Updated May 1, 2024
These guidelines provide examples for how to implement collection and use consents for common scenarios.
Overview
In accordance with Rule 4.11(1)(Note 1), an accredited person cannot infer consent, or seek to rely on an implied consent. Consent must be voluntary, express, informed, specific as to purpose, time limited, and easily withdrawn.
When asking a CDR consumer to give consent, a data recipient's processes must:
- accord with the data standards;
- have regard to any consumer experience guidelines developed by the Data Standards Body; and
- be as easy to understand as practicable, including by use of concise language and, where appropriate, visual aids.
Data recipients should make the consent process as easy to understand as possible by using appropriate interventions to mitigate cognitive overload, facilitate comprehension, and provide transparency and consumer control.
This section provides examples illustrating how the guidelines may be implemented.
These types of consents contain several steps, which may include:
- Provider selection: At this step, the consumer selects who they want to share data from, such as their data holder.
- Terms of consent: At this step, the consumer is asked for their consent, which they give by choosing the types of CDR data they will allow the ADR to access, the access period, and the specific uses of their data.
Wireframes and guidelines
Collection and use consents - default example
The following wireframes show a basic example of a collection and use consent.
Wireframe ref | Type | Requirement level | Statement | Reference | Checklist ref | Focus area |
---|---|---|---|---|---|---|
01 | CDR Rule | MAY | Note 1: An accredited person might need to make consumer data requests to several CDR participants in order to provide the goods or services requested by the CDR consumer, and might need to make regular consumer data requests over a period of time in order to provide those goods or services.
Note 2: These rules will progressively permit consumer data requests to be made in relation to CDR data held by a broader range of data holders within the banking sector, and in relation to a broader range of CDR data, according to the timetable set out in Part 6 of Schedule 3. | CDR Rule 4.4(2)(Note 1), (Note 2) | 1CO.01.01 | |
02 | CDR Rule | MUST NOT | (3) An accredited person must not ask for a consent:
(a) that is not in a category of consents; or
(b) subject to subrule (4), for using the CDR data, including by aggregating the data, for the purpose of:
(i) identifying; or
(ii) compiling insights in relation to; or
(iii) building a profile in relation to;
any identifiable person who is not the CDR consumer who made the consumer data request.
(4) Paragraph (3)(b) does not apply in relation to a person whose identity is readily apparent from the CDR data, if the accredited person is seeking consent to:
(a) derive, from that CDR data, CDR data about that person’s interactions with the CDR consumer; and
(b) use that derived CDR data in order to provide the requested goods or services. | CDR Rule 4.12(3), (4) | 1CO.00.02 | |
03 | CDR Rule | MUST | (1) An accredited person’s processes for asking a CDR consumer to give or amend a consent:
(a) must:
(i) accord with any relevant data standards; and
(ii) having regard to any consumer experience guidelines developed by the Data Standards Body, be as easy to understand as practicable, including by use of concise language and, where appropriate, visual aids; | CDR Rule 4.10(1)(a) | 1CO.00.03 | |
04 | CDR Rule | MUST NOT | (1) An accredited person’s processes for asking a CDR consumer to give or amend a consent:
(b) must not:
(i) include or refer to the accredited person’s CDR policy or other documents so as to reduce comprehensibility; or
(ii) bundle consents with other directions, permissions, consents or agreements. | CDR Rule 4.10(1)(b) | 1CO.00.04 | |
05 | CDR Rule | MUST | (3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information:
(a) its name;
(b) its accreditation number; | CDR Rule 4.11(3)(a), (b) | 1CO.00.05 | |
06 | CDR Rule | MUST | (1) When asking a CDR consumer to give a consent, an accredited person must:
(a) allow the CDR consumer to choose the types of CDR data to which the consent will apply by enabling the CDR consumer to actively select or otherwise clearly indicate:
(ii) in the case of a use consent―the specific uses of collected data to which they are consenting; | CDR Rule 4.11(1)(a)(ii) | CX Research 2, 6 | 1CO.02.06 | |
07 | CDR Rule | MUST | (3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information:
(c) in the case of a collection consent or a use consent―how the collection or use (as applicable) indicated in accordance with subrule (1) complies with the data minimisation principle, including how:
(i) in the case of a collection consent―that collection is reasonably needed, and relates to no longer a time period than is reasonably needed; and
(ii) in the case of a use consent―that use would not go beyond what is reasonably needed;
in order to provide the requested goods or services to the CDR consumer or make the other uses consented to; | CDR Rule 4.11(3)(c) | OAIC Chapter C: Consent (Data minimisation principle) | CX Research 1, 3 | 1CO.02.07 | |
08 | CDR Rule | MUST NOT | (2) An accredited person must not ask for a collection consent or a use consent unless it would comply with the data minimisation principle in respect of that collection or those uses. | CDR Rule 4.12(2) | OAIC Chapter C: Consent (Data minimisation principle) | CX Research 1, 3 | 1CO.02.08 | |
09 | CDR Rule | MUST | (1) When asking a CDR consumer to give a consent, an accredited person must:
(a) allow the CDR consumer to choose the types of CDR data to which the consent will apply by enabling the CDR consumer to actively select or otherwise clearly indicate:
(i) in the case of a collection consent or a disclosure consent―the particular types of CDR data to which the consent will apply; | CDR Rule 4.11(1)(a)(i) | 1CO.02.09 | |
10 | CDR Rule | MUST NOT | (2) The accredited person must not present pre-selected options to the CDR consumer for the purposes of subrule (1). | CDR Rule 4.11(2) | 1CO.02.10 | |
11 | CDR Rule | MUST | (1) The Data Standards Chair must make one or more data standards about each of the following:
(d) the types of CDR data and descriptions of those types, to be used by CDR participants in making and responding to requests; | CDR Rule 8.11(1)(d) | 1CO.02.11 | |
12 | CDR Rule | MUST | (1) When asking a CDR consumer to give a consent, an accredited person must:
(b) allow the CDR consumer to choose the period of the collection consent, use consent, or disclosure consent (as appropriate) by enabling the CDR consumer to actively select or otherwise clearly indicate whether the consent would apply:
(i) on a single occasion; or
(ii) over a specified period of time;
Note 2: For paragraph (b), the specified period may not be more than 12 months (or 7 years for certain consents by a CDR business consumer): see subrule 4.12(1). After the end of the period, redundant data would need to be dealt with in accordance with subsection 56EO(2) of the Act (privacy safeguard 12) and rules 7.12 and 7.13. | CDR Rule 4.11(1)(b), Note 2 | CX Research 4, 5 | 1CO.02.12 | |
