Disclosure Consent Research Report (Q4 2021, R1-2)

Published

Apr 4, 2022

‣

Table of Contents

Executive summary

This report contains findings and recommendations based on two rounds of qualitative CX research conducted in November 2021. Fourteen participant consumers were engaged in 1:1 research sessions that ran for 90 minutes each. Prototypes of the Insight Disclosure Consent flow were used to facilitate discussion and generate insights in relation to disclosure consents more generally. The purpose of this research was to inform standards development for Insights and Trusted Adviser Disclosure Consents.

It was hypothesised that if we present the below information to the consumer in relation to insights, data clusters, and data handling statements, then we can support informed disclosure consents:

‣

Hypothesis 1 - Insight descriptions

‣

Hypothesis 2 - Disclosure notifications

The CX research in both rounds strongly validated the hypotheses that underpinned the DP222 options.

This research was informed by earlier consultation and research conducted in 2020 and 2021 including the following:

Noting Paper 207 consultation
Draft v2 Rules consultation (see concepts 5.1: TA disclosures and 5.2: Insight disclosures)
Draft v3 Rules consultation
CX research (see research brief and summary of preliminary research on draft v2 rules)
Consumer Policy Research Centre (CPRC) report: Vulnerability, capability, opportunity

Full details on the public consultation and final decision proposal outcome can be found on Decision Proposal 222 - CX Standards | Insights and Trusted Adviser Disclosure Consents.

‣

About the Consumer Data Right

‣

CX resources and engagement

Research approach

As part of our work to provide intuitive, informed, and trustworthy data sharing experiences, we tested concepts that explored how consumers might consent to disclosing data to a non-accredited person. Participants were given the scenario of applying for a new rental property, where they were offered the option to consent to sharing data insights from their bank with a real estate agent in an effort to bypass a number of manual processes.

‣

Goals

‣

Approach

‣

Hypothesis

‣

Key objectives

‣

Who did we research with?

‣

What did we do?

‣

What did we test?

Findings

What did we learn?

The participants in our research demonstrated various expectations and needs relating to comprehension and transparency.

The CX research in both rounds strongly validated the hypotheses that underpinned the DP222 options.

These findings strongly validated the DP222 hypotheses and generated significant insights in relation to key research questions, summarised below.

Hypothesis 1 - Insight descriptions

What will the insight tell the non-AP?

‣

Insight definition

‣

Insight example and actual insights

‣

Transparency and choice

Recommendations

Insights should be described using plain and concise language that seeks to achieve year 7 readability level. Where possible, the actual insight should be displayed.

ADRs should provide an insight example for consumers. When appropriate, the insight example may reflect use case criteria or be genericised, i.e.

Use case specific- "Based on the last 6 months, average monthly income is over $5,000."
Generic- "Based on [timeframe], average [criteria] is [value]."

ADRs should explain what information will not be disclosed to the non-accredited person.

ADRs should provide options or other means for the consumer to provide context or supply additional information around their insights. This may be provided as:

additional text field;
option to manually upload or email other documents;
option to build insights using multiple DHs.

When will the insight be generated and what period will it refer to?

‣

Time of generation

‣

Data relating to a specified time period

‣

How and when actual insights will be disclosed

Recommendations

The period the insight will refer to and when the insight will or is expected to be generated should be noted.

ADRs should provide upfront information regarding:

when insights might be generated and disclosed;
why insights require data from specified time period;
what is the required time period;
how actual insights might be reviewed and disclosed.

ADRs should provide assurance that consent is always required before generating and disclosing insights.

Why will the insight be generated?

‣

Purpose

Recommendations

Where known, ADRs should explain why the non-accredited person requires the insight.

ADRs should provide transparency around:

why insights would be generated;
how non-accredited persons may use the insight

How will the insight be generated?

‣

Questions raised

‣

What method would be used

‣

What sources would be used

‣

Who would generate the insights

Recommendations

An explanation should be included regarding how the insight will be generated. Where possible, the method used (e.g. AI), who will generate the insight (e.g. actor), and sources used to generate the insight (e.g. datasets, ledger) should be specified.

ADRs should provide upfront and contextual information about how insights are generated. This may include:

what method would be used;
what sources would be used;
who would generate the insights;
why data clusters and permissions are needed for insight generation.

ADRs should provide assurance that actual or permission-level data will only be accessed by them to generate insights and won't be disclosed to the non-accredited person or any other parties.

Hypothesis 2 - Disclosure notifications

What regulations and protections do or do not apply to disclosed data?

‣

Overall

‣

ADR vs non-accredited person regulations and protections

‣

Non-accredited person data handling

‣

Data handling and access

‣

Stopping data sharing and data deletion

‣

External references

Recommendations

Information on the Consumer Data Right should be included. Also, the fact that data disclosed to non-accredited persons will not be regulated as part of the Consumer Data Right should be provided, with advice that the consumer review how their data will be handled when available. This could include privacy policy links and information about the Privacy Act.

ADRs should surface information about CDR protections. This may include:

how data is being stored;
who would have access to it

ADRs could also provide a summary of the differences between the ADR and non-accredited person protections.

ADRs should surface information about the data deletion process:

when data will be deleted;
why data may need to be retained (e.g. business or legal reasons);
how the data will be deleted, this may include timeframes

Where applicable, ADRs should surface external links to '.gov.au' websites to allow consumers to do further reading about the CDR.

Where can insights be reviewed and accessed?

‣

Where to review and access insights

‣

Where to review insights

Recommendations

Instructions for how the consumer can access records pertaining to insights via their consumer dashboard should be provided. The information contained in the disclosure notification should also be contained in the consumer’s CDR Receipt.

Whenever possible, ADRs should provide the consumer with the ability to review the actual insights within the Consent Flow, before they are disclosed to the non-accredited person. ADRs should also provide the consumer with the option to amend insights and/or data clusters.

Where can someone go for help if there’s a problem?

‣

Where to make a complaint

‣

Turning to the CDR

Recommendations

Information on making a complaint and dispute resolution should be provided, and should include a link to the ADR’s CDR policy related to complaints.

ADRs should provide information around how complaints can be made. This may be presented once or multiple times throughout the Consent Model:

during Pre-consent, where consumers might have the option to select the CDR process;
during Consent, contextually alongside data protection and/or data deletion information;
within the Consent Flow, prior to disclosure to the non-accredited person;
within the CDR receipt.

‣

Informed Consent and Comprehension

‣

Behavioural Archetypes

‣

Fogg Behaviour Model

Takeaways

The findings from this research strongly validated the hypotheses that underpinned the DP222 consultation. These findings were published to the community as part of the DP222 consultation and informed the development of insight and trusted adviser consent standards.

Consumer Experience Guidelines for insights and trusted adviser disclosure consents were also shaped by this research, including insights and recommendations that may not have been incorporated into the final standards but nevertheless reflect best practice and consumer expectations.

NB: This report does not necessarily reflect the position or direction of the government or the Data Standards Body. Recommendations found within these reports represent a set of possibilities that will be reviewed and considered and are subject to change. Reports will inform rules and data standards development but should not be seen as indicative of the CDR’s direction.

Quick links to CX Guidelines:

Overview

Consent

Authenticate

Authorise

Consent Management

Notifications

Accessibility statement

→ cx@dsb.gov.au → cx.dsb.gov.au | cds.gov.au

The Consumer Data Standards Program is part of Treasury. Copyright © Commonwealth of Australia 2023. The information provided on this website is licensed for re-distribution and re-use in accordance with Creative Commons Attribution 4.0 International (CC-BY 4.0) Licence.