Wireframe ref | Type | Requirement level | Statement | Reference | Checklist ref | Focus area |
|---|---|---|---|---|---|---|
01 | CDR Rule | MUST | (1) Disclosure of joint account data may be authorised only as permitted by the disclosure option that applies to the joint account. This may be any of the following: (a) the pre-approval option, under which joint account data may be disclosed in response to a valid consumer data request on the authorisation of the requester without the approval of the relevant account holders | CDR Rule 4A.5(1)(a) | 3AU2.01.01 | |
02 | CDR Rule | MUST | (2) The data holder must provide for the pre-approval and non-disclosure options to be available for a joint account. | CDR Rule 4A.5(2) | 3AU2.01.02 | |
03 | CDR Rule | MUST | (4) For the purposes of rule 4A.12, where the pre-approval option applies to a joint account and the requester authorises the disclosure of joint account data in response to a valid consumer data request: (a) each relevant account holder is taken to have approved the disclosure; | CDR Rule 4A.5(4)(a) | 3AU2.01.03 | |
04 | CDR Rule | MUST | (5) Unless a sector Schedule provides otherwise, the pre-approval option applies to a joint account by default. | CDR Rule 4A.5(5) | 3AU2.01.04 | |
05 | CDR Rule | MUST | The disclosure option that applies to a joint account may be changed in accordance with rule 4A.7 or 4A.8. | CDR Rule 4A.5(6) | 3AU2.01.05 | |
06 | CDR Rule | MUST | (1) For each joint account to which this Part applies, the data holder must provide a service to each joint account holder that allows the joint account holder to: (a) change the disclosure option that applies to the account in accordance with rule 4A.7; and (b) propose a change in the disclosure option to the other joint account holders in accordance with rule 4A.8; | CDR Rule 4A.6(1)(a), (b) | 3AU2.01.06 | |
07 | CDR Rule | MUST | (1) For this rule, an approval notification is a notice given by the data holder: (a) to a relevant account holder, to inform them that the requester has given, amended or withdrawn an authorisation, or that the authorisation has expired; in accordance with the data standards. | CDR Rule 4A.14(1)(a) | 3AU2.01.07 | |
08 | CDR Rule | MUST | (2) The data holder must make the appropriate approval notification to a joint account holder in relation to an event mentioned in subrule (1): (a) as soon as practicable after the event occurs, unless the joint account holder has selected an alternative schedule of notifications; and (b) through its ordinary means of contacting the joint account holders. | CDR Rule 4A.14(2) | 3AU2.01.08 | |
09 | CDR Rule | MUST | ordinary means of contacting an account holder by a data holder means: (a) if the data holder has agreed with the account holder on a particular means of contacting the account holder for the purposes of the relevant provision—that means; and (b) otherwise—the default means by which the data holder contacts the account holder in relation to the account. | CDR Rule 1.7(1) | 3AU2.01.09 | |
10 | CX Standard | MUST | Data holders MUST alert a joint account holder where an action they are about to perform may result in the other joint account holder(s) being notified. This standard applies to the authorisation flow, consumer dashboards, and the disclosure option management service where notifications to the other joint account holder(s) may be triggered. The precise wording of this notification is at the discretion of the data holder. | 3AU2.01.10 | ||
11 | CX Standard | MAY | For the content of the approval notification, data holders MAY provide the consumer with instructions for how any relevant authorisation(s) or approval(s) can be reviewed. | 3AU2.01.11 | ||
12 | CX Standard | MAY | Data holders MAY provide a mechanism or entry point for a notification schedule to be amended from or in relation to the notification itself. This MAY, for example, allow a consumer to stop receiving the type of notification(s) from the notification itself. The notification MAY also, for example, include a link to amend the notification schedule or instructions to direct the consumer to the appropriate place. | 3AU2.01.12 | ||
13 | CX Standard | MAY | In relation to the joint account alert standards in this section, data holders MAY provide further information about any services or processes in place for supporting vulnerable consumers or reporting risks of physical, psychological, or financial harm or abuse to the data holder. | 3AU2.01.13 | ||
14 | CX Guideline | MAY | Community consultation suggested that identifying the specific account holder may raise privacy concerns in some instances. Data holders may identify the specific account holder in relation to the relevant rules requirement, but may also deem it necessary to omit these details in certain scenarios in accordance with CDR Rule 4A.15. | CDR Rule 4A.15 | 3AU2.01.14 | |
15 | CX Guideline | MAY | Data holders should refer to disclosure options using plain language. A description of the disclosure option should be provided where possible. These artefacts use 'single consent' to represent pre-approval disclosure option, 'joint consent' to represent co-approval disclosure option, and 'stop all sharing from this account' or 'data sharing disabled' to represent a non-disclosure option. | 3AU2.01.15 | ||
16 | CX Guideline | MAY | Data holders should provide instructions for how a disclosure option can be changed. | 3AU2.01.16 | ||
17 | CX Guideline | MAY | Email is shown as an example notification only. Data holders must use ordinary means of contacting the relevant account holder(s) as outlined in CDR Rules 4A.14(2)and 1.7(1). A data holder may agree with the account holder on a “particular means of contacting the account holder for the purposes of the relevant provision”. Data holders are required to provide an online disclosure option management service, and may negotiate to provide joint account notifications online in line with this provision even where the consumer otherwise receives notifications via non-digital channels. | CDR Rule 4A.11(a) and 1.7(1) | 3AU2.01.17 | |
18 | CX Guideline | MAY | Data holders should include information about data sharing with the CDR. | 3AU2.01.18 | ||
19 | CX Guideline | MAY | Data holders should provide information about the ADR to relevant account holders. This should include the ADR's name, accreditation number and a link to the their specific page on www.cdr.gov.au/find-a-provider for accreditation verification purposes. | CX Research: 2019 Phase 2, Stream 1; 2020 Phase 3, Round 3 | 3AU2.01.19 | |
20 | CX Guideline | MAY | Where an alternative notification schedule is provided as per CDR Rule 4A.14(3), this notification may be omitted at the consumer's request. | CDR Rule 4A.14(3) | 3AU2.01.20 | |
21 | CX Guideline | MAY | Data holders can refer to accounts using recognised nicknames, icons, account numbers, and account type. They can also include information on other elements the account may refer to such as any related plans, services, properties, numbers, and products. | 3AU2.01.21 |