Updated @March 6, 2024
These guidelines provide examples for how to implement the data recipient consumer dashboards related to collection and use consents and amended consents.
On this page
Overview
This page includes scenarios where a consumer could use their dashboard to manage their collection and use consents. The consumer dashboard allows a consumer to review and manage their consents. In consumer-facing designs, ‘consents’ are sometimes referred to as sharing arrangements.
For consumer dashboard guidance about data recipients disclosing data to specified persons, see
Wireframes and guidelines
Collection and use consents - default example
The following wireframes show a basic example of a data recipient dashboard, including options and pathways to amend consents. Variations can be found in the below sections.
Wireframe ref | Type | Requirement level | Statement | Reference | Checklist ref | Focus area |
---|---|---|---|---|---|---|
01 | CDR Rule | MUST | (1) Subject to subrule (5), an accredited person must provide each eligible CDR consumer on whose behalf the accredited person makes a consumer data request with an online service that:
(a) can be used by the CDR consumer to manage:
(i) such requests; and
(ii) associated consents; and
(b) contains the details of each consent specified in subrule (3) and the information specified in subrule (3A); | CDR Rule 1.14(1)(a)(b) | 4CM1.00.01 | |
02 | CDR Rule | MUST | (2) Such a service is the accredited person’s consumer dashboard for that consumer. | CDR Rule 1.14(2) | 4CM1.00.02 | |
03 | CDR Rule | MUST | (1) An accredited person must update a CDR consumer’s consumer dashboard as soon as practicable after the information required to be contained on the dashboard changes. | CDR Rule 4.19 | 4CM1.00.03 | |
04 | CDR Rule | MUST | (3) For paragraph (1)(b), the information is the following for each consent:
(g) if the consent is not current—when it expired; | CDR Rule 1.14(3)(g) | 4CM1.00.04 | |
05 | CDR Rule | MUST | (3) For paragraph (1)(b), the information is the following for each consent:
(b) for a use consent―details of the specific use or uses for which the CDR consumer has given their consent; | CDR Rule 1.14(3)(b) | OAIC Chapter C: Consent (Data minimisation principle) | 4CM1.00.05 | |
06 | CDR Rule | MUST | (3) For paragraph (1)(b), the information is the following for each consent:
(c) when the CDR consumer gave the consent; | CDR Rule 1.14(3)(c) | 4CM1.00.06 | |
07 | CDR Rule | MUST | 3) For paragraph (1)(b), the information is the following for each consent:
(f) if the consent is current—when it is scheduled to expire;
Note 1: For paragraph (f), consents expire at the latest 12 months (or 7 years for certain consents by a CDR business consumer) after they are given or, in some circumstances, amended: see paragraph 4.14(1)(c). | CDR Rule 1.14(3)(f) | 4CM1.00.07 | |
08 | CDR Rule | MAY | (5) A copy of the CDR receipt may be included in the CDR consumer’s consumer dashboard. | CDR Rule 4.18(5) | 4CM1.00.08 | |
09 | CDR Rule | MUST | (1) Subject to subrule (5), an accredited person must provide each eligible CDR consumer on whose behalf the accredited person makes a consumer data request with an online service that:
(c) has a functionality that:
(i) allows a CDR consumer, at any time, to:
(A) withdraw current consents; and
(ii) is simple and straightforward to use; and
(iii) is prominently displayed. | CDR Rule 1.14(1)(c)(i)(A),(ii),(iii) | 4CM1.00.09 | |
10 | CDR Rule | MAY | (2A) The consumer dashboard may also include a functionality that allows a CDR consumer to amend a current consent. | CDR Rule 1.14(2A) | 4CM1.00.10 | |
11 | CDR Rule | MUST | (3) For paragraph (1)(b), the information is the following for each consent:
(a) details of the CDR data to which the consent relates; | CDR Rule 1.14(3)(a) | 4CM1.00.11 | |
