Updated: April 9, 2024
These guidelines provide examples for how to implement the data holder authorisation withdrawal and approval removals process.
Overview
The withdrawal process is broken into the following steps:
- Identifying the authorisation or approval to be withdrawn
- Reviewing the implications and confirming withdrawal
- Receiving a final notification of success
The consumer must be able to review their data sharing arrangement from the consumer dashboard.
The consumer will be advised of potential consequences of withdrawal before they stop sharing.
The consumer may receive confirmation that they have successfully withdrawn their authorisation or approval, and be provided with an updated view of the sharing arrangement on their dashboard.
Wireframes and guidelines
Default example
The following wireframes show a basic example of the authorisation withdrawal process.
Wireframe ref | Type | Requirement level | Statement | Reference | Checklist ref | Focus area |
---|---|---|---|---|---|---|
01 | CDR Rule | MUST | A data holder must update a CDR consumer’s consumer dashboard as soon as practicable after the information required to be contained on the dashboard changes. | CDR Rule 4.27 | 5CM2.00.01 | |
02 | CX Standard | MUST | As part of the withdrawal process, the data holder MUST advise the consumer to review the consequences of withdrawal with the Data Recipient before they stop sharing their data.<br>The data holder MAY consider using or paraphrasing the following message(s):<br>• ‘You should check with [Data Recipient] before you stop sharing to understand the consequences.’<br>• ‘You should check with [Data Recipient] to see if your service will be impacted before you stop sharing.’ | | 5CM2.00.02 | |
03 | CX Standard | MUST | As part of the withdrawal process, the data holder MUST inform the consumer about the handling of redundant data and the right to delete.<br>The data holder MAY consider using or paraphrasing the following message(s):<br>• ‘CDR data is either deleted or de-identified when it is no longer required.’<br>• ‘[Data Recipient] will have specific policies on how to handle your data once it’s no longer required.’ | | 5CM2.00.03 | |
04 | CX Guideline | MAY | Data holders should use the phrase 'Stop sharing' or 'Stop data sharing' to refer to how a consumer can withdraw authorisation. | | 5CM2.00.04 | |
05 | CX Guideline | MAY | Data holders should introduce positive friction to the withdrawal flow to mitigate user error and unintended consequences.<br>Data holders may choose to do this via a 2-step authorisation withdrawal process. | | 5CM2.00.05 | |
06 | CX Guideline | MAY | Data holders should provide a message to consumers that withdrawal was successful. This message should be clearly visible on the dashboard and shown as soon as withdrawal has taken place. | | 5CM2.00.06 | |
07 | CX Guideline | MAY | Data holders should provide CDR Receipts reflecting the details of the authorisation shown on a consumer's dashboard.<br>CDR Receipts should be provided in writing, such as in an email, when:<br>1. Authorisations are successfully established<br>2. Authorisations are withdrawn<br>3. Authorisations expire<br>4. Authorisations are amended<br>CDR receipts should also outline details on complaint handling and resolution processes. Dashboards should provide a way for consumers to request a copy of their CDR receipts. | | 5CM2.00.07 | |
08 | CDR Rule | MUST | (1) If a data holder receives a consumer data request from an accredited person on behalf of a CDR consumer, the data holder must, in the circumstances specified in a sector Schedule, ensure that it provides the CDR consumer with an online service that:<br>(c) has a functionality that:<br>(v) as part of the withdrawal process, displays a message relating to the consequences of the withdrawal in accordance with the data standards; | CDR Rule 1.15(1)(c)(v) | 5CM2.00.08 | |
09 | CDR Rule | MUST | (1) A data holder must keep and maintain records that record and explain the following:<br>(b) amendments to or withdrawals of authorisations to disclose CDR data; | CDR Rule 9.3(1)(b) | 5CM2.00.09 | |
10 | CX Guideline | MAY | Data holders are expected to record how the withdrawal was requested by the consumer in relation to CDR Rule 9.3(1)(b), but the rules do not require the method of withdrawal to be shown on the dashboard.<br>However, data holders may wish to do this on the dashboard and/or in any CDR Receipt they choose to provide. | | 5CM2.00.10 | |
11 | CX Guideline | MAY | Data holders can refer to accounts using recognised nicknames, icons, account numbers, and account type.<br>They can also include information on other elements the account may refer to such as any related plans, services, properties, numbers, and products. | | 5CM2.00.11 | |
12 | CX Standard | MUST | Effective from July 1st 2024:<br>Data holders MUST advise consumers to check with the relevant data recipient for information about how their data may be handled.<br>The precise wording of this message is at the discretion of the data holder. The data holder MAY consider using or paraphrasing the following message:<br>• ‘You should check with [ADR brand/the data recipient] for more information on how they are handling your data, and for any other permissions you may have given them. See [ADR]’s CDR policy or their Dashboard for more information.’ | | 5CM2.00.12 | |
Note: Some interactions and screens have been omitted for simplicity.
