consent: Non-Accredited Person Disclosure Notification, Disclosure consent: Data handling

1CO4.00.21

22

Data recipients MUST provide the information contained in the disclosure notification otherwise than in the consent flow. This SHOULD be contained in the consumer’s CDR Receipt. This SHOULD also be accessible in the consumer dashboard as part of the data sharing arrangement details. Note 1: The information to be included is limited to the following standards: CDR Protections; Review; Data Handling; Complaints; and Insight Records. The scope of information to include will depend on the accredited person’s specific implementation. Note 2: This standard does not alter any existing rules obligations for CDR receipts or dashboards.

Consent Standards, Disclosure Consent: Non-Accredited Person Disclosure Notification, Disclosure consent: Notification record

1CO4.00.22

23

Data recipients should consider providing upfront information to onboard consumers to the insight disclosure process. CX research suggested that the inclusion of clear information increased confidence and the ability for the consumer to be informed.

CX Research: 2021 Disclosure Consent report

1CO4.00.23

27

Data recipients should explain what information will not be shared with the non-accredited person. Research suggested that clarifying this supported informed consent and confidence in the process.

CX Research: 2021 Disclosure Consent report

1CO4.00.27

28

Where appropriate, data recipients should provide assurance that actual or permission-level data will only be accessed to generate insights and won't be disclosed to the non-accredited person or any other parties.

CX Research: 2021 Disclosure Consent report

1CO4.00.28

29

As a matter of best practice, where possible, accredited data recipients and CDR representatives should show the consumer the CDR insight prior to it being disclosed. This will be unworkable in certain scenarios. However, as CX research suggested, doing this will aid comprehension and trust, and can also mitigate errors and incorrect outputs where the consumer is aware of incorrect details or insights being used.

OAIC Consumer Data Right insights | CX Research: 2021 Disclosure Consent report

1CO4.00.29

30

CX standards require data recipients to use plain and concise language to describe insights. As a guide, data recipients may consider a reading grade of at least 7, and no more than 10, using the Flesch-Kincaid formula or the Automated Readability Index.

Consent Standards, Disclosure Consent: Insight Descriptions, Insight disclosure: Insight comprehension

1CO4.00.30

31

The common disclosure consent data standards may also apply to insight disclosure consents. For more information, see the CX guidelines about 'Disclosing modified data' (in 'Accredited Persons disclosure consents')

Data Language Standards: Common | Consent Standards | CX Guidelines: Disclosure Consents, Accredited Persons disclosure consents

1CO4.00.31

32

When data is requested and accessed, language used to describe the data must be described in accordance with the relevant CX standards; • ‘Data Language Standards: Language to be used’ and ‘Data Language Standards: Detailed scope requests’ applies when describing unmodified data from data holder(s). • ‘Consent Standards, Disclosure consent: Collection source’ applies when data is from multiple parties or sources. • ‘Consent Standards, Disclosure Consent: Descriptions of Data to be Collected and Disclosed’ applies when describing any dataset.

Data Language Standards: Common | Consent Standards

1CO4.00.32

33

To describe data in easy to understand language, data recipients should have regard to the Accessibility Standards on reading experiences, with specific reference to WCAG 3.1.5, and draw from the Australian Government Style Manual on literacy and access. Data recipients should seek to, for example, describe data concisely, in plain language, with an Australian year 7 or lower readability level, and in a way that limits the use of unusual words, phrases, idioms, and jargon.

Australian Government Style Manual: Literacy and access

1CO4.00.33

34

As per the CX standards, data recipients should explain the insight's purpose. This explanation may be done at a high-level or, where known, based on how the data recipient expects the insight will be used.

CDR Rule 1.10A(3) | Consent Standards, Disclosure Consent: Insight Descriptions, Insight disclosure: Insight comprehension

1CO4.00.34

35

Where applicable, data recipients should surface external links to '.gov.au' websites to allow consumers to further read about the CDR, if desired.