12 | CDR Rule | MUST | (3) For paragraph (1)(b), the information is the following for each consent:
(h) information relating to CDR data that was collected or disclosed pursuant to the consent (see rules 7.4 and 7.9); | CDR Rule 1.14(3)(h) | 4CM1.00.12 | |
13 | CDR Rule | MUST | (1) For section 56EH of the Act, and subject to subrule (2), an accredited data recipient that collected the CDR data in accordance with section 56EF of the Act as a result of a collection consent must update the person’s consumer dashboard as soon as practicable to indicate:
(a) what CDR data was collected; and
(b) when the CDR data was collected; and
(c) the CDR participant for the CDR data from which the CDR data was collected. | CDR Rule 7.4(1) | CDR Privacy Safeguard Guidelines: Privacy Safeguard 5 | 4CM1.00.13 | |
14 | CDR Rule | MUST | (3) For paragraph (1)(b), the information is the following for each consent:
(d) whether the consent applies:
(i) on a single occasion; or
(ii) over a period of time; | CDR Rule 1.14(3)(d) | 4CM1.00.14 | |
15 | CDR Rule | MUST | (3) For paragraph (1)(b), the information is the following for each consent:
(e) if a collection consent or disclosure consent applies over a period of time:
(i) what that period is; and
(ii) how often data has been, and is expected to be, collected or disclosed over that period; | CDR Rule 1.14(3)(e) | 4CM1.00.15 | |
16 | CDR Rule | MUST | (8) For paragraph 56ED(7)(b) of the Act, a CDR participant must make its CDR policy readily available through each online service by means of which the CDR participant ordinarily deals with CDR consumers.
(9) For subsection 56ED(8) of the Act, if a copy of a the CDR participant’s policy is requested by a CDR consumer, the participant must give the CDR consumer a copy:
(a) electronically; or
(b) in hard copy;
as directed by the consumer. | CDR Rule 7.2(8), (9) | 4CM1.00.16 | |
17 | CX Guideline | MAY | Data recipients and data holders should provide the consumer with a contextual 'walkthrough’ or ‘tutorial' to introduce them to the concept of the dashboard if they are not familiar with it. | 4CM1.00.17 | ||
18 | CX Guideline | MAY | Data recipients should prioritise information that is important to consumers. This may include using tabs (e.g. active, pending, archived), or presenting key details up front, such as when consent was granted. | 4CM1.00.18 | ||
19 | CX Guideline | MAY | Data recipients should allow consumers to search, sort, and filter their data sharing arrangements in a way that is aligned to the outcomes consumers are seeking.
For example, a consumer may want to sort by data recipient, data cluster, or by a user-defined tag. | 4CM1.00.19 | ||
20 | CX Guideline | MAY | Data recipients should organise consents by data holder brand names in a way that is consistent with how data holders are referenced in the provider/data holder selection step when consent is first being sought. | 4CM1.00.20 | ||
21 | CX Guideline | MAY | Data recipients should allow consumers to create user-defined tags, names, and/or descriptions (e.g. home deposit) for each data sharing arrangement. | 4CM1.00.21 | ||
22 | CX Guideline | MAY | Data recipients should include a link to the data holder's specific page on www.cdr.gov.au/find-a-provider for verification purposes. | 4CM1.00.22 | ||
23 | CX Guideline | MAY | Data recipients should organise consents by referring to the use case/purpose, the brand name, and software product name to aid consent and authorisation recognitions and management across dashboards. | 4CM1.00.23 | ||
24 | CX Guideline | MAY | Data recipients should show the status of the consent, which may refer to it being 'active', 'cancelled', 'expired', or relating to a 'once-off’ instance of sharing. | 4CM1.00.24 | ||
25 | CX Guideline | MAY | Data recipients should prioritise information that is important to consumers and structure the presentation in a way that reduces cognitive overload.