13 | CDR Rule | MUST NOT | (1) Subject to subrule (1A), an accredited person must not specify a period of time for the purposes of paragraph 4.11(1)(b) that is more than 12 months. | CDR Rule 4.12(1) | CX Research 4, 5 | 1CO.02.13 | |
14 | CDR Rule | MUST | (3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information:
(g) the following information about withdrawal of consents:
(ii) instructions for how the consent can be withdrawn; | CDR Rule 4.11(3)(g)(ii) | CX Research 7 | 1CO.02.14 | |
15 | CDR Rule | MUST | (3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information:
(g) the following information about withdrawal of consents:
(i) a statement that, at any time, the consent can be withdrawn;
(iii) a statement indicating the consequences (if any) to the CDR consumer if they withdraw the consent; | CDR Rule 4.11(3)(g)(i), (iii) | CX Research 7, 32 | 1CO.02.15 | |
16 | CDR Rule | MAY | (1) A CDR consumer who has given a consent to an accredited person for the purposes of this Division may withdraw the consent at any time:
(a) by using the accredited person’s consumer dashboard; | CDR Rule 4.13(1)(a) | 1CO.02.16 | |
17 | CDR Rule | MAY | (1) A CDR consumer who has given a consent to an accredited person for the purposes of this Division may withdraw the consent at any time:
(b) by using a simple alternative method of communication to be made available by the accredited person for that purpose. | CDR Rule 4.13(1)(b) | 1CO.02.17 | |
18 | CDR Rule | MUST | (3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information:
(h) the following information about redundant data:
(i) a statement, in accordance with rule 4.17, regarding the accredited person’s intended treatment of redundant data; | CDR Rule 4.11(3)(h)(i) | 1CO.02.18 | |
19 | CDR Rule | MUST | (1) For subparagraph 4.11(3)(h)(i), the accredited person must state whether they have a general policy, when collected CDR data becomes redundant data, of:
(a) deleting the redundant data; or
(b) de-identifying the redundant data; or
(c) deciding, when the CDR data becomes redundant data, whether to delete it or de-identify it. | CDR Rule 4.17(1) | CX Research 18 | 1CO.02.19 | |
20 | CDR Rule | MUST | For these rules, the CDR data deletion process in relation to a person that holds CDR data that is to be deleted consists of the following steps:
(a) delete, to the extent reasonably practicable, that CDR data and any copies of that CDR data;
(b) make a record to evidence the deletion; and
(c) where another person holds the CDR data on its behalf and will perform those steps—direct that person to notify it when those steps have been performed. | CDR Rule 1.18 | 1CO.02.20 | |
21 | CDR Rule | MUST | (4) In addition to the information referred to in subsection 56ED(5) of the Act, an accredited data recipient’s CDR policy must:
(k) include the following information about deletion of redundant CDR data:
(i) when it deletes redundant data;
(ii) how a CDR consumer may elect for this to happen;
(iii) how it deletes redundant data; | CDR Rule 7.2(4)(k) | 1CO.02.21 | |
22 | CDR Rule | MUST | (1) When asking a CDR consumer to give a consent, an accredited person must:
(c) ask for the CDR consumer’s express consent to the choices referred to in paragraphs (a), (b) and (ba) for each relevant category of consents; | CDR Rule 4.11(1)(c) | 1CO.02.22 | |
23 | CDR Rule | MUST | (1) An accredited person must give the CDR consumer a notice that complies with this rule (a CDR receipt) as soon as practicable after:
(a) the CDR consumer gives the accredited person a collection consent, a use consent or a disclosure consent; | CDR Rule 4.18(1)(a) | 1CO.02.23 | |
24 | CDR Rule | MUST | (4) A CDR receipt must be given in writing otherwise than through the CDR consumer’s consumer dashboard. | CDR Rule 4.18(4) | 1CO.02.24 | |
25 | CDR Rule | MUST | (2) A CDR receipt given for the purposes of paragraph (1)(a) must set out:
(a) the details that relate to the consent that are listed in paragraphs 1.14(3)(a) to (f); and
(b) in the case of a collection consent―the name of each CDR participant the CDR consumer has consented to the collection of CDR data from; and
(c) any other information the accredited person provided to the CDR consumer when obtaining the consent (see rule 4.11). | CDR Rule 4.18(2)(a), (b), (c) | 1CO.02.25 | |
26 | CX Standard | MUST | Data Recipients and Data Holders MUST use data language standards to describe data clusters and permissions in consumer-facing interactions. See the Banking Language section for language to be used when requesting banking data; and the Energy Language section for language to be used when requesting energy data.
Data language standards MUST be used when CDR data is being requested, reviewed, or access to such data is withdrawn.
Data Recipients and Data Holders MUST use the appropriate data standards language for business consumers as denoted with an '*' for the relevant data.
Data Recipients and Data Holders SHOULD expand on the proposed language where appropriate to communicate further details of what is being shared.
Additional details MAY include additional information in context, such as in-line help or tool tips, and/or additional permissions where they may exist.
Examples of permission details that MAY be used and provided as in-line help are denoted with an '†' for the relevant data. | 1CO.02.26 | ||
27 | CX Standard | MUST | If a scenario requires it, Data Holders and Data Recipients MUST merge and amend Basic and Detailed data cluster and permission language to show that Detailed scopes include Basic data.
Data Holders and Data Recipients MUST use the alternative language denoted with an '‡' for the relevant scope(s). See the Banking Language section for banking data and the Energy Language section for energy data.
Example: A Data Recipient presents the Detailed data cluster in a data request to a consumer, but does not present the Basic data cluster. The Detailed scope includes Basic data, but this is not apparent to the consumer based on the data cluster language and permissions used for the Detailed scope. | 1CO.02.27 | ||
28 | CX Standard | MUST | Data recipients MUST notify consumers of redirection prior to authentication. | 1CO.02.28 | ||
29 | CX Guideline | MAY | Data recipients may choose to present data holder selection screens before or after the data request occurs. | 1CO.01.29 | ||
30 | CX Guideline | MAY | Data recipients should make the data holder list searchable if the number of data holders exceeds what can be displayed on the screen. | 1CO.01.30 | ||
31 | CX Guideline | MAY | Data recipients should list data holders in an easily scannable way. This can be done alphabetically or contextually (for example, starting with popular data holders). | 1CO.01.31 | ||
32 | CX Guideline | MAY | Data recipients should refer to data holder brand names in the provider selection list. | 1CO.01.32 | ||
33 | CX Guideline | MAY | Data recipients should also include a link to their specific page on www.cdr.gov.au/find-a-provider for accreditation verification purposes. | 1CO.02.33 | ||
34 | CX Guideline | MAY | Data recipients will need to explain how the time period complies with the data minimisation principle (DMP). This is required for data that is yet to be generated (e.g. for an ongoing consent) as well as historical data (e.g. for collection on a 'single occasion').