CX Research: 2021 Disclosure Consent report

1CO4.00.35

36

Data recipients are encouraged to provide simple summaries, developed with the insight recipient, explaining how the disclosed insights will be handled. This summary may, for example, highlight differences between CDR and non-CDR protections

CX Research: 2021 Disclosure Consent report

1CO4.00.36

37

If the non-accredited person does not have a Privacy Policy, data recipients are encouraged to provide the consumer with other details; • to contact the non-accredited person; or • to review up-to-date information on the non-accredited person's data handling policies.

CX Research: 2021 Disclosure Consent report

1CO4.00.37

38

Data recipients are encouraged to provide links to the non-accredited person’s data handling information for the consumer to review. CX research and consultation suggested that accurate information on data handling provided by the non-accredited person would increase trustworthiness and consumer comfort.

CX Research: 2021 Disclosure Consent report

1CO4.00.38

39

Data recipients should surface information about the data deletion process: • when data will be deleted; • why data may need to be retained (e.g. business or legal reasons); • how the data will be deleted, this may include timeframes.

CDR Rule 7.2(4)(k) | CX Research: 2020 Phase 3, Round 3 report; 2021 Disclosure Consent report

1CO4.00.39

40

CX research suggested that further information on data handling, including from government sources, can aid comprehension and confidence for Sceptics, Assurance Seekers and Sensemakers. Based on these insights, data recipients are encouraged to provide a link to OAIC’s guidance on Privacy Safeguard 12, which outlines information on data security and redundant data handling.

CDR Privacy Safeguard Guidelines: Privacy Safeguard 12 | CX Research: 2021 Disclosure Consent report

1CO4.00.40

41

Data recipients should provide a message to consumers that insight generation was successful, and that the insights were successfully shared. This message should be clearly visible and shown as soon as the action has taken place. This may also be an appropriate location to display the actual insights prior to or immediately following their disclosure.

10 Usability Heuristics for User Interface Design: Visibility of system status (Nielsen)

1CO4.00.41

44

(4) An accredited person must not make: (a) the giving of an insight disclosure consent; or (b) the specification of a particular person for the purposes of paragraph (3)(a); a condition for supply of the goods or services requested by the CDR consumer.

CDR Rule 1.10A(4)

1CO4.00.44

45

(7) To avoid doubt, paragraphs (4)(a), (5)(a) and (6)(a) do not apply where the only good or service that is requested by the CDR consumer is for CDR data to be collected from a data holder and CDR insights disclosed in accordance with the insight disclosure consent.

CDR Rule 1.10A(7)

1CO4.00.45

46

CDR Representatives seeking an Insight disclosure consent should refer to CDR Rules 1.10A(5), 1.10A(6) and Division 4.3A of the CDR Rules.

CDR Rules 1.10A(5), 1.10A(6), Division 4.3A

1CO4.00.46

47

(3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information:   (c) in the case of a collection consent, use consent or disclosure consent—information about how the collection, use or disclosure indicated in a manner consistent with the requirements set out in subrule (1) complies with the data minimisation principle, including: (ii) in the case of a use consent or disclosure consent—an explanation of why that use or disclosure does not go beyond what is reasonably needed; in order to provide the requested goods or services to the CDR consumer, or to effect the permitted uses or disclosures consented to;

CDR Rule 4.11(3)(c)(ii)

1CO4.00.47

48

(1) When asking a CDR consumer to give a consent, an accredited person must: (c) seek the CDR consumer’s express consent to the matters referred to in paragraphs (a), (aa), (b) and (ba) for each relevant category of consents;

CDR Rule 4.11(1)(c)

1CO4.00.48

49

Rule 4.18 of the principal rules, as in force immediately before the commencement of the amending rules, continues to apply, on and after that commencement, to an accredited person until the coming into effect of data standards made for the purposes of paragraph 8.11(1)(fa) of the principal rules in relation to rule 4.18.

CDR Rule 503

1CO4.00.49

50

Effective from 14 July 2025: A CDR receipt provided by a data recipient MUST be given in writing otherwise than through the consumer dashboard.

Notification Standards, CDR Receipts: Delivery

1CO4.00.50

51

Data recipients should use their discretion to determine whether a step to select a non-Accredited Person is required for their service. For example, the selection step may be necessary where the data recipient offers a range persons to whom the consumer can disclose. By contrast, the selection step may not be necessary where the consumer has a pre-existing relationship with a non-Accredited Person and the data recipient can reasonably assume that the consumer is engaging their service to disclose their data to this non-AP.