This may include progressive disclosure design patterns (e.g. accordion menus), UX writing (e.g. microcopy), and visual aids (e.g. to display time-based qualities of consent). | 4CM1.00.25 | ||
26 | CX Guideline | MAY | Data recipient dashboards should display which accounts they are collecting data from to facilitate consumer comprehension and consent management. | 4CM1.00.26 | ||
27 | CX Guideline | MAY | Data recipients should allow consumers to download and/or request a copy of their CDR Receipt(s). | 4CM1.00.27 | ||
28 | CX Guideline | MAY | Consumers may be allowing a data recipient to collect, use, and disclosure their data according to the varying types of consents. This means 'sharing' may not always be the most appropriate or flexible language to use.
Data recipients should tailor language to the consent type, but may consider using generic terms such as 'access' to apply to the range of consent types. CX research suggested this language was comprehensible.
If a generic term is used to apply to an array of consent types or actions, data recipients should provide additional explanations to clarify what the precise consent types or actions mean in the context of that term. | 4CM1.00.28 | ||
29 | CX Guideline | MAY | Data recipients may allow consumers to add or remove accounts from an existing consent.
This process may be initiated by the ADR, such as by inviting them to add new account types to an existing consent, or by allowing the consumer to trigger this process on their ADR consumer dashboard.
The account amendment process should trigger the consent flow and DH authentication/authorisation process to add or remove the account(s) from the associated authorisation.
Data recipients should supply the relevant cdr_arrangement_id to the DH when seeking to have a current authorisation amended. | 4CM1.00.29 | ||
30 | CX Guideline | MAY | Data recipients should explain how the time period complies with the data minimisation principle (DMP) for data that is yet to be generated (e.g. for an ongoing consent) as well as historical data (e.g. for a collection on a 'single occasion').
Example DMP statement for data that is yet to be generated:
We're accessing your data for 12 months so [we can update your financial position in real-time] to [deliver accurate and tailored personal financial management].
Example DMP statement for historical data:
We're accessing data that dates back to [earliest date of record] so [we can assess seasonal changes] to [provide an accurate energy comparison]. | 4CM1.00.30 | ||
31 | CX Guideline | MAY | Data recipients should present purpose in relation to each data cluster unless this statement applies equally to all datasets.
If the statement applies equally to all datasets, data recipients should present this to the consumer clearly in relation to all of the datasets.
This information should clearly communicate the purposes and benefits of data sharing to the consumer. | 4CM1.00.31 | ||
32 | CX Guideline | MAY | Privacy Safeguard 5
For ongoing data sharing: Data recipients may include the date range between which CDR data will be collected (dates of initial and final collection), as well as frequency of data collection.
For single or ‘once-off’ disclosure: Data recipients may include the date on which the CDR data was collected (date of initial collection).
Note: The example provided is context dependent. Please refer to Privacy Safeguard 5 for more guidance. | CDR Rule 7.4 | CDR Privacy Safeguard Guidelines: Privacy Safeguard 5 | 4CM1.00.32 | |
33 | CX Guideline | MAY | Data recipients should use the phrases ‘Granted’, 'Expire' and ‘Sharing period’ to refer to the time-based qualities of the data sharing arrangement. | 4CM1.00.33 | ||
34 | CDR Rule | MUST | (1) Subject to subrule (5), an accredited person must provide each eligible CDR consumer on whose behalf the accredited person makes a consumer data request with an online service that:
(c) has a functionality that:
(i) allows a CDR consumer, at any time, to:
(B) elect that redundant data be deleted in accordance with these rules and withdraw such an election; and
