ACCC & DSB | CDR Implementation Call Agenda & Meeting Notes | 10th of November 2022
When: Weekly every Thursday at 3pm-4:30pm AEDT
Location: Microsoft Teams
Meeting Details: Join on your computer, mobile app or room device Click here to join the meeting
Meeting ID: 446 019 435 001
Passcode: BU6uFg
Download Teams | Join on the web
Join with a video conferencing device
[email protected]
Video Conference ID: 133 133 341 4
Alternate VTC instructions
Or call in (audio only)
+61 2 9161 1229,,715805177# Australia, Sydney
Phone Conference ID: 715 805 177#
Find a local number | Reset PIN
Learn More | Meeting options
- Introductions
- Actions
- CDR Stream updates
- Presentation
- Q&A
- Any other business
- 5 min will be allowed for participants to join the call.
We acknowledge the Traditional Custodians of the various lands on which we work today and the Aboriginal and Torres Strait Islander people participating in this call.
We pay our respects to Elders past, present and emerging, and recognise and celebrate the diversity of Aboriginal peoples and their ongoing cultures and connections to the lands and waters of Australia.
The Consumer Data Right Implementation Calls are recorded for note taking purposes. All recordings are kept securely, as are the transcripts which may be made from them. No identifying material shall be provided without the participant's consent. Participants may [email protected] should they have any further questions or wish to have any material redacted from the record.
By participating in the Consumer Data Right Implementation Call you agree to the Community Guidelines. These guidelines intend to provide a safe and constructive space for members to discuss implementation topics with other participants and members of the ACCC and Data Standards Body.
| Type | Topic | Update |
|---|---|---|
| Standards | Version 1.20.0 Published on 3rd of November 2022 | Link to change log here |
| Maintenance | Maintenance Iteration 13 underway | Met 26th of October 2022 and the agenda for the meet is here) |
| Maintenance | Decision Proposal 272 - Maintenance Iteration 13 | Changes, meeting notes and updates for the iteration can be found here |
| TSY Newsletter | To subscribe to TSY Newsletter | Link here |
| DSB Newsletter | To subscribe to DSB Newsletter | Link here |
| TSY Newsletter | 3rd of November 2022 | View in browser here |
| DSB Newsletter | 4th of November 2022 | View in browser here |
| Consultation | Normative Standards Review (2021) | No Close Date Link to consultation |
| Consultation | Decision Proposal 229 - CDR Participant Representation | Placeholder: no close date Link to consultation |
| Noting Paper | Noting Paper 255 - Approach to Telco Sector Standards | Link to consultation |
| Noting Paper | Noting Paper 258 - Independent Information Security Review | Link to consultation |
| Consultation | Decision Proposal 267- CX Standards Telco Data Language Feedback closed: 15th of September 2022 Thanks to those who provided feedback on DP267 by 15th September. With the v5 rules out for consultation, the DSB will leave this issue open for comments while considering existing feedback and developing version 2 of DP267, which is expected to be published for consultation in October. |
Link to consultation |
| Survey | The Data Standards Body invite the CDR Community to provide feedback on the different Engineering Tools and platforms. | Link to survey |
| Workshop | Save the date, for a workshop! Treasury and the DSB are considering opportunities to simplify the rules and standards to support a better CDR consumer experience while maintaining key consumer protections. To support this work, a virtual workshop will be held on Tuesday 22nd November, and an accompanying noting paper will be available on GitHub (see Noting Paper 273). This workshop will be of interest to current and prospective data recipients, data holders, consumer advocates, industry representatives, and other parties interested in the evolution of the consent model. Participants will be given the opportunity to comment on possible consent model changes in an interactive session. This workshop will be conducted virtually using Miro to support remote participation. We encourage stakeholders to save the date and ensure they can access the Miro platform on the day. |
Register here for the workshop. |
Provides a weekly update on the activities of each of the CDR streams and their stream of work
| Organisation | Stream | Member |
|---|---|---|
| ACCC | CDR Register | Emma Harvey |
| ACCC | CTS | Andrea Gibney |
| DSB | CX Standards | Michael Palmyre |
| DSB | Technical Standards - Banking & InfoSec | Mark Verstege |
| DSB | Technical Standards - Energy | Hemang Rathod |
| DSB | Technical Standards - Telecommunications | Brian Kirkpatrick |
| DSB | Technical Standards - Register | James Bligh |
| DSB | Engineering | Sumaya Hasan |
No planned presentation this week.
Questions will be received by the community via WebEx chat before the questions are opened to the floor. Participants can submit questions outside of the CDR Implementation Call to the CDR Support Portal.