CDR Rule 4.11(1)(ba)

1CO4.00.51

52

Data recipients should send CDR receipts via the consumer's preferred delivery channels, other than through the consumer dashboard.

1CO4.00.52

53

The CX Standards for CDR Receipts take effect on 14 July 2025. The existing requirements regarding CDR receipts will continue to apply until the relevant data standards are made and in effect, as per the transitional provision outlined in CDR Rule 503 (and 506 for CDR representatives). Data recipients should refer to the CDR Rules as they were in effect from 22 July 2023 to 11 November 2024 for details of their obligations with regards to CDR receipts until this date.

CDR Rules 4.18 and 503; 4.20O and 506 | Notification Standards, CDR Receipts

1CO4.00.53

01

(2A) The accredited person may also ask a CDR consumer to give a disclosure consent in relation to CDR data, either: (a) at the same time the accredited person asks the CDR consumer to give a collection consent under subrule (2) in relation to the CDR data; Note 1: Requests for collection consent, use consent and disclosure consent may be bundled together (see subrules 4.3(2) and (2A). Note 2: The CDR data may be disclosed only in accordance with the data minimisation principle: see rule 1.8.

CDR Rule 4.3(2A)(a), (Note 1), (Note 2)

1CO4.01.01

02

(4) Despite paragraph 7.5(1)(e), disclosure of a CDR insight under an insight disclosure consent is not a permitted use or disclosure if the CDR insight includes or reveals sensitive information within the meaning of the Privacy Act 1988.

CDR Rule 7.5A(4)

1CO4.01.02

03

(1) When asking a CDR consumer to give a consent, an accredited person must: (ba) in the case of a disclosure consent―either: (i) allow the CDR consumer to actively select or otherwise clearly indicate the persons to whom the CDR data may be disclosed; or (ii) seek the CDR consumer’s agreement to the persons (as presented to the CDR consumer) to whom the CDR data may be disclosed;

CDR Rule 4.11(1)(ba)

1CO4.01.03

04

(4) An accredited person must not make: (a) the giving of an insight disclosure consent; or (b) the specification of a particular person for the purposes of paragraph (3)(a); a condition for supply of the goods or services requested by the CDR consumer.

CDR Rule 1.10A(4)

1CO4.01.04

05

(7) To avoid doubt, paragraphs (4)(a), (5)(a) and (6)(a) do not apply where the only good or service that is requested by the CDR consumer is for CDR data to be collected from a data holder and CDR insights disclosed in accordance with the insight disclosure consent.

CDR Rule 1.10A(7)

1CO4.01.05

06

(1) When asking a CDR consumer to give a consent, an accredited person must: (b) in relation to the period of the collection consent, use consent, or disclosure consent (as appropriate)—either: (i) allow the CDR consumer to actively select or otherwise clearly indicate the period of consent; or (ii) seek the CDR consumer’s agreement to the period of consent (as presented to the CDR consumer) to which the consent will apply; where the period of consent is either: (iii) a single occasion; or (iv) a specified period of time; Note 2: For paragraph (b), the specified period may not be more than 12 months (or 7 years for certain consents by a CDR business consumer): see subrule 4.12(1). After the end of the period, redundant data would need to be dealt with in accordance with subsection 56EO(2) of the Act (privacy safeguard 12) and rules 7.12 and 7.13.

CDR Rule 4.11(1)(b), (Note 2) | CX Research 4, 5

1CO4.01.06

07

(1) Subject to subrule (1A), an accredited person must not specify a period of time for the purposes of paragraph 4.11(1)(b) that is more than 12 months.