(ii) is simple and straightforward to use; and
(iii) is prominently displayed. | CDR Rule 1.14(1)(c)(i)(B),(ii),(iii) | 4CM1.00.34 | |
35 | CDR Rule | MUST | (3A) For paragraph (1)(b), the other information is:
(a) a statement that the CDR consumer is entitled to request further records in accordance with rule 9.5; and
(b) information about how to make such a request. | CDR Rule 1.14(3A) | 4CM1.00.35 | |
36 | CDR Rule | MUST | (2) A CDR consumer may request an accredited data recipient for copies of records relating to the information referred to in:
(a) paragraphs 9.3(2)(a), (b), (c), (d), (da), (e), (ea), (eb), (ec), (ed), (ee), (ef), (eg), (f) and (m); and
(b) paragraphs 9.3(2A)(d), (e), (f), (g), (ga), (h), (ha), (hb), (hc), (i) and (o);
that relates to the CDR consumer. | CDR Rule 9.5(2) | 4CM1.00.36 | |
37 | CX Guideline | MAY | Data recipients are encouraged to surface information on dispute resolution and making a complaint. This may include:
• a link to the complaints section of the ADR’s CDR policy; and/or
• a summary of the complaint handling process. | CX Research: 2020 Phase 3, Round 4 and 5 report | 4CM1.00.37 | |
38 | CX Guideline | MAY | Data recipients can refer to accounts using recognised nicknames, icons, account numbers, and account type. They can also include any known information on other elements the account may refer to such as any related plans, services, properties, numbers, and products. | 4CM1.00.38 | ||
39 | CX Guideline | MAY | Data recipients are encouraged to surface information about data deletion found in their CDR policy along with a link to read this policy. This may include:
• when and how redundant data is deleted;
• how a CDR consumer may elect for this to happen. | CDR Rule 7.2(4)(k) | 4CM1.00.39 | |
40 | CX Guideline | MAY | Data recipients should surface information about the data deletion process:
• when data will be deleted;
• why data may need to be retained (e.g. business or legal reasons);
• how the data will be deleted, this may include timeframes. | CDR Rule 7.2(4)(k) | CX Research: Phase 3, Round 3 report; 2021 Disclosure Consent report | 4CM1.00.40 | |
41 | CX Guideline | MAY | These wireframes demonstrate what a consumer might see where an ADR has a policy to delete redundant data by default. As per CDR Rule 1.14(1)(c)(i)(B), where an ADR will de-identify redundant data instead of deleting it, the ADR is required to provide the consumer with the ability to elect that redundant data be deleted instead. ADRs should consider providing this functionality in a way that is consistent with any other data handling information and functionality, and may surface the right to delete election in a location similar to the 'Data handling' component found on this screen. | 4CM1.00.41 | ||
42 | CX Guideline | MAY | CX research suggested that further information on data handling, including from government sources, can aid comprehension and confidence for Sceptics, Assurance Seekers and Sensemakers. Based on these insights, data recipients are encouraged to provide a link to OAIC’s guidance on Privacy Safeguard 12, which outlines information on data security and redundant data handling. | 4CM1.00.42 |
Note: Some interactions and screens have been omitted for simplicity.
CDR outsourcing, sponsorship, and CDR representative arrangements
The following wireframes show examples for how to implement CDR outsourcing arrangements, sponsorship arrangements, and CDR representative arrangements on the data recipient dashboard.
For more information, see OAIC’s guidance on privacy obligations for these arrangements.
ADR uses outsourced service providers
An accredited person may engage an outsourced service provider (OSP) to do one or both of the following: (1) to collect CDR data on their behalf; (2) provide goods or services to the accredited person using CDR data that the OSP collected on the accredited person’s behalf or that was disclosed to them by the accredited person.
To do so, an accredited person must have a written contract in place with the OSP which meets the requirements set out in the CDR Rules.