Example DMP statement for data that is yet to be generated:
We need to collect and use your data for 12 months so [we can update your financial position in real-time] to [deliver accurate and tailored personal financial management].
Example DMP statement for historical data:
We need to collect the last 12 months of your data so [we can assess seasonal changes] to [provide an accurate energy comparison]. | CDR Rule 4.11(3)(c) | OAIC Chapter C: Consent (Data minimisation principle) | CX Research 1, 3 | 1CO.02.34 | |
35 | CX Guideline | MAY | Data recipients should identify whether a consumer is an individual or business consumer in order to surface the correct data language. | CX of error handling workshop | 1CO.02.35 | |
36 | CX Guideline | MAY | Data recipients should present purpose in relation to each data cluster unless this statement applies equally to all datasets.
If the statement applies equally to all datasets, data recipients should present this to the consumer clearly in relation to all of the datasets.
This information should clearly communicate the purposes and benefits of data sharing to the consumer. | 1CO.02.36 | ||
37 | CX Guideline | MAY | Data recipients should make the consent process as easy to understand as possible.
Data recipients should nudge consumers to be more privacy conscious and should use appropriate interventions to mitigate cognitive overload, facilitate comprehension, and provide transparency and consumer control.
This can be done in a variety of ways, including through the use of design patterns like progressive disclosure, micro and/or descriptive copy, and with the use of microinteractions. | 1CO.00.37 | ||
38 | CX Guideline | MAY | Data recipients should outline how often data is expected to be collected over that period. | 1CO.02.38 | ||
39 | CX Guideline | MAY | Most research participants expected their data to be deleted when sharing was withdrawn or expired. Data recipients can avoid the election step within the consent flow if they have a general policy of deletion.
If data recipients need to include this in-flow election, they should allow the consumer to elect that they ‘remember’ their preference for subsequent requests. | 1CO.02.39 | ||
40 | CX Guideline | MAY | Data recipients should surface information about data deletion found in their CDR policy along with a link to read this policy. | 1CO.02.40 | ||
42 | CX Guideline | MAY | Data recipients should include their CDR policy in their CDR receipts. | 1CO.02.42 | ||
43 | CX Guideline | MAY | In addition to providing withdrawal instructions, data recipients should provide instructions for how to review sharing arrangements. | 1CO.02.43 | ||
44 | CX Standard | MUST | Data holders and data recipients MUST state in consumer-facing interactions and communications that services utilising the CDR do not need access to consumer passwords for the purposes of sharing data. The exact phrasing of this is at the discretion of the Data Holder and Data Recipient. | 1CO.02.44 | ||
45 | CX Standard | MUST | Data holders and data recipients MUST clearly refer to a “One Time Password” in consumer-facing interactions and communications. The use of the term “One Time Password” MAY be presented alongside an existing term used by a data holder (e.g. Netcode, one time pin etc.). | 1CO.02.45 | ||
46 | CX Guideline | MAY | Data recipients should surface information about the data deletion process:
• when data will be deleted;
• why data may need to be retained (e.g. business or legal reasons);
• how the data will be deleted, this may include timeframes. | CDR Rule 7.2(4)(k) | CX Research: 2020 Phase 3, Round 3 report; 2021 Disclosure Consent report | 1CO.02.46 | |
47 | CX Guideline | MAY | Data recipients are encouraged to provide information in relation to complaint handling at appropriate points throughout the Consent Model, such as during Pre-consent; within the Consent Flow; and/or within the CDR Receipt and/or Consumer Dashboards. | CX Research: 2020 Phase 3 Round 8; 2021 Disclosure Consent report | 1CO.02.47 | |
48 | CX Guideline | MAY | CX research suggested that further information on data handling, including from government sources, can aid comprehension and confidence for Sceptics, Assurance Seekers and Sensemakers. Based on these insights, data recipients are encouraged to provide a link to OAIC’s guidance on Privacy Safeguard 12, which outlines information on data security and redundant data handling. | 1CO.02.48 | ||
49 | CDR Rule | MUST | (1A) In the case of a consent given by a CDR business consumer that includes a business consumer statement, an accredited person must:
(a) not specify a period of time that is more than 7 years; and
(b) if specifying a period of time of more than 12 months, give the CDR business consumer the option of choosing a period for the consent of 12 months or less. | CDR Rule 4.12(1A) | 1CO.02.49 | |
50 | CX Guideline | MAY | Data recipients should include information about data sharing with the CDR. | 1CO.02.50 |
Note: Some interactions and screens have been omitted for simplicity.
CDR outsourcing, sponsorship and CDR representative arrangements
Using outsourced service providers
An accredited person or CDR representative may engage outsourced service providers (OSPs) to do one or both of the following: (1) collect CDR data on their behalf; (2) use or disclose data to provide specified goods or services to them.
To do so, a written contract that meets the requirements set out in the CDR Rules, called a CDR outsourcing arrangement, must be in place with the OSP. A data recipient may have both direct and indirect OSPs. This can occur where a direct OSP of the data recipient engages further OSPs in their own CDR outsourcing arrangements.
For more information on CDR outsourcing arrangements, see OAIC’s guidance on privacy obligations for principals and outsourced service providers.
Wireframe ref | Type | Requirement level | Statement | Reference | Checklist ref | Focus area |
---|---|---|---|---|---|---|
01 | CDR Rule | MUST | (3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information:
(f) if the CDR data may be disclosed to, or collected by, a direct or indirect OSP (including one that is based overseas) of the accredited person:
(i) a statement of that fact; | CDR Rule 4.11(3)(f)(i) | 1CO.03a.01 | |
02 | CDR Rule | MUST | (3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information:
(f) if the CDR data may be disclosed to, or collected by, a direct or indirect OSP (including one that is based overseas) of the accredited person:
(ii) a link to the accredited person’s CDR policy; and
(iii) a statement that the consumer can obtain further information about such disclosures from the policy if desired; | CDR Rule 4.11(3)(f)(ii), (iii) | 1CO.03a.02 | |
03 | CX Guideline | MAY | Where direct or indirect OSPs are used, CDR Rule 4.11(3)(f)(i) requires the accredited person to specify that fact but does not require specific entities to be surfaced to the consumer. These guidelines recommend that specific OSPs and their roles be surfaced to the consumer in the consent flow; these details may reflect the accredited person’s CDR Policy on service providers' involvement at that point in time.