CDR Rule 4.12(1) | CX Research 4, 5

1CO4.01.07

08

(3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information: (c) in the case of a collection consent, use consent or disclosure consent—information about how the collection, use or disclosure indicated in a manner consistent with the requirements set out in subrule (1) complies with the data minimisation principle, including: (i) in the case of a collection consent in relation to the provision of requested goods or services—an explanation of why that collection is reasonably needed, and relates to a time period that is no longer than is reasonably needed; in order to provide the requested goods or services to the CDR consumer, or to effect the permitted uses or disclosures consented to;

CDR Rule 4.11(3)(c)(i)

1CO4.01.08

09

(1) When asking a CDR consumer to give a consent, an accredited person must:  (a) in the case of a collection consent or a disclosure consent—either: (i) allow the CDR consumer to actively select or otherwise clearly indicate the particular types of CDR data to which the consent will apply; or (ii) seek the CDR consumer’s agreement to the particular types of CDR data (as presented to the CDR consumer) to which the consent will apply;

CDR Rule 4.11(1)(a)

1CO4.01.09

10

(1) When asking a CDR consumer to give a consent, an accredited person must: (aa) in the case of a use consent—either: (i) allow the CDR consumer to actively select or otherwise clearly indicate the specific uses of collected data to which the consent will apply; or (ii) seek the CDR consumer’s agreement to the specific uses of collected data (as presented to the CDR consumer) to which the consent will apply;

CDR Rule 4.11(1)(aa) | CX Research 2, 6

1CO4.01.10

11

(3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information: (ca) in the case of an insight disclosure consent—an explanation of the CDR insight that will make clear to the CDR consumer what the CDR insight would reveal or describe;

CDR Rule 4.11(3)(ca)

1CO4.01.11

12

(3) For these rules, an insight disclosure consent in relation to particular CDR data of a CDR consumer held by an accredited data recipient, or a CDR representative that holds the CDR data as service data, is a disclosure consent given by the CDR consumer under these rules that: (a)  authorises the accredited data recipient or CDR representative to disclose the CDR data to a specified person for one or more of the following purposes: (i)  verifying the consumer’s identity; (ii)  verifying the consumer’s account balance; (iii)  verifying the details of credits to or debits from the consumer’s accounts; but (b)  where the CDR data relates to more than one transaction—does not authorise the accredited data recipient or CDR representative to disclose an amount or date in relation to any individual transaction.

CDR Rule 1.10A(3)

1CO4.01.12

13

(3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information:   (c) in the case of a collection consent, use consent or disclosure consent—information about how the collection, use or disclosure indicated in a manner consistent with the requirements set out in subrule (1) complies with the data minimisation principle, including: (ii) in the case of a use consent or disclosure consent—an explanation of why that use or disclosure does not go beyond what is reasonably needed; in order to provide the requested goods or services to the CDR consumer, or to effect the permitted uses or disclosures consented to;

CDR Rule 4.11(3)(c)(ii)

1CO4.01.13

14

(3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information:  (a) its name;  (b) its accreditation number; 

CDR Rule 4.11(3)(a)–(b)

1CO4.01.14

15

(3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information: (g) a statement that, at any time, the consent can be withdrawn;

CDR Rule 4.11(3)(g) | CX Research 7, 32

1CO4.01.15

16

(3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information: (h) the following information about redundant data: (i) a statement, in accordance with rule 4.17, regarding the accredited person’s intended treatment of redundant data;

CDR Rule 4.11(3)(h)(i)

1CO4.01.16

17

(1) For subparagraph 4.11(3)(h)(i), the accredited person must state whether they have a general policy, when collected CDR data becomes redundant data, of: (a) deleting the redundant data; or (b) de-identifying the redundant data; or (c) deciding, when the CDR data becomes redundant data, whether to delete it or de-identify it.

CDR Rule 4.17(1) | CX Research 18

1CO4.01.17

18

(1) When asking a CDR consumer to give a consent, an accredited person must: (c) seek the CDR consumer’s express consent to the matters referred to in paragraphs (a), (aa), (b) and (ba) for each relevant category of consents;

CDR Rule 4.11(1)(c)

1CO4.01.18

19

An accredited person must give the CDR consumer a notice that complies with the data standards as soon as practicable after the CDR consumer: (a) gives the accredited person a collection consent, use consent or disclosure consent;

CDR Rule 4.18(a)

1CO4.01.19

20

Rule 4.18 of the principal rules, as in force immediately before the commencement of the amending rules, continues to apply, on and after that commencement, to an accredited person until the coming into effect of data standards made for the purposes of paragraph 8.11(1)(fa) of the principal rules in relation to rule 4.18.

