Photo by Curtis MacNewton on Unsplash

Consumer Data Standards: Overview

The Australian government is introducing a Consumer Data Right to give consumers greater control over their personal data.

Data61 has been appointed as the Consumer Data Standards (CDS) team by Treasury to develop standards for the Consumer Data Right (CDR). These standards will enable consumers to access and direct the sharing of data about them with third parties flexibly and simply, and in ways that ensure security and trust in how that data is being accessed and used. The Australian Competition and Consumer Commission (ACCC) will be the lead regulator for the CDR with support from Data61 and the Office of the Australian Information Commissioner (OAIC). Data61’s work includes validating the technical workstreams and putting into effect the ACCC’s Rules.

Introducing a Consumer Data Right requires the creation of common technical standards that make it easier and safer for consumers to access data held about them by businesses, and — if they choose to — share this data via application programming interfaces (APIs) with trusted, accredited third parties. The Consumer Data Right will first be implemented in the financial sector before expanding into the energy sector, followed by telecommunications, and then intended to apply sector by sector before applying economy-wide. A precedent for the Consumer Data Right was set with the implementation of Open Banking in the UK, and the Consumer Data Right has looked to their implementation for reference.

The Consumer Data Standards Workstreams

The work on technical standards is supported by an interim Advisory Committee. The Advisory Committee, spanning representatives from the financial sector, FinTechs, consumer groups, energy and telecommunications representatives and software vendors, has been appointed for a period of 12 months commencing in July 2018. Its role has been to provide guidance and feedback on the development of the technical standards, while rules and legislation are developed in parallel.

The Data61 workstreams currently underway are:

• API standards: drafting and validating API standards being developed
• Information security: defining the information security profile supporting API standards, and authentication and authorisation flows
• Consumer Experience: articulating best practice language and design patterns for organisations seeking consent from consumers to access their data, and providing guidance on the user experience of authentication and authorisation.
• Engineering: technical delivery including a functional demonstration of the Standards using Reference Implementations; a Conformance tool for data holders; and a Sandbox for developers.

The Consumer Experience Workstream

The API standards, Engineering, and Information Security workstreams have operated primarily through GitHub. The Consumer Experience (CX) workstream will rely more heavily on publication through consumerdatastandards.org.au and our Medium publication to help make the work more accessible to non-technical audiences and the general public.

The ultimate aim of the CX workstream is to help organisations provide consumers accessing their rights under the CDR with a trusted and usable consent experience. This involves the development of design requirements and guidelines for organisations seeking consent from consumers and facilitating authorisation and authentication under the Consumer Data Right that meet the ACCC’s standards for consent.

The ultimate aim of the CX Workstream is to help organisations provide consumers with a trusted and usable data sharing experience.

A successful consumer experience will result in a clear way in which consumers can:

• Understand what they are consenting to and why their data is being requested
• Understand the scope and meaning of the data they are sharing, and how it will be used
• Understand and trust who will have access to their data and the duration of that access
• Understand how data sharing can be managed and revoked
• Understand the implications of revocation
• Feel confident and informed about the sharing of their data
• Understand how to navigate authentication, revocation, management, and reauthorisation

The ACCC sets the rules surrounding the implementation of the Consumer Data Right and provides the framework within which the Data Standards Body and the Consumer Experience Workstream operates. The ACCC has proposed requiring the Data Standards Body to develop standards relating to the design of consent screens and permissions, the experience of authentication and authorisation, and making testing of consumer comprehension of consent be required as part of the standards-setting process.

Scope of the CX Workstream

The key output of the CX Workstream will come in the form of CX Guidelines, which will provide data recipients and data holders with standards and guidance for seeking and receiving consent from consumers. The Consent Model represents the current scope of the CX Workstream. ‘Consent Model’ refers to:

The Consent Flow

• Consent (the data recipient requesting that consumer data be shared)
• Authentication (the consumer authenticating with the data holder)
• Authorisation (the consumer authorising the data holder to share the requested data with the data recipient)

Consent Management

• A consent management dashboard hosted by the data recipient
• An authorisation management dashboard hosted by the data holder
• A dashboard may manage both consent and authorisation if the host is a data holder and a data recipient
• A 90 day notification alerting the consumer to ongoing consent.