Consumer research also suggested that consumers expected transparency in this process, and that surfacing details about participants and their roles would facilitate trustworthiness and informed consent. | CX Research: 2020 Phase 3, Round 4 and 5 report | 1CO.03a.03 | |
04 | CX Guideline | MAY | CDR participants may want to note where an OSP is accredited, which the research suggested would facilitate trustworthiness in the process. | 1CO.03a.04 | ||
05 | CX Guideline | MAY | Data recipients should provide a high level of transparency, control, and certainty around all parties who may collect or access the data in any way.
Data recipients can do this by surfacing relevant information and obligations regarding such parties and providers that would otherwise be found in CDR policies. | CX Research: 2020 Phase 3, Round 4 and 5 report | 1CO.03a.05 | |
06 | CX Guideline | MAY | These designs demonstrate a consolidated pattern that CDR participants may choose to implement for various sharing models, including where an accredited data recipient uses direct or indirect OSPs; for an affiliate using a sponsor to collect data; and for a CDR representative requesting that a CDR principal collect data on their behalf. Using a consistent pattern will help provide familiar, trustworthy, and intuitive experiences while also providing flexible and reusable designs to support various implementation requirements. | 1CO.03a.06 |
Sponsorship arrangement
The sponsored accreditation model allows a person accredited to the ‘sponsored’ level (an ‘affiliate’) to provide goods or services directly to a consumer. To do so, they must have a written contract with an unrestricted accredited person (a ‘sponsor’) who collects CDR data from data holders on their behalf.
For more information on the sponsored accreditation model, see OAIC’s guidance on privacy obligations of sponsors and affiliates.
Wireframe ref | Type | Requirement level | Statement | Reference | Checklist ref | Focus area |
---|---|---|---|---|---|---|
01 | CDR Rule | MUST | (3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information:
(a) its name;
(b) its accreditation number; | CDR Rule 4.11(3)(a), (b) | 1CO.03b.01 | |
02 | CDR Rule | MUST | (3) When asking a CDR consumer to give consent, the accredited person must give the CDR consumer the following information:
(i) if the accredited person is an affiliate and the CDR data will be collected by a sponsor at its request;
(i) a statement of that fact; and
(ii) the sponsor’s name; and
(iii) the sponsor’s accreditation number; and
(iv) a link to the sponsor’s CDR policy; and
(v) a statement that the CDR consumer can obtain further information about such collections or disclosures from the sponsor’s CDR policy if desired. | CDR Rule 4.11(3)(i) | 1CO.03b.02 | |
03 | CDR Rule | MUST | (2B) If the accredited person is an affiliate and the CDR data will be collected by a sponsor at its request:
(a) the request for a collection consent must specify that fact; and
(b) a consent for the affiliate to collect the CDR data is taken to be consent for the sponsor to so collect it. | CDR Rule 4.3(2B) | 1CO.03b.03 | |
04 | CDR Rule | MUST | 4.20A Application of Subdivision to sponsor and affiliate
Where this Subdivision would, if not for this rule, require both an affiliate and the affiliate’s sponsor to give a notice to a CDR consumer, the sponsor and the affiliate may choose which will give the notice. | CDR Rule 4.20A | 1CO.03b.04 | |
05 | CX Guideline | MAY | For sponsorship arrangements, affiliates may display the sponsor's name and accreditation (as per CDR Rule 4.11(3)(i)) where outsourced service provider involvement is surfaced to the consumer (as per CDR Rule 4.11(3)(f)). This should be readily accessible to the consumer as these guidelines demonstrate. | 1CO.03b.05 | ||
06 | CX Guideline | MAY | As per CDR Rule 4.20A, affiliates may provide the notifications specified in subdivision 4.3.5. | 1CO.03b.06 | ||
07 | CX Guideline | MAY | In line with CDR Rule 4.11(3)(a), (b), the name and accreditation number of the affiliate should be displayed. | 1CO.03b.07 | ||
08 | CX Guideline | MAY | Data recipients should provide a high level of transparency, control, and certainty around all parties who may collect or access the data in any way.
Data recipients can do this by surfacing relevant information and obligations regarding such parties and providers that would otherwise be found in CDR policies. | CX Research: 2020 Phase 3, Round 4 and 5 report | 1CO.03b.08 | |
09 | CX Guideline | MAY | These designs demonstrate a consolidated pattern that CDR participants may choose to implement for various sharing models, including where an accredited data recipient uses an outsourced service provider; for an affiliate using a sponsor to collect data; and for a CDR representative requesting that a CDR principal collect data on their behalf. Using a consistent pattern will help provide familiar, trustworthy, and intuitive experiences while also providing flexible and reusable designs to support various implementation requirements. | 1CO.03b.09 | ||
10 | CX Guideline | MAY | Various rules require specific entities to provide certain items, such as dashboards and notifications, and may also require the sponsor to be referenced. These guidelines demonstrate how this information may generally be displayed so that, where appropriate, the consumer is primarily engaging with the known entity that they have a relationship with, and the sponsor is only noted as a background detail. | 1CO.03b.10 |
CDR representative arrangement
Under CDR Rule 1.10AA, the CDR representative model enables unaccredited persons (‘CDR representatives’) to provide goods and services to consumers using CDR data, when they are in a CDR representative arrangement with an unrestricted accredited person (a ‘CDR representative principal’) who is liable for them.
In accordance with CDR Rule 1.10AA(1)(a), CDR representatives cannot deal with consumers in their capacity as a CDR business consumer, and as such can’t invite consumers to give a business consumer statement.
For more information on the CDR representative model, see OAIC’s guidance on privacy obligations for CDR principals and CDR representatives.