Wireframe ref | Type | Requirement level | Statement | Reference | Checklist ref | Focus area |
---|---|---|---|---|---|---|
06 | CX Guideline | MAY | Data recipients should outline what the outsourced service provider, sponsor or principal is doing in relation to the specific consent and data, for example: collection; use; transformation; storage; de-identification; etc. | CX Research: 2020 Phase 3, Round 4 and 5 report | 4CM1.03a.06 | |
07 | CX Guideline | MAY | Where outsourced service providers are used, CDR Rule 4.11(3)(f)(i) requires the accredited person to specify that fact in the consent flow but not on dashboards. These guidelines recommend that specific outsourced service providers and their roles be surfaced in dashboards as well as consent flows to support consistency and meet consumer expectations, as identified in consumer research. These details may reflected CDR policy on outsourced service providers. | CX Research: 2020 Phase 3, Round 4 and 5 report | 4CM1.03a.07 | |
09 | CX Guideline | MAY | These designs demonstrate a consolidated pattern that CDR participants may choose to implement for various sharing models, including where an accredited data recipient uses an outsourced service provider; for an affiliate using a sponsor to collect data; and for a CDR representative requesting that a CDR principal collect data on their behalf. Using a consistent pattern will help provide familiar, trustworthy, and intuitive experiences while also providing flexible and reusable designs to support various implementation requirements. | 4CM1.03a.09 |
Sponsorship arrangement
The sponsored accreditation model allows a person accredited to the ‘sponsored’ level (an ‘affiliate’) to provide goods or services directly to a consumer. To do so, they must have a written contract with an unrestricted accredited person (a ‘sponsor’) who collect CDR data from data holders on their behalf.
Wireframe ref | Type | Requirement level | Statement | Reference | Checklist ref | Focus area |
---|---|---|---|---|---|---|
01 | CDR Rule | MUST | (3) For paragraph (1)(b), the information is the following for each consent:
(ha) if the accredited person is an affiliate and the CDR data will be collected by a sponsor at its request:
(i) the sponsor’s name; and
(ii) the sponsor’s accreditation number; | CDR Rule 1.14(3)(ha) | 4CM1.03b.01 | |
02 | CDR Rule | MUST | (2) Where the CDR data was collected by a sponsor on behalf of an affiliate:
a) the sponsor is not required to provide the consumer dashboard;
Note: The affiliate, as an accredited person that makes the consumer request through the sponsor, is required to provide the consumer dashboard under subrule 1.14(1). | CDR Rule 7.4(2)(a) | 4CM1.03b.02 | |
03 | CDR Rule | MUST | (2) Where the CDR data was collected by a sponsor on behalf of an affiliate:
(c) the dashboard must also indicate that the CDR data was collected by the sponsor on behalf of the affiliate. | CDR Rule 7.4(2)(c) | 4CM1.03b.03 | |
05 | CX Guideline | MAY | For a generic example demonstrating how CDR Rule 7.4, privacy safeguard 5 may be implemented, see annotations 12, 13, and 32 in the default ADR dashboard example. | 4CM1.03b.05 | ||
06 | CX Guideline | MAY | Data recipients should outline what the outsourced service provider, sponsor or principal is doing in relation to the specific consent and data, for example: collection; use; transformation; storage; de-identification; etc. | CX Research: 2020 Phase 3, Round 4 and 5 report | 4CM1.03b.06 | |
08 | CX Guideline | MAY | Various rules require specific entities to provide certain items, such as dashboards and notifications, and may also require the sponsor or principal to be referenced. These guidelines demonstrate how this information may generally be displayed so that, where appropriate, the consumer is primarily engaging with the known entity that they have a relationship with, and the sponsor or principal is only noted as a background detail. | 4CM1.03b.08 | ||
09 | CX Guideline | MAY | These designs demonstrate a consolidated pattern that CDR participants may choose to implement for various sharing models, including where an accredited data recipient uses an outsourced service provider; for an affiliate using a sponsor to collect data; and for a CDR representative requesting that a CDR principal collect data on their behalf. Using a consistent pattern will help provide familiar, trustworthy, and intuitive experiences while also providing flexible and reusable designs to support various implementation requirements. | 4CM1.03b.09 | ||
10 | CDR Rule | MUST | (2) Where the CDR data was collected by a sponsor on behalf of an affiliate
(b) the sponsor and the affiliate may choose which of them will be responsible for updating the consumer’s dashboard in accordance with subrule (1); | CDR Rule 7.4(2)(b) | 4CM1.03b.10 |
CDR representative arrangement
The CDR representative model enables unaccredited persons (a ‘CDR representative’) to provide goods and services to consumers using CDR data when they are in a CDR representative arrangement with an unrestricted accredited person (’a principal’) who is liable for them.
