(1) For each joint account to which this Part applies, the data holder must provide a service to each joint account holder that allows the joint account holder to: (a) change the disclosure option that applies to the account in accordance with rule 4A.7; (b) propose a change in the disclosure option to the other joint account holders in accordance with rule 4A.8; and (c) respond to a proposal by another joint account holder to change the disclosure option. —————— (2) Such a service is a disclosure option management service.
CDR Rule 4A.6(1), (2)
(3) The service must be provided online and, if there is a data holder’s consumer dashboard for a joint account holder, may be included in the dashboard. (4) The service may, but need not, also be provided other than online.
CDR Rule 4A.6(3), (4)
(5) The service must give effect to a change in the disclosure option as soon as practicable.
CDR Rule 4A.6(5)
(6) The service must not do any of the following in relation to the processes that it provides for changing or proposing to change the disclosure option that applies to the joint account, or responding to such a proposal (the processes): (a) add any requirements to the processes beyond those specified in the data standards and these rules; (b) offer additional or alternative services as part of the processes; (c) include or refer to other documents, or provide any other information, so as to reduce comprehensibility; (d) offer any pre-selected options.
CDR Rule 4A.6(6)
(7) The service must indicate to the joint account holder which disclosure option currently applies.
CDR Rule 4A.6(7)
(8) The service must be in accordance with the data standards.
CDR Rule 4A.6(8)
(1) Disclosure of joint account data may be authorised only as permitted by the disclosure option that applies to the joint account. This may be any of the following: (a) the pre-approval option, under which joint account data may be disclosed in response to a valid consumer data request on the authorisation of the requester without the approval of the relevant account holders; (c) the non-disclosure option, under which joint account data may not be disclosed even in response to a valid consumer data request. —————— (2) The data holder must provide for the pre-approval and non-disclosure options to be available for a joint account.
CDR Rule 4A.5(1)(a), (c) and (2)
(1) A joint account holder may at any time choose that the non-disclosure option will apply to the joint account, using the disclosure option management service.
CDR Rule 4A.7(1)
(3) If a joint account holder (account holder A) changes the disclosure option that applies to the account in accordance with this rule, the data holder must, as soon as practicable through its ordinary means of contacting the other joint account holders: (a) explain to each of them what the consumer data right is;
CDR Rule 4A.7(3)(a)
(3) If a joint account holder (account holder A) changes the disclosure option that applies to the account in accordance with this rule, the data holder must, as soon as practicable through its ordinary means of contacting the other joint account holders: (b) inform them which disclosure option previously applied to the account; and (c) inform them that account holder A has changed the disclosure option, and of the disclosure option that now applies;
CDR Rule 4A.7(3)(b), (c)
(3) If a joint account holder (account holder A) changes the disclosure option that applies to the account in accordance with this rule, the data holder must, as soon as practicable through its ordinary means of contacting the other joint account holders: (d) explain to them the mechanisms for changing the disclosure option again.
CDR Rule 4A.7(3)(d)
ordinary means of contacting an account holder by a data holder means: (a) if the data holder has agreed with the account holder on a particular means of contacting the account holder for the purposes of the relevant provision—that means; and (b) otherwise—the default means by which the data holder contacts the account holder in relation to the account.
CDR Rule 1.7(1)
Data holders MUST alert a joint account holder where an action they are about to perform may result in the other joint account holder(s) being notified. This standard applies to the authorisation flow, consumer dashboards, and the disclosure option management service where notifications to the other joint account holder(s) may be triggered. The precise wording of this notification is at the discretion of the data holder.
As part of the process of removing a joint account approval or changing to a more restrictive disclosure option, the data holder MUST advise the consumer: 1. that doing this may impact existing services, including arrangements initiated by the other account holder(s) 2. when removing an approval: a. that even though sharing for this service has now stopped, the other account holder(s) can still create new data sharing arrangements for the joint account b. how to change their disclosure option Note: The exact phrasing of the withdrawal message is at the discretion of the data holder. This standard does not affect data holders’ other notification obligations, including under rule 4A.7(3).
In relation to the joint account alert standards in this section, data holders MAY provide further information about any services or processes in place for supporting vulnerable consumers or reporting risks of physical, psychological, or financial harm or abuse to the data holder.
Data holders may consider providing a centralised location for managing various CDR account permissions, which could, for example, allow a consumer to access and manage their joint accounts, secondary user instructions, and any appropriate partnership and non-individual permissions. The disclosure option management service (DOMS) could be accessible from this location and in relation to the consumer dashboard.
Data holders should refer to disclosure options using plain language. A description of the disclosure option should be provided where possible. These artefacts use 'single consent' to represent pre-approval disclosure option, 'joint consent' to represent co-approval disclosure option, and 'stop all sharing from this account' or 'data sharing disabled' to represent a non-disclosure option.
Community consultation suggested that identifying the specific account holder may raise privacy concerns in some instances. Data holders may identify the specific account holder in relation to the relevant rules requirement, but may also deem it necessary to omit these details in certain scenarios in accordance with rule 4A.15.
Data holders may provide a mechanism for consumers to see a list of authorisations currently sharing data from that joint account.
Data holders may offer an alternative notification schedule to apply at the account level and the customer level.
To aid intuitive disclosure option management, data holders may choose to semantically distinguish pre-approval and co-approval changes from changing to a non-disclosure option.
Existing approvals for specific authorisations are not automatically removed when a non-disclosure option is applied, but the joint account data cannot be shared due to the application of the non-disclosure option. If a joint account is changed from a non-disclosure to enable sharing again, joint account data sharing will recommence for any active authorisations that are associated with that joint account.
Email is shown as an example notification only. Data holders must use ordinary means of contacting the relevant account holder(s) as outlined in rules 4A.7(3) and 1.7(1). A data holder may agree with the account holder on a “particular means of contacting the account holder for the purposes of the relevant provision”. Data holders are required to provide an online disclosure option management service, and may negotiate to provide joint account notifications online in line with this provision even where the consumer otherwise receives notifications via non-digital channels.
Data holders can refer to accounts using recognised nicknames, icons, account numbers, and account type. They can also include information on other elements the account may refer to such as any related plans, services, properties, numbers, and products.
The Consumer Data Standards Program is part of Treasury. Copyright © Commonwealth of Australia 2023. The information provided on this website is licensed for re-distribution and re-use in accordance with Creative Commons Attribution 4.0 International (CC-BY 4.0) Licence.