Withdrawing approvals
The following wireframes show an example of how a relevant account holder (account holder B: AH-B) can cease joint account data sharing for a sharing arrangement set up by the requester (account holder A: AH-A).
For further guidance, see ACCC's Revised joint account implementation guidance.
Wireframe ref | Type | Requirement level | Statement | Reference | Checklist ref | Focus area |
---|---|---|---|---|---|---|
01 | CDR Rule | MUST | (1) Where:<br>(a) this Division applies in relation to a consumer data request; and<br>(b) either the co-approval option or the pre-approval option applies, or has applied, to the joint account;<br>the data holder must provide each relevant account holder with an online service that:<br>(c) contains the details referred to in paragraph 1.15(1)(b) that relate to the joint account data; | CDR Rule 4A.13(1)(a), (b), (c) | 5CM2.01.01 | |
02 | CDR Rule | MUST | (1) Where:<br>(a) this Division applies in relation to a consumer data request; and<br>(b) either the co-approval option or the pre-approval option applies, or has applied, to the joint account;<br>the data holder must provide each relevant account holder with an online service that:<br>(d) has a functionality that:<br>(i) can be used by the relevant account holder to manage approvals in relation to each authorisation to disclose joint account data made by a requester; | CDR Rule 4A.13(1)(a), (b), (d)(i) | 5CM2.01.02 | |
03 | CDR Rule | MUST | (1) Where:<br>(a) this Division applies in relation to a consumer data request; and<br>(b) either the co-approval option or the pre-approval option applies, or has applied, to the joint account;<br>the data holder must provide each relevant account holder with an online service that:<br>(d) has a functionality that:<br>(iii) is simple and straightforward to use; and<br>(iv) is prominently displayed;<br><br>(4) A data holder does not contravene subrule (1) in relation to subparagraphs (1)(d)(iii) and (iv) so long as it takes reasonable steps to ensure that the functionality complies with those subparagraphs. | CDR Rule 4A.13(1)(a), (b), (d)(iii) and (iv), 4A.13(4) | 5CM2.01.03 | |
04 | CDR Rule | MUST | (1) Where:<br>(a) this Division applies in relation to a consumer data request; and<br>(b) either the co-approval option or the pre-approval option applies, or has applied, to the joint account;<br>the data holder must provide each relevant account holder with an online service that:<br>(d) has a functionality that:<br>(ii) allows for withdrawal, at any time, of such an approval; | CDR Rule 4A.13(1)(a), (b), (d)(ii) | 5CM2.01.04 | |
05 | CDR Rule | MUST | (1) Where:<br>(a) this Division applies in relation to a consumer data request; and<br>(b) either the co-approval option or the pre-approval option applies, or has applied, to the joint account;<br>the data holder must provide each relevant account holder with an online service that:<br>(d) has a functionality that:<br>(v) as part of the withdrawal process, displays a message relating to the consequences of the withdrawal in accordance with the data standards. | CDR Rule 4A.13(1)(a), (b), (d)(v) | 5CM2.01.05 | |
06 | CDR Rule | MUST | (2) Where the data holder already provides a consumer dashboard for the relevant account holder under rule 1.15, the service under subrule (1) must be included in the consumer dashboard.<br>(3) Where the data holder does not already provide a consumer dashboard for that relevant account holder under rule 1.15, the service under subrule (1) is the data holder’s consumer dashboard for the relevant account holder. | CDR Rule 4A.13(2), (3) | 5CM2.01.06 | |
07 | CDR Rule | MUST | (5) For paragraph 1.15(1)(d), if a relevant account holder’s consumer dashboard contains details of approvals under this Division, the dashboards of the other joint account holders must contain those details. | CDR Rule 4A.13(5) | 5CM2.01.07 | |