Wireframe ref | Type | Requirement level | Statement | Reference | Checklist ref | Focus area |
---|---|---|---|---|---|---|
01 | CDR Rule | MUST | (1) In these rules, a CDR representative arrangement is a written contract between a person with unrestricted accreditation (the CDR representative principal) and a person without accreditation (the CDR representative):
(a) under which the CDR representative will offer goods and services to CDR consumers, but not in their capacity as CDR business consumers, for which it will need to use or disclose CDR data of the CDR consumer; and
(b) under which, where the CDR representative has obtained the consent of a CDR consumer to the collection, use and disclosure of CDR data in accordance with rule 4.3A:
(i) the CDR representative principal will:
(A) make any appropriate consumer data request; and
(B) disclose the relevant CDR data to the CDR representative; and
(ii) the CDR representative will use or disclose the CDR data to provide the relevant goods or services to the CDR consumer; and
(d) under which the CDR representative is required to comply with any rules that are expressed as applying to a CDR representative. | CDR Rule 1.10AA(1)(a),(b),(d) | 1CO.03c.01 | |
02 | CDR Rule | MUST | Note: From the point of view of a CDR consumer who is the customer of a CDR representative, the consumer deals with the CDR representative, as if it were an accredited person, and might not deal with the CDR representative principal at all. The consumer requests the goods or services from the CDR representative; the CDR representative identifies the CDR data that it needs in order to provide the goods and services; the consumer gives their consent to the CDR representative for the collection and use of the CDR data. The consumer is informed that the CDR representative principal will do the actual collecting, but as a background detail.
A CDR representative cannot deal with a person in their capacity as a CDR business consumer. | CDR Rule 1.10AA Note | 1CO.03c.02 | |
03 | CDR Rule | MUST NOT | (4) A CDR representative arrangement must require the CDR representative to comply with the following requirements in relation to any service data:
(c) the CDR representative must not use or disclose the service data other than in accordance with a contract with the CDR representative principal; | CDR Rule 1.10AA(4)(c) | 1CO.03c.03 | |
04 | CDR Rule | MAY | (2) The CDR representative may, in accordance with Division 4.3A, ask the CDR consumer to give:
(a) a collection consent for the CDR representative principal to collect the CDR consumer’s CDR data from the CDR participant and disclose it to the CDR representative; and
(b) a use consent for the CDR representative to use it in order to provide those goods or services.
Note 1: For a collection consent mentioned in paragraph (a), see subrule 1.10A(8).
For consents mentioned in paragraph (b), see rule 1.10A as applied to a CDR representative under subrule 1.10A(5).
Note 2: In order to provide goods or services in accordance with the CDR consumer’s request, it might be necessary for the CDR representative principal to request CDR data from more than 1 CDR participant.
Note 3: The CDR data may be collected and used only in accordance with the data minimisation principle: see rule 1.8. | CDR Rule 4.3A(2) | 1CO.03c.04 | |
06 | CDR Rule | MUST | (8) For an accredited person with a CDR representative, a consent given by a CDR consumer under these rules to the CDR representative for the accredited person to collect particular CDR data from a CDR participant for that CDR data and disclose it to the CDR representative is also a collection consent. | CDR Rule 1.10A(8) | 1CO.03c.06 | |
08 | CDR Rule | MAY | (5) Where a CDR representative principal makes a consumer data request at the request of a CDR representative, it may arrange for the CDR representative to provide the consumer dashboard on its behalf. | CDR Rule 1.14(5) | 1CO.03c.08 | |
12 | CX Guideline | MAY | For CDR representative arrangements, CDR representatives are required to display their own name as per rule 4.20E(3)(a), but as an unaccredited participant they are not required to display their accreditation number (as they do not have one).
CDR representatives are required by rules 4.20E(3)(d) and (e) to display the CDR principal's name and accreditation number. The CDR representative may choose to display the principal's accreditation number in relation to the representative's name, and may also surface the principal's name, accreditation number, and other details, such as those specified in rules 4.20E(3)(b), (j) and (l) where outsourced service provider involvement is surfaced to the consumer (as per rule 4.20E(3)(k)). This should be readily accessible to the consumer as these guidelines demonstrate. | 1CO.03c.12 | ||
13 | CX Guideline | MAY | CDR representatives can refer to the Principal as a background detail in the relevant artefacts, e.g. dashboard, withdrawal, notifications etc. | CDR Rule 1.10AA | 1CO.03c.13 | |
14 | CX Guideline | MAY | As noted in CDR Rule 4.20J and 1.14(5), where a CDR principal makes consumer data requests at the request of a CDR representative, the CDR representative may provide the consumer dashboard on the CDR principal's behalf. | 1CO.03c.14 | ||
15 | CX Guideline | MAY | Data recipients should provide a high level of transparency, control, and certainty around all parties who may collect or access the data in any way.
Data recipients can do this by surfacing relevant information and obligations regarding such parties and providers that would otherwise be found in CDR policies. | CX Research: 2020 Phase 3, Round 4 and 5 report | 1CO.03c.15 | |
16 | CX Guideline | MAY | These designs demonstrate a consolidated pattern that CDR participants may choose to implement for various sharing models, including where a data recipient uses an outsourced service provider; for an affiliate using a sponsor to collect data; and for a CDR representative requesting that a CDR principal collect data on their behalf. Using a consistent pattern will help provide familiar, trustworthy, and intuitive experiences while also providing flexible and reusable designs to support various implementation requirements. | 1CO.03c.16 | ||
19 | CX Guideline | MAY | As per rule 4.20M, if a CDR participant does not have a general policy of deleting redundant data, then the consumer may elect that the collected data, and any data derived from it, be deleted when it becomes redundant data. They may do this when giving the consent as per rule or at any other time before the consent expires. The consumer may make this election using their consumer dashboard, or in writing to the CDR principal or CDR representative. | 1CO.03c.19 | ||
20 | CX Guideline | MAY | As per rule 4.20J, a consumer withdrawing a consent using a simple alternative method of communication can do so by notifying either the CDR representative principal or the CDR representative.
When seeking to address the requirements of rule 4.20E(3)(m)(ii), recipients should include the method of communication for the party the consumer is most familiar with.
CDR representative principals must include the details of the simple method of communication in their CDR policy.