In regards to topics for questions, we ask the participants on the call to consider the Community Guidelines when posing questions to the subject matter experts.
| Ticket # | Question | Answer |
|---|---|---|
| 551 | I would like to get clarification on a few topics related to data correction: 1) In this article https://cdr-support.zendesk.com/hc/en-us/articles/900004795243 it is mentioned that currently there are no standards to support the data holders’ obligation to resend corrected data and that the optimum process for how these re-disclosures will happen is under development. Could you please indicate when this process will be released to CDR participants and how long we will have to implement this process once it is decided? 2) Do the obligations in clauses 7.10 and 7.15 of the CDR Rules relate to one off consents, expired/withdrawn consents and customers who are not eligible anymore? If yes could you detail what is expected from data holders in these cases especially: • Are data holders expected to re-share data when a current consent is not in place? • Are data holders expected to correct data in relation to customers who have meanwhile closed all accounts with the DH and are not a customer anymore? • Are data holders expected to inform ex-customers that data shared when they were customers was incorrect at the time of sharing? • Are data holders expected to notify customers that incorrect data was shared and re-share the data in relation to closed accounts of existing customers? Many of these scenarios are at odds with other clauses of the CDR Rules or are impractical. 3) Do obligations in clauses 7.10 and 7.15 cease after 6 years or how long should a data holder be prepared to meet them? 4) Clause 7.15(b)(ii) requires data holders to include a statement with the data and attach an electronic link with the data. • Are data holders expected to share this statement and a link to the statement when re-disclosing the data to data recipients? If yes, when will data standards be developed to support sharing them? • Could you provide real life examples of such a statement and how an electronic link will be attached |
The optimum process for these re-disclosures is still being considered by CDR agencies. Any changes to the development of the Rules and Standards for Privacy Safeguards 11 and 13 to facilitate this process will be subject to a consultation process. This process would also determine the compliance dates for the relevant Rules and Standards. The obligations arising from Privacy Safeguard 11 and 13 apply to data holders who are required or authorised to disclose CDR data under the CDR Rules. Under the CDR Rules these obligations are not limited in time and are also not limited to open/active accounts, or those with a current authorisation in place. However we note that, in the case of Privacy Safeguard 13, obligations only arise where a consumer has also requested that a data holder correct their CDR data. The requirement to, where practicable, attach an electronic link to a digital record of the data as specified in rule 7.15(b)(ii) helps to ensure that any qualifying statement included with the data is clear to those who access the data. An entity’s systems should be set up so that the data cannot be accessed without the correction statement or a link to that statement being immediately apparent. For more information on Privacy Safeguards 11 and 13, please refer to chapter 11 and chapter 13 of the OAIC’s Privacy Safeguard Guidelines. |
| 1521 | The response from the Office of the Australian Information Commissioner in Feb 2021 was noted. We also note that there is no CX guidance that addresses 1.15(3)(g), as per this article https://cdr-support.zendesk.com/hc/en-us/articles/900004502046-Data-holder-dashboards-disclosure-on-consent. We are reopening this ticket as we seek clarification to the second part of our initial query:- If Rule 1.15(3)(g) is not optional, can you clarify whether the intention [for the rule to update the dashboard] is to provide another method for the customer to view the notice required under s7.10(1)? A Data Holder is unable to push corrected data/info to an accredited person, and relies upon the customer to reauthorise (for one-off consents) or the ADR to call the relevant APIs (for long-lived consent) and this has been reflected in this ACCC guidance (https://cdr-support.zendesk.com/hc/en-us/articles/900004795243-Note-on-privacy-safeguard-11-). Hence a Data Holder will not be able to distinguish or record whether an authorisation/API call is for a correction or for other purpose. |
CDR Rules 1.15(3)(g) and 7.10(1) create distinct data holder obligations. Including the CDR Rule 7.10 notice on the consumer dashboard would not, on its own, satisfy the data holder’s obligation under CDR Rule 1.15(3)(g). This is because the information that must be included on the dashboard under CDR Rule 1.15(3)(g) is different from the information required in a CDR Rule 7.10 (Privacy Safeguard 11) notice. The obligations in CDR Rules 1.15(3) and 7.10 also arise at different times (i.e. after and before the disclosure of corrected data respectively). As noted in the previous response to this ticket, CDR Rule 1.15(3) creates an obligation for data holders to provide all CDR consumers with a dashboard that contains certain information (this is not optional). In particular, CDR Rule 1.15(3)(g) requires the dashboard to contain the fact that a disclosure related to an authorisation was made pursuant to a request under subsection 56EN(4) (i.e. Privacy Safeguard 11). In other words, where the data holder has disclosed CDR data in response to a request from a CDR consumer under Privacy Safeguard 11 (and the related CDR Rules), the data holder must include that fact on the consumer dashboard. This obligation arises when corrected data is re-disclosed. Separately, CDR Rule 7.10 requires data holders who have disclosed CDR data that was incorrect at the time of disclosure to provide the consumer with a compliant written notice. Among other things, that notice must advise the consumer that they can request the corrected data be re-disclosed to the original recipient of the incorrect data. Providing this CDR Rule 7.10 notice on the consumer dashboard could not satisfy CDR Rule 1.15(3)(g). This is because the CDR Rule 7.10 notice will not include the fact that corrected data has been re-disclosed (because such re-disclosure is only with required on the consumer’s request, after the consumer has been informed that incorrect data was disclosed). |
View a number of informative and useful links in the Consumer Data Standards Guide on Information Links.
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
|
 |
 |