CDR Rule 503

1CO4.01.20

21

In the course of seeking a consumer’s consent to disclose data as part of a disclosure consent: 1. Data Recipients MUST specify which CDR Participant(s) they collected the associated CDR data from. 2. Data Recipients SHOULD specify the sector(s) the data was collected from or associated with. Note: • Point (1) only requires the Data Recipient to refer to the CDR Participant(s) immediately preceding them in the disclosure chain, which may not always include a consumer’s Data Holder(s). • This standard is proposed to apply to all data to be disclosed by a Data Recipient, including unmodified, aggregated, derived, and transformed CDR data. • Where applicable, the existing data language standards apply to descriptions of CDR data that have not been modified.

Consent Standards, Disclosure consent: Collection source

1CO4.01.21

22

Data Recipients and Data Holders MUST use data language standards to describe data clusters and permissions in consumer-facing interactions. See the Banking and Non-Bank Lending Language section for language to be used when requesting banking and non-bank lending data; and the Energy Language section for language to be used when requesting energy data. Data language standards MUST be used when CDR data is being requested, reviewed, or access to such data is withdrawn. Data Recipients and Data Holders MUST use the appropriate data standards language for business consumers as denoted with an '*' for the relevant data. Data Recipients and Data Holders SHOULD expand on the proposed language where appropriate to communicate further details of what is being shared. Additional details MAY include additional information in context, such as in-line help or tool tips, and/or additional permissions where they may exist. Examples of permission details that MAY be used and provided as in-line help are denoted with an '†' for the relevant data.

Data Language Standards: Common, Data Language Standards: Language to be used

1CO4.01.22

23

Data recipients MAY explain how the insight will be generated using plain and concise language, which MAY include: • what method(s) would be used to generate the insight(s); • who would be involved in generating the insight(s), such as the specific actor(s); and • what information sources would be used to generate the insight, such as the specific dataset(s)

Consent Standards, Disclosure Consent: Insight Descriptions, Insight disclosure: Insight generation

1CO4.01.23

24

Data recipients SHOULD explain the purpose of generating the insight.

Consent Standards, Disclosure Consent: Insight Descriptions, Insight disclosure: Purpose of insight

1CO4.01.24

25

When seeking an insight disclosure consent, data recipients MUST provide instructions for how the consumer can access further records, including the actual insights (as per Rules 1.14 and 9.5).

Consent Standards, Disclosure Consent: Non-Accredited Person Disclosure Notification, Disclosure consent: Insight records

1CO4.01.25

26

Data recipients MUST state that data disclosed to a non-accredited person will not be regulated as part of the Consumer Data Right. This information SHOULD be immediately viewable by the consumer without further interaction. Data recipients MAY include a plain and concise explanation of what this means, which MAY include information on the Consumer Data Right, and MAY include a link to the Office of the Australian Information Commissioner guidance on the Consumer Data Right.

Consent Standards, Disclosure Consent: Non-Accredited Person Disclosure Notification, Disclosure consent: CDR protections

1CO4.01.26

27

Data recipients MUST notify consumers of redirection prior to authentication.

Consent Standards, Consent: Redirection

1CO4.01.27

28

Data recipients MUST use plain and concise language to describe what an insight would reveal or describe. Where possible and practical, the actual insight SHOULD be displayed to the consumer prior to the insight being disclosed. Where it is not possible to display the actual insight, accredited data recipients SHOULD include an example of the insight that demonstrates what the insight may reveal or describe. Accredited data recipients SHOULD make clear that any such examples are hypothetical.

Consent Standards, Disclosure Consent: Insight Descriptions, Insight disclosure: Insight comprehension

1CO4.01.28

29

Data recipients MUST specify the period the insight will refer to and MAY note when the insight will be or is expected to be generated.