Where a consumer contacts the CDR representative principal, rather than the CDR representative, the principal may also choose to present contact details that align with the brand, name, or domain of the CDR representative to maintain consistency in the interaction. | 1CO.03c.20 | ||
21 | CDR Rule | MUST | Note: Under rule 4.3A, if a CDR representative asks a CDR consumer for their consent to collect and use their CDR data, it must do so in accordance with this Division, and in particular, rules 4.20D, 4.20E and 4.20F. A failure to do so could result in the CDR representative principal being liable for one or more civil penalty provisions: see section 56EF of the Act and rule 1.16A. | CDR Rule 4.3A.2 Note | 1CO.03c.21 | |
22 | CDR Rule | MUST | (3) When asking a CDR consumer to give consent, the CDR representative must give the CDR consumer the following information:
(d) the CDR representative principal’s name;
(e) the CDR representative principal’s accreditation number; | CDR Rule 4.20E(3)(d), (e) | 1CO.03c.22 | |
23 | CDR Rule | MUST | (3) When asking a CDR consumer to give consent, the CDR representative must give the CDR consumer the following information:
(b) the fact that the person is a CDR representative and that the CDR data will be collected by its CDR representative principal at its request;
(j) a link to the CDR representative principal’s CDR policy;
(l) a statement that the CDR consumer can obtain further information about the collections or disclosures for which consent is requested from the CDR representative principal’s CDR policy if desired; | CDR Rule 4.20E(3)(b), (j), (l) | 1CO.03c.23 | |
24 | CDR Rule | MUST | (3) When asking a CDR consumer to give consent, the CDR representative must give the CDR consumer the following information:
(a) its name; | CDR Rule 4.20E(3)(a) | 1CO.03c.24 | |
25 | CDR Rule | MUST | (3) When asking a CDR consumer to give consent, the CDR representative must give the CDR consumer the following information:
(m) the following information about withdrawal of consents:
(i) a statement that, at any time, the consent can be withdrawn;
(ii) instructions for how the consent can be withdrawn;
(iii) a statement indicating the consequences (if any) to the CDR consumer if they withdraw the consent; | CDR Rule 4.20E(3)(m) | 1CO.03c.25 | |
26 | CDR Rule | MUST | (3) When asking a CDR consumer to give consent, the CDR representative must give the CDR consumer the following information:
(n) the following information about redundant data:
(i) a statement, in accordance with rule 4.20N, regarding the CDR representative’s intended treatment of redundant data; | CDR Rule 4.20E(3)(n)(i) | 1CO.03c.26 | |
27 | CDR Rule | MUST | (1) A CDR representative must not specify a period of time for the purposes of paragraph 4.11(1)(b) that is more than 12 months. | CDR Rule 4.20F(1) | 1CO.03c.27 | |
28 | CDR Rule | MUST | (1) A CDR consumer who has given a consent to a CDR representative for the purposes of this Division may withdraw the consent at any time:
(a) by using the CDR representative principal’s consumer dashboard; or
(b) by using:
(i) a method mentioned in subrule (2) to notify the CDR representative principal; or
(ii) a method mentioned in subrule (3) to notify the CDR representative.
Note 1: The CDR representative principal may allow the CDR representative to provide the consumer dashboard on its behalf—see subrule 1.14(5).
Note 2: If the withdrawal is made using the consumer dashboard, it has effect immediately (see rule 4.20K).
(2) The CDR representative principal must make available a simple method of communication for the withdrawal of consent, as an alternative to using the CDR representative principal’s consumer dashboard.
Note 1: The CDR representative principal may allow the CDR representative to provide the consumer dashboard on its behalf—see subrule 1.14(5).
Note 2: This subrule is a civil penalty provision (see rule 9.8).
(3) The CDR representative must make available a simple method of communication for the withdrawal of consent, as an alternative to using the CDR representative principal’s consumer dashboard.
Note: A failure to do this could make the CDR representative principal liable for a civil penalty (see rule 1.16A). | CDR Rule 4.20J(1) – (3) | 1CO.03c.28 | |
29 | CDR Rule | MUST | (1) A CDR representative must give the CDR consumer a notice that complies with this rule (a CDR receipt) as soon as practicable after:
(a) the CDR consumer gives the CDR representative a collection consent, a use consent or a disclosure consent; | CDR Rule 4.20O(1)(a) | 1CO.03c.29 | |
30 | CDR Rule | MUST | A CDR representative’s processes for asking a CDR consumer to give or amend a consent:
(a) must:
(i) accord with any relevant data standards; and
(ii) having regard to any consumer experience guidelines developed by the Data Standards Body, be as easy to understand as practicable, including by use of concise language and, where appropriate, visual aids; and
(b) must not:
(i) include or refer to the CDR representative principal’s CDR policy or other documents so as to reduce comprehensibility; or
(ii) bundle consents with other directions, permissions, consents or agreements. | CDR Rule 4.20D | 1CO.03c.30 | |
31 | CDR Rule | MUST | (1) When asking a CDR consumer to give a consent, a CDR representative must:
(a) allow the CDR consumer to choose the types of CDR data to which the consent will apply by enabling the CDR consumer to actively select or otherwise clearly indicate:
(i) in the case of a collection consent or a disclosure consent―the particular types of CDR data to which the consent will apply; | CDR Rule 4.20E(1)(a)(i) | 1CO.03c.31 | |
32 | CDR Rule | MUST | (1) When asking a CDR consumer to give a consent, a CDR representative must:
(a) allow the CDR consumer to choose the types of CDR data to which the consent will apply by enabling the CDR consumer to actively select or otherwise clearly indicate:
(ii) in the case of a use consent―the specific uses of collected data to which they are consenting; | CDR Rule 4.20E(1)(a)(ii) | 1CO.03c.32 | |
33 | CDR Rule | MUST | (1) When asking a CDR consumer to give a consent, a CDR representative must:
(b) allow the CDR consumer to choose the period of the collection consent, use consent, or disclosure consent (as appropriate) by enabling the CDR consumer to actively select or otherwise clearly indicate whether the consent would apply:
(i) on a single occasion; or
(ii) over a specified period of time; | CDR Rule 4.20E(1)(b) | 1CO.03c.33 | |
34 | CDR Rule | MUST | (1) When asking a CDR consumer to give a consent, a CDR representative must:
(d) ask for the CDR consumer’s express consent to the choices referred to in paragraphs (a), (b) and (c) for each relevant category of consents; | CDR Rule 4.20E(1)(d) | 1CO.03c.34 | |
35 | CDR Rule | MUST | (2) The CDR representative must not present pre‑selected options to the CDR consumer for the purposes of subrule (1). | CDR Rule 4.20E(2) | 1CO.03c.35 |
Business consumer statement
An accredited person can treat a consumer as a business consumer if they take reasonable steps to confirm that the consumer is a business, using the criteria specified in CDR Rule 1.10A(9).
CDR Rule 1.10A(10) outlines the circumstances in which a business consumer can be asked to provide a business consumer statement. Importantly, a business consumer statement can’t be given in relation to a Collection consent. Additionally, CDR Representatives cannot deal with consumers in their capacity as a CDR business consumer, as per CDR Rule 1.10AA(1)(a).
The following wireframes provide an example of how an accredited person can invite a business consumer to give a business consumer statement in relation to a Use consent.