Revocation

• Withdrawing the consent/authorisation of data sharing
• It is expected that this will occur via the consent/authorisation management dashboard(s)

Reauthorisation

• Consent durations will last up to 12 months, and consumers will need to reauthorise data sharing prior to the agreement expiring if they wish to continue sharing CDR data with a data recipient.
• It is expected that a simplified version of the Consent Flow will be presented to the consumer to achieve this.

The CX Workstream will provide guidance and advice on interrelated items within this scope, but this work will also help inform the broader consent ecosystem. While trust and privacy are not the remit of the Consumer Data Standards body, it is expected that this research will reveal insights into these areas that may inform other CDR programs and developments.

Following advice in the the Farrell report, the CX Workstream has looked to the UK implementation of Open Banking and their accompanying CX Guidelines for reference. Drafts of the CX Guidance will be published for feedback as they are developed.

The ACCC Rules on Consent

The ACCC Rules propose a number of requirements in relation to consent, within which the practical guidance on consent design must sit.

For consent to be valid, it must meet the following requirements:
a. Consent must be voluntary, express, informed, specific as to purpose, time limited and easily withdrawn.
b. An accredited data recipient must not make consent a precondition to obtaining another unrelated product or service. The collection of CDR data must be reasonably necessary or required to provide the service the accredited data recipient is offering.
c. An accredited data recipient must not bundle consent with other directions, permissions, consents or agreements.
d. An accredited data recipient must present each consumer with an active choice to give consent, and consent must not be the result of default settings, pre-selected options, inactivity or silence.

A request for consent must be presented to a consumer using language and/or visual aids that are concise and easy to understand. An accredited data recipient must provide consumers with a straightforward process to withdraw consent and provide information about that process to each consumer prior to receiving the consumer’s consent.

Consent must also be voluntary and consistent with the OAIC’s Australian Privacy Principles guidelines on voluntary consent. Consent is voluntary if an individual has a genuine opportunity to provide or withhold consent. Consent is not voluntary where duress, coercion or pressure is applied by any party involved in the transaction.

Factors relevant to deciding whether consent is voluntary include:
- the alternatives open to the individual if they choose not to consent
- the seriousness of any consequences to the individual if they choose not to consent
- any adverse consequences for family members or associates of the individual if the individual chooses not to consent.

Breaches of the specific ACCC Rules, in addition to any of the privacy safeguards, can attract civil penalties up to an amount specified in the Rules, capped at, for individuals, $500,000, or for corporations, the greater of $10,000,000; three times the total value of benefits that have been obtained; or 10% of the annual turnover of the entity committing the breach.

The CX Workstream Approach

To put the ACCC Rules into effect and to achieve the CX objectives, the CX workstream will be research-driven and informed by community consultation. We will engage with consumer groups, data holders and data recipients using email newsletters, blog posts, workshops, and ongoing sharing of research findings and preliminary recommendations for wider feedback.

The CX Workstream will also engage with participants considered to be vulnerable or in vulnerable circumstances, and seek diversity in research recruitment so that a wide range of scenarios, participants, and needs can be better understood and inform the development of the CX Guidelines.

A human-centred design approach will be adopted to create solutions that are useful, usable, and that will be used. This means that where timeframes and process allow it, we will begin with an investigation of the problem space to generate insights; solutions will be co-designed through community consultation; and any proposed solutions will be tested and refined before they are recommended as a standard. This approach will often be non-linear. More information on the human-centred design approach can be found here.

Keep in touch

These blog posts will provide you with a variety of updates on the Consumer Experience (CX) Workstream. The focus will be on outwardly communicating the work we’re doing to create standards for the Consumer Data Right.

You can sign up to our mailing lists here; find past updates here; and find other information on the Consumer Data Standards website. The other technical workstreams also have an online presence on GitHub.

If you would like to participate in any of our discussions across the four streams or provide any feedback, you can do so via email to cdr-data61@csiro.au.

The Consumer Data Standards Team have a very busy year ahead and we look forward to your participation and support!