Updated April 9, 2024
This section provides guidelines for data holder dashboards, where consumers manage their authorisations.
Overview
The consumer dashboard enables a consumer to review and manage their authorisations, which are also referred to as sharing arrangements in some consumer-facing designs.
The consumer dashboard allows consumers to see a list of all the CDR participants they are sharing data with, and the specific sharing arrangements they have with them.
Wireframes and guidelines
Default example
The following wireframes show a basic example of a data holder dashboard. Variations can be found in the sections below.
Note: Some interactions and screens have been omitted for simplicity.
Single occasion disclosure
The following wireframes show an example of how authorisations for single occasion and ongoing collection may be displayed in data holder dashboards.
Wireframe ref | Type | Requirement level | Statement | Reference | Checklist ref | Focus area |
---|---|---|---|---|---|---|
01 | CDR Rule | MUST | (3) For paragraph (1)(b) and paragraph (5)(a), the information is the following for each authorisation:<br>(b) when the CDR consumer gave the authorisation;<br>(c) the period for which the CDR consumer gave the authorisation;<br>(d) if the authorisation is current—when it is scheduled to expire;<br>(e) if the authorisation is not current—when it expired; | CDR Rule 1.15(3)(b),(c),(d),(e) | 5CM1.01.01 | |
02 | CX Guideline | MAY | If the duration of an authorisation request is absent or 0, data holders are to assume that the ADR is collecting the data on a 'single occasion' as per CDR Rule 4.23(1)(d).<br>For the purposes of dashboards, data holders may consider communicating the sharing period as a single disclosure instance, where the start and end dates are the same. | | 5CM1.01.02 | |
03 | CX Guideline | MAY | If the duration of an authorisation request is greater than 0 but less than 24 hours, data holders are to assume that the ADR is collecting the data on a 'single occasion' as per CDR Rule 4.23(1)(d).<br>For the purposes of dashboards, data holders may consider communicating the sharing period as a single disclosure instance within a specific timeframe, where the start and end dates may be on different days. | | 5CM1.01.03 | |
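The duration rules in guidelines 02 and 03, together with the expiry fields required by CDR Rule 1.15(3)(d) and (e), can be expressed as a small mapping from the requested duration to what the dashboard displays. This is an added example, not part of the CX Guidelines; it assumes the duration arrives in seconds, treats exactly 24 hours or more as ongoing sharing, and uses hypothetical names and label wording.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

DAY_SECONDS = 24 * 60 * 60

# Constructed sample: an authorisation given late in the evening (UTC).
GRANTED = datetime(2024, 4, 9, 23, 30, tzinfo=timezone.utc)


@dataclass(frozen=True)
class SharingPeriod:
    single_occasion: bool
    start: datetime
    end: datetime
    label: str  # hypothetical dashboard wording


def _fmt(dt: datetime) -> str:
    return f"{dt.day} {dt:%B %Y %H:%M}"


def sharing_period(granted_at: datetime,
                   duration_seconds: Optional[int]) -> SharingPeriod:
    """Map a requested duration (assumed to be seconds) to a display period."""
    if duration_seconds is not None and duration_seconds < 0:
        raise ValueError("duration cannot be negative")
    if not duration_seconds:
        # Guideline 02: absent or 0 means single occasion, start == end.
        return SharingPeriod(True, granted_at, granted_at,
                             f"Single disclosure on {_fmt(granted_at)}")
    end = granted_at + timedelta(seconds=duration_seconds)
    if duration_seconds < DAY_SECONDS:
        # Guideline 03: still single occasion, but the end may fall on
        # a different calendar day from the start.
        return SharingPeriod(True, granted_at, end,
                             f"Single disclosure between {_fmt(granted_at)} "
                             f"and {_fmt(end)}")
    # Assumption of this example: 24 hours or more is ongoing sharing.
    return SharingPeriod(False, granted_at, end,
                         f"Sharing from {_fmt(granted_at)} to {_fmt(end)}")


def expiry_line(period: SharingPeriod, now: datetime) -> str:
    """Rule 1.15(3)(d)/(e): scheduled expiry if current, else when it expired."""
    if now < period.end:
        return f"Scheduled to expire {_fmt(period.end)}"
    return f"Expired {_fmt(period.end)}"
```
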
Amended authorisations
The following wireframes show an example of how data holders can provide information for previous authorisations on the consumer dashboard.
Wireframe ref | Type | Requirement level | Statement | Reference | Checklist ref | Focus area |
---|---|---|---|---|---|---|
01 | CDR Rule | MUST | A data holder must update a CDR consumer’s consumer dashboard as soon as practicable after the information required to be contained on the dashboard changes. | CDR Rule 4.27 | 5CM1.02.01 | |
03 | CDR Rule | MUST | (3) For paragraph (1)(b) and paragraph (5)(a), the information is the following for each authorisation:<br>(h) details of each amendment (if any) that has been made to the authorisation<br>(3A) Paragraph (3)(h) applies on and after 1 July 2024. | CDR Rules 1.15(3)(h), (3A) | 5CM1.02.03 | |
04 | CX Standard | MUST | Effective from July 1st 2024:<br>When a consumer amends an authorisation in accordance with rule 4.22A, which is linked to a cdr_arrangement_id supplied by the data recipient as per the amending authorisation standards, data holders MUST display the details of each authorisation’s amendment on the consumer’s dashboard.<br>Note: this requirement gives effect to rule 1.15(3)(h) | | 5CM1.02.04 | |
05 | CX Guideline | MAY | Data holders should provide a CDR receipt to the consumer after they have authorised to share data. Receipts should be given in writing otherwise than through the consumer dashboard, such as via email or SMS, and should be made available on the consumer dashboard.<br>The receipt should provide the consumer with a record of their sharing arrangement, including details that relate to the authorisation.<br>CDR Receipts should be provided in writing, such as in an email, when:<br>1. Authorisations are successfully established<br>2. Authorisations are withdrawn<br>3. Authorisations expire<br>4. Authorisations are amended<br>CDR receipts should also outline details on complaint handling and resolution processes. Dashboards should provide a way for consumers to request a copy of their CDR receipts. | | 5CM1.02.05 | |
06 | CX Guideline | MAY | In line with the Amending Authorisation Standards: Changing Attributes, data holders should indicate changed attributes when outlining the details of amended authorisations on the consumer dashboard.<br>How a changed attribute is signified is at the data holder's discretion. | | 5CM1.02.06 | |
07 | CX Guideline | MAY | Dashboards should provide a way for consumers to request a copy of their CDR receipts. | | 5CM1.02.07 | |
08 | CX Guideline | MAY | Data holders should provide signposting and clear explanatory text to help consumers understand the relationship between previous and more recent authorisations. | | 5CM1.02.08 | |
Offline customers
‘Offline customers’ are eligible energy consumers without online access to their energy account(s). The following wireframes show one example of how to implement consumer dashboards for ‘offline customers’.
This example is not prescriptive, and data holders may choose to offer and provide dashboards to offline customers using alternative methods. It is at the data holder's discretion to determine the actual process of providing a dashboard to an offline customer for the purposes of rule 2.3(2).
For more information please refer to the Offline Customer Guidance on our CDR Support Portal.
Wireframe ref | Type | Requirement level | Statement | Reference | Checklist ref | Focus area |
---|---|---|---|---|---|---|
01 | CX Guideline | MAY | Data holders should provide a CDR receipt to the consumer after they have authorised to share data.<br>The receipt should provide the consumer with a record of their sharing arrangement, including details that relate to the authorisation.<br>The CDR receipt should be given in writing and available through the data holder consumer dashboard.<br>CDR Receipts should be provided in writing, such as in an email, when:<br>1. Authorisations are successfully established<br>2. Authorisations are withdrawn<br>3. Authorisations expire<br>4. Authorisations are amended<br>CDR receipts should also outline details on complaint handling and resolution processes. Dashboards should provide a way for consumers to request a copy of their CDR receipts. | | 5CM1.03.01 | |
02 | CX Guideline | MAY | As per Schedule 4, Rule 2.3(1), data holders are required to provide consumer dashboards to CDR consumers who have online access to the relevant account(s).<br>Where a consumer does not have online access to the relevant account(s), Schedule 4, Rule 2.3(2) requires data holders to offer a consumer dashboard and provide one if the CDR consumer accepts. | CDR Rule 2.3(1) and 2.3(2) (Schedule 4); CDR Support Portal: Offline Customer Guidance | 5CM1.03.02 | |
03 | CX Guideline | MAY | For the purposes of Schedule 4, Rule 2.3(2), data holders could provide an (optional) CDR Receipt that contains the details of the dashboard offer. While authorisation withdrawal instructions must be provided in the authorisation flow itself, dashboards are expected to be offered to offline customers external to the authorisation flow after authorisation has been granted. | CDR Rule 2.3(2) (Schedule 4); CDR Support Portal: Offline Customer Guidance | 5CM1.03.03 | |
04 | CX Guideline | MAY | It is at the data holder's discretion to determine the actual process of providing a dashboard to an offline customer for the purposes of Schedule 4, Rule 2.3(2). These guidelines demonstrate one possible approach, where the data holder relies on existing authentication credentials and channels successfully used by the offline customer, along with an access code that is unique to the consumer for greater security.<br>In this example, the offline consumer could be provided with a standalone dashboard without needing to register for an online account. A data holder could offer or activate online account registration as part of this process.<br>A data holder could also require registration for an online account for dashboard access where, for example, the dashboard is only available through an existing online portal or mobile app.<br>A data holder may choose to make the dashboard accessible via an online account or another mechanism. The actual implementation of dashboards for offline customers is at the data holder's discretion and may be contingent on a number of factors, including the data holder's security posture. | CDR Rule 2.3(2) (Schedule 4); CDR Support Portal: Offline Customer Guidance | 5CM1.03.04 | |
Joint accounts
The following wireframes show an example of how authorisation arrangements containing joint accounts should be displayed on the dashboards of:
- Account holder A (AH-A), the initiating account holder. AH-A is the ‘requester’ as described in CDR Rule 1.7(1).
- Account holder B (AH-B), the non-initiating account holder(s). AH-B is the ‘relevant account holder’ as described in CDR Rule 4A.3(b)(ii).
The wireframes show two scenarios, where an arrangement contains either:
- one or more joint accounts that are actively sharing data
- no joint accounts that are actively sharing data
  - Either AH-A or AH-B has applied a non-disclosure option, which means joint account data cannot be shared at all. An example of this is on Consent Management (Data holder): Account permissions, Joint account disclosure option management service, Change to a non-disclosure option.
  - AH-A has withdrawn the relevant authorisation. An example of this is on Consent Management (Data holder): Withdrawal, Default example.
  - AH-B has withdrawn the approval. An example of this is on Consent Management (Data holder): Withdrawal, Withdrawing approvals.
  - Another provision of the CDR Rules applies – for example, an authorisation expires or a consumer ceases to be ‘eligible’
Wireframe ref | Type | Requirement level | Statement | Reference | Checklist ref | Focus area |
---|---|---|---|---|---|---|
01 | CDR Rule | MUST | (1) If a data holder receives a consumer data request from an accredited person on behalf of a CDR consumer, the data holder must, in the circumstances specified in a sector Schedule, ensure that it provides the CDR consumer with an online service that:<br>(c) has a functionality that:<br>(i) allows for withdrawal, at any time, of authorisations to disclose CDR data; and<br>(ii) is simple and straightforward to use; and<br>(iii) is no more complicated to use than the process for giving the authorisation to disclose CDR data; and<br>(iv) is prominently displayed; and<br>(v) as part of the withdrawal process, displays a message relating to the consequences of the withdrawal in accordance with the data standards; | CDR Rule 1.15(1)(c) | 5CM1.04.01 | |
02 | CDR Rule | MUST | A data holder must update a CDR consumer’s consumer dashboard as soon as practicable after the information required to be contained on the dashboard changes. | CDR Rule 4.27 | 5CM1.04.02 | |
03 | CDR Rule | MUST | (1) Where:<br>(a) this Division applies in relation to a consumer data request; and<br>(b) either the co‑approval option or the pre‑approval option applies, or has applied, to the joint account;<br>the data holder must provide each relevant account holder with an online service that:<br>(d) has a functionality that:<br>(i) can be used by the relevant account holder to manage approvals in relation to each authorisation to disclose joint account data made by a requester; and<br>(ii) allows for withdrawal, at any time, of such an approval; and<br>(iii) is simple and straightforward to use; and<br>(iv) is prominently displayed; and<br>(v) as part of the withdrawal process, displays a message relating to the consequences of the withdrawal in accordance with the data standards. | CDR Rule 4A.13(1)(a), (b), (d) | 5CM1.04.03 | |
04 | CDR Rule | MUST | (1) Where:<br>(a) this Division applies in relation to a consumer data request; and<br>(b) either the co‑approval option or the pre‑approval option applies, or has applied, to the joint account;<br>the data holder must provide each relevant account holder with an online service that:<br>(c) contains the details referred to in paragraph 1.15(1)(b) that relate to the joint account data; | CDR Rule 4A.13(1)(a)–(c) | 5CM1.04.04 | |
05 | CDR Rule | MUST | (3) For paragraph (1)(b) and paragraph (5)(a), the information is the following for each authorisation:<br>(a) details of the CDR data that has been authorised to be disclosed;<br>(b) when the CDR consumer gave the authorisation;<br>(c) the period for which the CDR consumer gave the authorisation;<br>(d) if the authorisation is current—when it is scheduled to expire;<br>(e) if the authorisation is not current—when it expired;<br>(f) information relating to CDR data that was disclosed pursuant to the authorisation (see rule 7.9);<br>(g) for a disclosure of CDR data that relates to the authorisation but that was pursuant to a request under subsection 56EN(4) of the Act—that fact;<br>(h) details of each amendment (if any) that has been made to the authorisation. | CDR Rule 1.15(3) | 5CM1.04.05 | |
06 | CDR Rule | MUST | (5) For paragraph 1.15(1)(d), if a relevant account holder’s consumer dashboard contains details of approvals under this Division, the dashboards of the other joint account holders must contain those details. | CDR Rule 4A.13(1)(c) | 5CM1.04.06 | |
07 | CDR Rule | MUST | (2) Any relevant account holder may withdraw an approval given under this Division at any time, using their consumer dashboard. | CDR Rule 4A.12(2) | 5CM1.04.07 | |
08 | CDR Rule | MUST | (3) The data holder must, in accordance with any relevant data standards:<br>(a) provide for alternative notification schedules (including reducing the frequency of notifications or not receiving notifications); and<br>(b) give each joint account holder a means of selecting such an alternative, and of changing a selection. | CDR Rule 4A.14(3) | 5CM1.04.08 | |
09 | CDR Rule | MUST | (1) For each joint account to which this Part applies, the data holder must provide a service to each joint account holder that allows the joint account holder to:<br>(a) change the disclosure option that applies to the account in accordance with rule 4A.7; and<br>(b) propose a change in the disclosure option to the other joint account holders in accordance with rule 4A.8; and<br>(c) respond to a proposal by another joint account holder to change the disclosure option.<br>(2) Such a service is a disclosure option management service. | CDR Rule 4A.6(1),(2) | 5CM1.04.09 | |
10 | CX Guideline | MAY | Data holders must show the account(s) shared as part of the authorisation. Whereby:<br>• The initiating account holder has visibility of all accounts shared within the authorisation.<br>• Non-initiating account holders only have visibility of their shared accounts within the authorisation. | | 5CM1.04.10 | |
11 | CX Guideline | MAY | In line with CDR Rule 1.15(1)(c), the initiating account holder can withdraw the authorisation, including all accounts. An example of this, on the CX Guidelines website, is Withdrawal: Default example. | CDR Rule 1.15(1)(c); Withdrawal: Default example | 5CM1.04.11 | |
12 | CX Guideline | MAY | As per CDR Rule 4A.13(1)(d), data holders are required to allow account holders to withdraw one approval at a time.<br>In addition to this functionality, data holders may allow the relevant account holder(s) to withdraw approvals in bulk using the equivalent withdrawal mechanism the requester would use to withdraw an authorisation. This would allow the flow to be more intuitive and streamlined for the relevant account holder(s), rather than withdrawing approvals one by one. An example of this, on the CX Guidelines website, is Withdrawal: Withdrawing approvals, Pathway 2: Ability to withdraw approvals in bulk. | CDR Rule 4A.13(1)(d), Withdrawal: Withdrawing approvals, Pathway 2: Ability to withdraw approvals in bulk | 5CM1.04.12 | |
13 | CX Guideline | MAY | In line with CDR Rule 4A.13(1)(d) and CDR Rule 4A.12(2), non-initiating account holders can withdraw approvals for their joint accounts within an authorisation, but cannot withdraw the other accounts shared by the initiating account holder. | CDR Rule 4A.13(1)(d), CDR Rule 4A.12(2) | 5CM1.04.13 | |
14 | CX Guideline | MAY | Accounts that are no longer shared as part of an authorisation should be displayed as inactive. The precise wording is at the data holder’s discretion. | | 5CM1.04.14 | |
15 | CX Guideline | MAY | In line with CDR Rule 4A.14(3) and CX Notification Standards, data holders may offer an alternative notification schedule to apply at the account level and the customer level. Any account holder(s) may control the frequency and channel of their joint account notifications. An example of this, on the CX Guidelines website, is Joint account notification settings. | CDR Rule 4A.14(3), CX Notification Standards, Joint account notification settings | 5CM1.04.15 | |
16 | CX Guideline | MAY | In line with CDR Rule 4A.6, the data holder must provide joint account holders with a disclosure option management service (DOMS). Any joint account holder can manage account sharing permissions, such as to stop all sharing from an account, through DOMS. An example of this, on the CX Guidelines website, is Account permissions, Joint account disclosure option management service. | | 5CM1.04.16 | |
17 | CX Guideline | MAY | In line with CDR Rule 4A.12 and 4A.13, non-initiating account holders can withdraw approval for an account using their consumer dashboard. An example of this, on the CX Guidelines website, is Withdrawal: Withdraw an approval, Pathway 1: Withdrawing one approval at a time. | | 5CM1.04.17 | |
18 | CX Guideline | MAY | Sharing arrangements where no joint accounts are being shared should be displayed as inactive on the non-initiating account holder’s dashboard. The precise wording is at the data holder’s discretion. | | 5CM1.04.18 | |
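The visibility and withdrawal rules in guidelines 10, 11, 13, 14 and 18 amount to a per-viewer access check that the dashboard back end has to enforce, not just the UI. The sketch below is an added example, not part of the CX Guidelines; the `Account` and `Authorisation` models, function names and customer ids are hypothetical, and it assumes the requester uses authorisation withdrawal rather than approval withdrawal.

```python
from dataclasses import dataclass


@dataclass
class Account:
    account_id: str
    holders: frozenset    # customer ids that hold the account
    sharing: bool = True  # False once an approval has been withdrawn

    @property
    def joint(self) -> bool:
        return len(self.holders) > 1


@dataclass
class Authorisation:
    requester: str        # AH-A, the initiating account holder
    accounts: list
    current: bool = True


def visible_accounts(auth, viewer):
    """Guideline 10: AH-A sees all accounts, AH-B only joint accounts they hold."""
    if viewer == auth.requester:
        return list(auth.accounts)
    return [a for a in auth.accounts if a.joint and viewer in a.holders]


def dashboard_view(auth, viewer):
    accounts = visible_accounts(auth, viewer)
    if not accounts:
        return None  # viewer has no relationship to this arrangement
    if viewer == auth.requester:
        active = auth.current
    else:
        # Guideline 18: inactive for AH-B when none of their joint accounts share.
        active = auth.current and any(a.sharing for a in accounts)
    return {
        "status": "active" if active else "inactive",
        # Guideline 14: accounts no longer shared are displayed as inactive.
        "accounts": [(a.account_id,
                      "active" if auth.current and a.sharing else "inactive")
                     for a in accounts],
    }


def withdraw_authorisation(auth, actor):
    """Guideline 11: only the initiating account holder withdraws everything."""
    if actor != auth.requester:
        raise PermissionError("only the requester can withdraw the authorisation")
    auth.current = False


def withdraw_approval(auth, actor, account_id):
    """Guideline 13: AH-B may withdraw approval only for their own joint accounts."""
    # Resolve the target from the server-side view, never a client-supplied list.
    target = next((a for a in visible_accounts(auth, actor)
                   if a.account_id == account_id), None)
    if actor == auth.requester or target is None:
        raise PermissionError("actor is not a relevant account holder here")
    target.sharing = False


def build_sample():
    """Constructed data: AH-A shares one sole account and two joint accounts."""
    return Authorisation("ah_a", [
        Account("savings-001", frozenset({"ah_a"})),
        Account("joint-002", frozenset({"ah_a", "ah_b"})),
        Account("joint-003", frozenset({"ah_a", "ah_c"})),
    ])
```
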
Download open source asset
We're currently addressing an issue related to importing individually downloaded files into Figma. As an interim solution, we've compiled all 'Active' design assets into a single zip file.
- 1CO. Collection and use consents v1.30.0.2024.05.01
- 1CO1. AP disclosure consents v1.29.1.2024.03.06
- 1CO2. Amending consents v1.30.0.2024.05.01
- 1CO3. Trusted Adviser disclosure consent v1.29.1.2024.03.06
- 1CO4. Insights disclosure consent v1.29.1.2024.03.06
- 1CO5. Business consumer disclosure consents v1.30.0.2024.05.01
- 2AU. Redirect with One Time Password v1.29.0.2024.02.22
- 3AU. Authorisation to disclose v1.29.0.2024.02.22
- 3AU1. Amending authorisations v1.29.0.2024.02.22
- 3AU2. Authorisation to disclose joint account data v1.16.0.2022.03.17
- 4CM1. Disclosure consents v1.30.0.2024.05.01
- 4CM1. Collection and use consents v1.29.1.2024.03.06
- 4CM2. Withdrawal v1.29.1.2024.03.06
- 5CM1. Authorisations v1.29.1.2024.04.09
- 5CM2. Withdrawals v1.29.1.2024.04.09
- 5CM3. Joint account disclosure option management service v1.17.0.2022.06.08
- 5CM4. Secondary Users v1.17.0.2022.06.08
- 5CM5. Joint account notification settings v1.17.0.2022.06.08
Download design asset zip file
We appreciate your patience as we resolve this issue. If you have any questions, please reach out to cx@consumerdatastandards.gov.au.
Open source design assets are created in Figma for the purposes of assisting implementation. This Figma file contains annotated wireframes and working prototypes for the data holder dashboard, including:
- Default example
- Single occasion disclosure
- Amended authorisations
- Offline customers
- Joint accounts
Item | File | Date released | Version introduced |
---|---|---|---|
April 9, 2024 | 1.29.1 |
For past versions, refer to
Open source design assets are provided in the form of version-controlled Figma files. These assets contain the annotated wireframe and working prototype published on this page, and have been reviewed for accessibility compliance. Assets are partially conformant to Web Content Accessibility Guidelines (WCAG) 2.1 level AA. These assets do not cover accessible code and instead focus on visual presentation and readability.
The assets use the GOLD Design System; component rationale, accessibility support, and code documentation are available on the GOLD Design System website.
For more details, see
References
These CX Guidelines were informed by consultations and research conducted in 2019 to 2022, including the following:
- Consultations
  - DSB 2019, CX Workshop: Manage and withdraw
  - ACCC 2020, Draft v2 Rules consultation (see concept 7.5 Data Holder Dashboard)
  - DSB 2021, Noting Paper 157 - CX Standards Arising from v2 Rules
  - DSB 2024, Decision Proposal 334 - Data Holder Dashboards
  - DSB 2024, Change Request 557 - Withdrawal of a SUI by an Account Holder leaving an "Empty" Authorisation
- CX research
  - Tobias 2019, Phase 1 CX report
  - GippsTech 2019, Phase 2, Stream 1 report
  - Tobias 2019, Phase 2, Stream 3 report
- Other
  - DSB, Technical Standards: Request Object
  - Nielsen Norman Group 2019, 10 Usability Heuristics for User Interface Design (Flexibility and efficiency of use)
  - ACCC 2022, CDR Support Portal: Offline Customer Guidance
  - OAIC 2022, Privacy Safeguard 1
  - OAIC 2022, Privacy Safeguard 10
  - OAIC 2022, Guide to developing a CDR policy
  - DSB 2023, Authorisation States for Joint Account and Secondary User Sharing