Wireframe ref | Type | Requirement level | Statement | Reference | Checklist ref | Focus area |
---|---|---|---|---|---|---|
01 | CDR Rule | MUST | (9) For these rules, a CDR consumer is taken to be a CDR business consumer in relation to a consumer data request to be made by an accredited person if the accredited person has taken reasonable steps to confirm that:
(a) the CDR consumer is not an individual; or
(b) the CDR consumer has an active ABN. | CDR Rule 1.10A(9) | 1CO.04.01 | |
02 | CDR Rule | MUST | (2) An accredited data recipient must keep and maintain records that record and explain the following:
(eg) any steps taken for the purposes of subrule 1.10A(9) to confirm that a CDR consumer is a CDR business consumer; | CDR Rule 9.3(2)(eg) | 1CO.04.02 | |
03 | CDR Rule | MUST | (10) For these rules, a business consumer statement is a statement made by a CDR business consumer that:
(a) is given in relation to a consent in one of the following categories:
(i) use consents relating to the goods or services requested by the CDR business consumer;
(ii) TA disclosure consents;
(iii) insight disclosure consents;
(iv) business consumer disclosure consents; and
(b) certifies that the consent is given for the purpose of enabling the accredited person to provide goods or services to the CDR business consumer in its capacity as a business (and not as an individual).
Note: Only an accredited person is able to deal with a CDR consumer in the CDR consumer’s capacity as a CDR business consumer, and is hence able to invite a CDR consumer to provide a business consumer statement. | CDR Rule 1.10A(10) | 1CO.04.03 | |
04 | CDR Rule | MUST | (1) When asking a CDR consumer to give a consent, an accredited person must:
(bb) where the accredited person proposes, or is offering, to deal with a person in their capacity as a CDR business consumer in relation to a consent of a kind mentioned in paragraph 1.10A(10)(a)―invite the CDR business consumer to provide the business consumer statement; | CDR Rule 4.11(1)(bb) | 1CO.04.04 | |
05 | CDR Rule | MUST | (12) An accredited person must not make:
(b) the giving of a business consumer statement;
a condition for supply of the goods or services requested by the CDR business consumer. | CDR Rule 1.10A(12)(b) | 1CO.04.05 | |
06 | CDR Rule | MUST | (13) To avoid doubt, paragraphs (12)(a) and (b) do not apply where the only good or service that is requested by the CDR business consumer is for CDR data to be collected from a data holder and provided to a specified person. | CDR Rule 1.10A(13) | 1CO.04.06 | |
07 | CDR Rule | MUST | (1) When asking a CDR consumer to give a consent, an accredited person must:
(a) allow the CDR consumer to choose the types of CDR data to which the consent will apply by enabling the CDR consumer to actively select or otherwise clearly indicate:
(i) in the case of a collection consent or a disclosure consent―the particular types of CDR data to which the consent will apply; | CDR Rule 4.11(1)(a)(i) | 1CO.04.07 | |
08 | CDR Rule | MUST | (1) When asking a CDR consumer to give a consent, an accredited person must:
(b) allow the CDR consumer to choose the period of the collection consent, use consent, or disclosure consent (as appropriate) by enabling the CDR consumer to actively select or otherwise clearly indicate whether the consent would apply:
(i) on a single occasion; or
(ii) over a specified period of time;
Note 2: For paragraph (b), the specified period may not be more than 12 months (or 7 years for certain consents by a CDR business consumer): see subrule 4.12(1). After the end of the period, redundant data would need to be dealt with in accordance with subsection 56EO(2) of the Act (privacy safeguard 12) and rules 7.12 and 7.13. | CDR Rule 4.11(1)(b) | 1CO.04.08 | |
09 | CDR Rule | MUST | (1) Subject to subrule (1A), an accredited person must not specify a period of time for the purposes of paragraph 4.11(1)(b) that is more than 12 months. | CDR Rule 4.12(1) | 1CO.04.09 | |
10 | CDR Rule | MUST | (1A) In the case of a consent given by a CDR business consumer that includes a business consumer statement, an accredited person must:
(a) not specify a period of time that is more than 7 years; and
(b) if specifying a period of time of more than 12 months, give the CDR business consumer the option of choosing a period for the consent of 12 months or less. | CDR Rule 4.12(1A) | 1CO.04.10 | |
11 | CDR Rule | MUST | (10) For these rules, a business consumer statement is a statement made by a CDR business consumer that:
(a) is given in relation to a consent in one of the following categories:
(i) use consents relating to the goods or services requested by the CDR business consumer; | CDR Rule 1.10A(10)(a)(i) | 1CO.04.11 | |
12 | CDR Rule | MUST | (1) An accredited person must give the CDR consumer a notice that complies with this rule (a CDR receipt) as soon as practicable after:
(a) the CDR consumer gives the accredited person a collection consent, a use consent or a disclosure consent; | CDR Rule 4.18(1)(a) | 1CO.04.12 | |
13 | CDR Rule | MUST | (2) A CDR receipt given for the purposes of paragraph (1)(a) must set out:
(a) the details that relate to the consent that are listed in paragraphs 1.14(3)(a) to (f); and
(b) in the case of a collection consent―the name of each CDR participant the CDR consumer has consented to the collection of CDR data from; and
(c) any other information the accredited person provided to the CDR consumer when obtaining the consent (see rule 4.11). | CDR Rule 4.18(2)(a), (b), (c) | 1CO.04.13 | |
14 | CDR Rule | MUST | (4) A CDR receipt must be given in writing otherwise than through the CDR consumer’s consumer dashboard. | CDR Rule 4.18(4) | 1CO.04.14 | |
15 | CX Standard | MUST | Data recipients MUST use plain and concise language when inviting a consumer to give a business consumer statement. | 1CO.04.15 | ||
16 | CX Standard | MUST | When seeking a business consumer statement, data recipients MUST invite the business consumer to give the business consumer statement in a manner that is explicit, express, and through an active selection or declaration.
The giving of a business consumer statement MUST be clearly separated from any other interaction or information provided to the consumer and MUST NOT be implied or bundled with any other permission. | 1CO.04.16 | ||
17 | CX Standard | MUST | Data Recipients and Data Holders MUST use data language standards to describe data clusters and permissions in consumer-facing interactions. See the Banking Language section for language to be used when requesting banking data; and the Energy Language section for language to be used when requesting energy data.
Data language standards MUST be used when CDR data is being requested, reviewed, or access to such data is withdrawn.
Data Recipients and Data Holders MUST use the appropriate data standards language for business consumers as denoted with an '*' for the relevant data.
Data Recipients and Data Holders SHOULD expand on the proposed language where appropriate to communicate further details of what is being shared.