Consent Standards, Disclosure Consent: Insight Descriptions, Insight disclosure: Insight timing

1CO4.01.29

30

Data recipients MUST provide plain and concise information on dispute resolution and making a complaint. This SHOULD reflect the process and information contained in the data recipient’s CDR policy related to complaints. This MAY also include a link to the accredited data recipient’s CDR policy.

Consent Standards, Disclosure Consent: Non-Accredited Person Disclosure Notification, Disclosure consent: Complaints

1CO4.01.30

31

Data recipients MUST advise the consumer to review how the non-accredited person will handle their data.

Consent Standards, Disclosure Consent: Non-Accredited Person Disclosure Notification, Disclosure consent: Review

1CO4.01.31

32

If available, data recipients MAY include a link to any relevant data handling policies of the non-accredited person, such as their Privacy Policy.

Consent Standards, Disclosure Consent: Non-Accredited Person Disclosure Notification, Disclosure consent: Data handling

1CO4.01.32

33

Data recipients MUST provide the information contained in the disclosure notification otherwise than in the consent flow. This SHOULD be contained in the consumer’s CDR Receipt. This SHOULD also be accessible in the consumer dashboard as part of the data sharing arrangement details. Note 1: The information to be included is limited to the following standards: CDR Protections; Review; Data Handling; Complaints; and Insight Records. The scope of information to include will depend on the accredited person’s specific implementation. Note 2: This standard does not alter any existing rules obligations for CDR receipts or dashboards.

Consent Standards, Disclosure Consent: Non-Accredited Person Disclosure Notification, Disclosure consent: Notification record

1CO4.01.33

34

Effective from 14 July 2025: A CDR receipt provided by a data recipient MUST be given in writing otherwise than through the consumer dashboard.

Notification Standards, CDR Receipts: Delivery

1CO4.01.34

35

Data recipients should consider providing upfront information to onboard consumer to the insight disclosure process. CX research suggested that the inclusion of clear information increased confidence and the ability for the consumer to be informed.

CX Research: 2021 Disclosure Consent report

1CO4.01.35

36

Data recipients should use their discretion to determine whether a step to select a non-Accredited Person is required for their service. For example, the selection step may be necessary where the data recipient offers a range persons to whom the consumer can disclose. By contrast, the selection step may not be necessary where the consumer has a pre-existing relationship with a non-Accredited Person and the data recipient can reasonably assume that the consumer is engaging their service to disclose their data to this non-AP.

CDR Rule 4.11(1)(ba)

1CO4.01.36

37

Data recipients should explain what information will not be shared with the non-accredited person. Research suggested that clarifying this supported informed consent and confidence in the process.

CX Research: 2021 Disclosure Consent report

1CO4.01.37

38

Where appropriate, data recipients should provide assurance that actual or permission-level data will only be accessed to generate insights and won't be disclosed to the non-accredited person or any other parties.

CX Research: 2021 Disclosure Consent report

1CO4.01.38

39

Data recipients may choose to present data holder selection screens before or after the terms of consent.

1CO4.01.39

40

While data recipients may choose to present the data holder selection screens before or after the terms of consent, for disclosure consents recipients must ensure they meet the CX Standard Disclosure consent: Collection source as part of the terms of consent. In some instances, this may require the data holder selection to be presented upfront.

Consent Standards, Disclosure consent: Collection source

1CO4.01.40

41

Data recipients should present data holder brands in a way that is intuitive and allows consumers to search, sort and filter.

CX Research: Other 2025 (unpublished) | 10 Usability Heuristics for User Interface Design (Nielsen): Match Between the System and the Real World; Flexibility and efficiency of use

1CO4.01.41

42

Data recipients should list data holder brands in an easily scannable way. This can be done alphabetically or contextually (for example, starting with popular data holders).

10 Usability Heuristics for User Interface Design: Flexibility and efficiency of use (Nielsen)

1CO4.01.42

44

CDR Representatives seeking an Insight disclosure consent should refer to rules 1.10A(5), 1.10A(6) and Division 4.3A of the CDR Rules.