08 | CDR Rule | MUST | (1) If a relevant account holder:<br>(a) approves of the disclosure of joint account data in accordance with this Division; or<br>(b) is taken to have approved of the disclosure under the pre-approval option;<br>the approval is taken to apply while the authorisation referred to in paragraph 4A.10(4)(b) is current, unless withdrawn sooner in accordance with this Division.<br>(2) Any relevant account holder may withdraw an approval given under this Division at any time, using their consumer dashboard. | CDR Rule 4A.12 | 5CM2.01.08 | |
09 | CDR Rule | MUST | (1) For this rule, an approval notification is a notice given by the data holder:<br>(b) to the requester, to inform them that:<br>(ii) a relevant account holder has withdrawn an approval previously given;<br>in accordance with the data standards. | CDR Rule 4A.14(1)(b)(ii) | 5CM2.01.09 | |
10 | CDR Rule | MUST | (2) The data holder must make the appropriate approval notification to a joint account holder in relation to an event mentioned in subrule (1):<br>(a) as soon as practicable after the event occurs, unless the joint account holder has selected an alternative schedule of notifications; and<br>(b) through its ordinary means of contacting the joint account holders. | CDR Rule 4A.14(2) | 5CM2.01.10 | |
11 | CDR Rule | MUST | ordinary means of contacting an account holder by a data holder means:<br>(a) if the data holder has agreed with the account holder on a particular means of contacting the account holder for the purposes of the relevant provision—that means; and<br>(b) otherwise—the default means by which the data holder contacts the account holder in relation to the account. | CDR Rule 1.7(1) | 5CM2.01.11 | |
12 | CDR Rule | MUST | A data holder must update a CDR consumer’s consumer dashboard as soon as practicable after the information required to be contained on the dashboard changes. | CDR Rule 4.27 | 5CM2.01.12 | |
13 | CX Standard | MUST | Data holders MUST alert a joint account holder where an action they are about to perform may result in the other joint account holder(s) being notified.<br>This standard applies to the authorisation flow, consumer dashboards, and the disclosure option management service where notifications to the other joint account holder(s) may be triggered.<br>The precise wording of this notification is at the discretion of the data holder. | | 5CM2.01.13 | |
14 | CX Standard | MUST | As part of the process of removing a joint account approval or changing to a more restrictive disclosure option, the data holder MUST advise the consumer:<br>1. that doing this may impact existing services, including arrangements initiated by the other account holder(s)<br>2. when removing an approval:<br>◦ that even though sharing for this service has now stopped, the other account holder(s) can still create new data sharing arrangements for the joint account<br>◦ how to change their disclosure option<br>Note: The exact phrasing of the withdrawal message is at the discretion of the data holder. This standard does not affect data holders’ other notification obligations, including under rule 4A.7(3). | | 5CM2.01.14 | |
15 | CX Standard | MAY | In relation to the joint account alert standards in this section, data holders MAY provide further information about any services or processes in place for supporting vulnerable consumers or reporting risks of physical, psychological, or financial harm or abuse to the data holder. | | 5CM2.01.15 | |
16 | CX Guideline | MAY | As per CDR Rule 4A.13(1)(d), data holders are required to allow account holders to remove one approval at a time.<br>In addition to this functionality, data holders may allow the relevant account holder(s) to remove approvals in bulk using the equivalent withdrawal mechanism the requester would use to withdraw an authorisation. This would allow the flow to be more intuitive and streamlined for the relevant account holder(s) when compared to Pathway 1. | | 5CM2.01.16 | |