Additional details MAY include additional information in context, such as in-line help or tool tips, and/or additional permissions where they may exist.
Examples of permission details that MAY be used and provided as in-line help are denoted with an '†' for the relevant data. | 1CO.04.17 | ||
18 | CX Standard | MUST | If a scenario requires it, Data Holders and Data Recipients MUST merge and amend Basic and Detailed data cluster and permission language to show that Detailed scopes include Basic data.
Data Holders and Data Recipients MUST use the alternative language denoted with an '‡' for the relevant scope(s). See the Banking Language section for banking data and the Energy Language section for energy data.
Example: A Data Recipient presents the Detailed data cluster in a data request to a consumer, but does not present the Basic data cluster. The Detailed scope includes Basic data, but this is not apparent to the consumer based on the data cluster language and permissions used for the Detailed scope. | 1CO.04.18 | ||
19 | CX Guideline | MAY | Data recipients should only request a business consumer statement if they have verified the consumer is a business consumer — per CDR Rule 1.10(9) — and reasonably expect them to be intending to use the service for business purposes.
Appropriate pre-consent and onboarding experiences can assist with funnelling consumers towards the most appropriate consent flow for their needs.
This can reduce cognitive load for non-business consumers, and prevent consumers from inadvertently providing a business consumer statement. | CDR Rule 1.10(9) | 1CO.04.19 | |
20 | CX Guideline | MAY | In line with CDR Rule 1.10A(9), when verifying the consumer is not an individual or has an active ABN, data recipients should be satisfied that the evidence given — such as the ABN — is current and relates to the consumer. | CDR Rule 1.10(9) | 1CO.04.20 | |
21 | CX Guideline | MAY | In accordance with CDR Rule 4.11(1)(bb), data recipients must invite a business consumer to give a business consumer statement in the consent flow.
This invitation should be presented upfront. Doing so can help data recipients determine the appropriate consent duration and customer data language standards to surface, and whether a business consumer disclosure consent can be requested. | CDR Rule 4.11(1)(bb) | 1CO.04.21 | |
22 | CX Guideline | MAY | In accordance with CDR Rule 1.10A(10), a business consumer statement cannot be made in relation to a collection consent. As such, CDR Rule 4.12(1) stipulates that the maximum duration for collection consent is 12 months. | CDR Rule 1.10A(10), CDR Rule 4.12(1) | 1CO.04.22 | |
23 | CX Guideline | MAY | Data recipients should only present business consumers with a pre-selected duration of more than 12 months where the service reasonably requires this and in compliance with the data minimisation principle, CDR Rule 1.8. | CDR Rule 1.8 | 1CO.04.23 | |
24 | CX Guideline | MAY | Data recipients should present consumers with a limited selection of duration options to reduce cognitive load. The options presented should represent the most common and/or most appropriate durations for the service being offered. For the purpose of CDR Rule 4.12(1A)(b), duration options of 12 months or less must be offered. | CDR Rule 4.12(1A)(b), 10 Usability Heuristics for User Interface Design: Visibility of system status (Nielsen) | 1CO.04.24 |
Download open source asset
We're currently addressing an issue related to importing individually downloaded files into Figma. As an interim solution, we've compiled all 'Active' design assets into a single zip file.
- 1CO. Collection and use consents v1.30.0.2024.05.01
- 1CO1. AP disclosure consents v1.29.1.2024.03.06
- 1CO2. Amending consents v1.30.0.2024.05.01
- 1CO3. Trusted Adviser disclosure consent v1.29.1.2024.03.06
- 1CO4. Insights disclosure consent v1.29.1.2024.03.06
- 1CO5. Business consumer disclosure consents v1.30.0.2024.05.01
- 2AU. Redirect with One Time Password v1.29.0.2024.02.22
- 3AU. Authorisation to disclose v1.29.0.2024.02.22
- 3AU1. Amending authorisations v1.29.0.2024.02.22
- 3AU2. Authorisation to disclose joint account data v1.16.0.2022.03.17
- 4CM1. Disclosure consents v1.30.0.2024.05.01
- 4CM1. Collection and use consents v1.29.1.2024.03.06
- 4CM2. Withdrawal v1.29.1.2024.03.06
- 5CM1. Authorisations v1.29.1.2024.04.09
- 5CM2. Withdrawals v1.29.1.2024.04.09
- 5CM3. Joint account disclosure option management service v1.17.0.2022.06.08
- 5CM4. Secondary Users v1.17.0.2022.06.08
- 5CM5. Joint account notification settings v1.17.0.2022.06.08
Download design asset zip file
We appreciate your patience as we resolve this issue. If you have any questions, please reach out to cx@consumerdatastandards.gov.au.
Open source design assets are created in Figma for the purposes of assisting implementation. This Figma file contains annotated wireframes and working prototypes for the Collection and use consent, including:
- Collection and use consents - default example
- ADR uses outsourced service providers
- Sponsorship arrangements
- CDR representative arrangements
- Business consumer statement
Item | File | Date released | Version introduced |
---|---|---|---|
May 1, 2024 | 1.30.0 |
For past versions, refer to
Open source design assets are provided in the form of version-controlled Figma files. These assets contain the annotated wireframe and working prototype published on this page, and have been reviewed for accessibility compliance. Assets are partially conformant to Web Content Accessibility Guidelines (WCAG) 2.1 level AA. These assets do not address accessible code and instead focus on visual presentation and readability.
The assets use the GOLD Design System; component rationale, accessibility support, and code documentation are available on the GOLD Design System website.
For more details, see
References
These CX Guidelines were informed by consultations and research conducted in 2019 to 2022, including the following:
- Consultations
- DSB 2020, Decision Proposal 127 - CX Guidelines for Enhanced Error Handling and CX Workshop: Error handling
- DSB 2023, Decision Proposal 276 - July 2023 Rules | Standards Impacts
- DSB 2023, Decision Proposal 333 - Business Consumer Provisions
- CX research
- Tobias 2019, Phase 1 CX report
- GippsTech 2019, Phase 2, Stream 1 report
- Greater than X 2019, Phase 2, Stream 2 report
- Tobias 2019, Phase 2, Stream 3 report
- DSB 2020, Phase 3, Round 3 report
- DSB 2020, Phase 3, Round 4 and 5 report
- DSB 2021, Disclosure Consent Research Report (Q4 2021, R1-2)
- Other
- Nielsen Norman Group 2019, 10 Usability Heuristics for User Interface Design (Flexibility and efficiency of use)
- OAIC 2022, Consent (Data minimisation principle)
- OAIC 2022, Privacy Safeguard 12