CDR Rules 1.10A(5), 1.10A(6), Division 4.3A

1CO4.01.44

45

Data recipients will need to explain how the time period complies with the data minimisation principle (DMP). This is required for data that is yet to be generated (e.g. for an ongoing consent) as well as historical data (e.g. for collection on a 'single occasion'). Example DMP statement for data that is yet to be generated: We need to collect and use your data for 12 months so [we can update your financial position in real-time] to [deliver accurate and tailored personal financial management]. Example DMP statement for historical data: We need to collect the last 12 months of your data so [we can assess seasonal changes] to [provide an accurate energy comparison].

CDR Rule 4.11(3)(c), 1.8 | OAIC Chapter C: Consent (Data minimisation principle) | CX Research 1, 3

1CO4.01.45

46

CX standards require data recipients to use plain and concise language to describe insights. As a guide, data recipients may consider a reading grade of at least 7, and no more than 10, using the Flesch-Kincaid formula or the Automated Readability Index.

Consent Standards, Disclosure Consent: Insight Descriptions, Insight disclosure: Insight comprehension

1CO4.01.46

47

As per the CX standards, data recipients should explain the insight's purpose. This explanation may be done at a high-level or, where known, based on how the data recipient expects the insight will be used.

CDR Rule 1.10A(3) | Consent Standards, Disclosure Consent: Insight Descriptions, Insight disclosure: Insight comprehension

1CO4.01.47

48

Data recipients should also include a link to their specific page on www.cdr.gov.au/find-a-provider for accreditation verification purposes.

1CO4.01.48

49

Data recipients should make the consent process as easy to understand as possible. Data recipients should nudge consumers to be more privacy conscious and should use appropriate interventions to mitigate cognitive overload, facilitate comprehension, and provide transparency and consumer control. This can be done in a variety of ways, including through the use of design patterns like progressive disclosure, micro and/or descriptive copy, and with the use of microinteractions.

CX Research 8, 19

1CO4.01.49

50

Data recipients are encouraged to provide simple summaries, developed with the insight recipient, explaining how the disclosed insights will be handled. This summary may, for example, highlight differences between CDR and non-CDR protections

CX Research: 2021 Disclosure Consent report

1CO4.01.50

51

When data is requested and accessed, language used to describe the data must be described in accordance with the relevant CX standards; • ‘Data Language Standards: Language to be used’ and ‘Data Language Standards: Detailed scope requests’ applies when describing unmodified data from data holder(s). • ‘Consent Standards, Disclosure consent: Collection source’ applies to any data collected, but can be stated once where the collection source is the same for all data. • ‘Consent Standards, Disclosure Consent: Descriptions of Data to be Collected and Disclosed’ applies when describing any dataset. 

Data Language Standards: Common | Consent Standards

1CO4.01.51

52

To build consumer trust and confidence, data recipients should surface information about data deletion. This may include details from their CDR policy, as stated in CDR Rule 7.2(4)(k), and a link to read the policy. CX research highlighted the importance of including: • when data will be deleted; • why data may need to be retained (e.g. business or legal reasons); • how the data will be deleted, this may include timeframes.

CDR Rule 7.2(4)(k) | CX Research: 2019 Phase 1 report; 2019 Phase 2, Stream 3 report; 2020 Phase 3, Round 3 report; 2021 Disclosure Consent report

1CO4.01.52

53

Where applicable, data recipients should surface external links to '.gov.au' websites to allow consumers to further read about the CDR, if desired.

CX Research: 2021 Disclosure Consent report

1CO4.01.53

54

CX research suggested that further information on data handling, including from government sources, can aid comprehension and confidence for Sceptic, Assurance Seeker and Sensemaker behavioural archetypes. Based on these insights, data recipients are encouraged to provide a link to OAIC’s guidance on Privacy Safeguard 12, which outlines information on data security and redundant data handling.

CDR Privacy Safeguard Guidelines: Privacy Safeguard 12 | CX Research: 2021 Disclosure Consent report

1CO4.01.54

55

If the non-accredited person does not have a Privacy Policy, data recipients are encouraged to provide the consumer with other details; • to contact the non-accredited person; or • to review up-to-date information on the non-accredited person's data handling policies.