17 | CX Guideline | MAY | In line with CDR Rule 4A.14(3) and the CX Notification Standards, data holders may offer an alternative notification schedule to apply at the account level and the customer level. Any account holder may control the frequency and channel of their joint account notifications. An example of this, on the CX Guidelines website, is Joint account notification settings. | | 5CM2.01.17 | |
18 | CX Guideline | MAY | Community consultation suggested that identifying the specific account holder may raise privacy concerns in some instances. Data holders may identify the specific account holder in relation to the relevant rules requirement, but may also deem it necessary to omit these details in certain scenarios in accordance with CDR Rule 4A.15. | | 5CM2.01.18 | |
19 | CX Guideline | MAY | Data holders should use plain language to describe the call to action for removing an approval. These artefacts use 'stop sharing from this account' and 'stop sharing' to represent this action. | | 5CM2.01.19 | |
20 | CX Guideline | MAY | A push notification is shown as an example notification only. Data holders must use ordinary means of contacting the relevant account holder(s) as outlined in CDR Rules 4A.14(2) and 1.7(1).<br>A data holder may agree with the account holder on a “particular means of contacting the account holder for the purposes of the relevant provision”.<br>Data holders are required to provide an online disclosure option management service, and may negotiate to provide joint account notifications online in line with this provision even where the consumer otherwise receives notifications via non-digital channels. | | 5CM2.01.20 | |
21 | CX Guideline | MAY | Where an alternative notification schedule is provided as per CDR Rule 4A.14(3), this notification may be omitted at the consumer's request. | | 5CM2.01.21 | |
22 | CX Guideline | MAY | Data holders can refer to accounts using recognised nicknames, icons, account numbers, and account type.<br>They can also include information on other elements the account may refer to such as any related plans, services, properties, numbers, and products. | | 5CM2.01.22 | |
23 | CX Guideline | MAY | In line with CDR Rule 4A.6, the data holder must provide joint account holders with a disclosure option management service (DOMS). Any joint account holder can manage account sharing permissions, such as stopping all sharing from an account, through DOMS. An example of this, on the CX Guidelines website, is Account permissions, Joint account disclosure option management service. | | 5CM2.01.23 | |
Note: Some interactions and screens have been omitted for simplicity.
Download open source assets
Open source design assets are created in Figma for the purpose of assisting implementation. This Figma file contains annotated wireframes and working prototypes for the authorisation and approval withdrawal process, including:
- Default example
- Withdrawing approvals
Item | File | Date released | Version introduced |
---|---|---|---|
 | | April 9, 2024 | 1.29.1 |
For past versions, refer to
Open source design assets are provided in the form of version-controlled Figma files. These assets contain the annotated wireframe and working prototype published on this page, and have been reviewed for accessibility compliance. Assets are partially conformant to Web Content Accessibility Guidelines (WCAG) 2.1 level AA. These assets do not address accessible code; they focus on visual presentation and readability.
The assets use the GOLD Design System; component rationale, accessibility support, and code documentation are available on the GOLD Design System website.
For more details, see
References
These CX Guidelines were informed by consultations and research conducted in 2019, including the following:
- Consultations
  - DSB 2019, CX Workshop: Manage and withdraw
- CX research
  - GippsTech 2019, Phase 2, Stream 1 report
  - Greater than X 2019, Phase 2, Stream 2 report
  - Tobias 2019, Phase 2, Stream 3 report
- Other
  - Nielsen Norman Group 2019, 10 Usability Heuristics for User Interface Design (Error prevention)
  - Nielsen Norman Group 2019, 10 Usability Heuristics for User Interface Design (Visibility of system status)