CX Research: 2021 Disclosure Consent report

1CO4.01.55

56

Data recipients are encouraged to provide links to the non-accredited person’s data handling information for the consumer to review. CX research and consultation suggested that accurate information on data handling provided by the non-accredited person would increase trustworthiness and consumer comfort.

CX Research: 2021 Disclosure Consent report

1CO4.01.56

57

Data recipients should provide a message to consumers that insight generation was successful, and that the insights were successfully shared. This message should be clearly visible and shown as soon as the action has taken place. This may also be an appropriate location to display the actual insights prior to or immediately following their disclosure.

10 Usability Heuristics for User Interface Design: Visibility of system status (Nielsen)

1CO4.01.57

58

As a matter of best practice, where possible, accredited data recipients and CDR representatives should show the consumer the CDR insight prior to it being disclosed. This will be unworkable in certain scenarios. However, as CX research suggested, doing this will aid comprehension and trust, and can also mitigate errors and incorrect outputs where the consumer is aware of incorrect details or insights being used. When possible and practical, data recipients should allow the consumer to review their actual insight(s) before it is disclosed to the non-accredited person. Data recipients should also provide the consumer with the option to: • deny disclosure; • amend insights or data clusters; • confirm disclosure.

OAIC Consumer Data Right insights | CX Research: 2021 Disclosure Consent report

1CO4.01.58

59

Data recipients should send CDR receipts via the consumer's preferred delivery channels, other than through the consumer dashboard.

1CO4.01.59

60

As per CDR Rule 4.18, data recipients are required to provide CDR receipts. Where separate consents are granted in a single flow, data recipients may provide a single CDR receipt that contains the details of each consent, or separate CDR receipts per consent. The CX Guidelines demonstrate two examples of intuitive groupings for CDR receipts: 1. collection and use consent details in one CDR receipt, and disclosure consent details in a separate CDR receipt; 2. consolidated receipt for collection, use and disclosure. Data recipients should use their discretion when grouping CDR receipts. Data recipients may consider aligning to how the consents were granted to match the consumers' mental model.

CDR Rule 4.18

1CO4.01.60

61

The CX Standards for CDR Receipts take effect on 14 July 2025. The existing requirements regarding CDR receipts will continue to apply until the relevant data standards are made and in effect, as per the transitional provision outlined in CDR Rule 503 (and 506 for CDR representatives). Data recipients should refer to the CDR Rules as they were in effect from 22 July 2023 to 11 November 2024 for details of their obligations with regards to CDR receipts until this date.

CDR Rules 4.18 and 503; 4.20O and 506 | Notification Standards, CDR Receipts

1CO4.01.61

62

Data holders and data recipients MUST state in consumer-facing interactions and communications that third parties do not need consumer passwords to access CDR data. The exact phrasing of this is at the discretion of the data holder and data recipient. Note: In this context, 'third parties' refers to entities on the ADR-side and does not include any third parties that the data holder may engage.

Authentication Standards, Common Authentication Standards, Authentication: Passwords

1CO4.01.62

63

Data recipients MUST implement Redirect to App in accordance with the relevant consumer experience authentication and security profile standards. Data recipients MAY implement Redirect to App ahead of the date specified in the Future Dated Obligations schedule. Note: As per the future dated obligation schedule, data recipients subject to this standard are required to implement Redirect to App on and from 10 May 2027.

Authentication Schedule, Redirect to App, Data Recipients

1CO4.01.63

64

Where Redirect to App is unable to be used for the purposes of CDR authentication: • Data recipients MAY provide decoupled consent experiences that facilitate separation of the Consumption Device from the authorisation flow. • Data holders MAY provide decoupled authorisation experiences that facilitate separation of the Consumption Device from the Authentication Device. If implemented, data holders and data recipients MUST support decoupled authentication in accordance with any relevant consumer experience authentication and security profile standards.

Authentication Schedule, Decoupled Authentication

1CO4.01.64

65

Data recipients should populate the data holder/provider selection list using the data holder brandName field provided in the CDR Register APIs. For additional guidance on surfacing brand names and brand groups, see the CX Guidelines on Consent: Collection and use consents - Provider selection for white labeled brands.

CDR Support Portal: Brands in the CDR ecosystem

1CO4.01.65