Wireframe ref | Type | Requirement level | Statement | Reference | Checklist ref | Focus area |
---|---|---|---|---|---|---|
04 | CDR Rule | MAY | (5) Where a CDR representative principal makes a consumer data request at the request of a CDR representative, it may arrange for the CDR representative to provide the consumer dashboard on its behalf. | CDR Rule 1.14(5) | 4CM1.03c.04 | |
06 | CX Guideline | MAY | Data recipients should outline what the outsourced service provider, sponsor or principal is doing in relation to the specific consent and data, for example: collection; use; transformation; storage; de-identification; etc. | CX Research: 2020 Phase 3, Round 4 and 5 report | 4CM1.03c.06 | |
08 | CX Guideline | MAY | Various rules require specific entities to provide certain items, such as dashboards and notifications, and may also require the sponsor or principal to be referenced. These guidelines demonstrate how this information may generally be displayed so that, where appropriate, the consumer is primarily engaging with the known entity that they have a relationship with, and the sponsor or principal is only noted as a background detail. | 4CM1.03c.08 | ||
09 | CX Guideline | MAY | These designs demonstrate a consolidated pattern that CDR participants may choose to implement for various sharing models, including where an accredited data recipient uses an outsourced service provider; for an affiliate using a sponsor to collect data; and for a CDR representative requesting that a CDR principal collect data on their behalf. Using a consistent pattern will help provide familiar, trustworthy, and intuitive experiences while also providing flexible and reusable designs to support various implementation requirements. | 4CM1.03c.09 | ||
11 | CDR Rule | MUST | (1) A CDR representative must inform the CDR representative principal as soon as practicable after the information required to be contained on the CDR representative principal’s consumer dashboard changes.
Note: The CDR representative principal may allow the CDR representative to provide the consumer dashboard on its behalf—see subrule 1.14(5).
(2) The CDR representative principal must, as soon as practicable, make those changes.
Note 1: This subrule is a civil penalty provision (see rule 9.8).
Note 2: The CDR representative principal could arrange for the CDR representative to update the consumer dashboard on the CDR representative principal’s behalf: see subrule 4.19(2). | CDR Rule 4.20T | 4CM1.03c.11 | |
12 | CDR Rule | MUST | (2) Where a CDR representative provides the consumer dashboard on behalf of a CDR representative principal (see subrule 1.14(5)), the CDR representative principal may arrange for the CDR representative to update the consumer dashboard on the CDR representative principal’s behalf. | CDR Rule 4.19(2) | 4CM1.03c.12 | |
13 | CX Guideline | MAY | CDR Representatives should refer to Division 4.3A of the CDR Rules for further information on their obligations when providing dashboards and consent management. | 4CM1.03c.13 |
Amended consents
The following wireframes show an example of the data recipient dashboard for an amended consent.
Wireframe ref | Type | Requirement level | Statement | Reference | Checklist ref | Focus area |
---|---|---|---|---|---|---|
01 | CDR Rule | MUST | (1) An accredited person must update a CDR consumer’s consumer dashboard as soon as practicable after the information required to be contained on the dashboard changes. | CDR Rule 4.19 | 4CM1.02.01 | |
02 | CDR Rule | MUST | (1) An accredited person must give the CDR consumer a notice that complies with this rule (a CDR receipt) as soon as practicable after:
(aa) the CDR consumer amends such a consent in accordance with this Division; | CDR Rule 4.18(1)(aa) | 4CM1.02.02 | |
03 | CDR Rule | MUST | (3) For paragraph (1)(b), the information is the following for each consent:
(i) details of each amendment (if any) that has been made to the consent. | CDR Rule 1.14(3)(i) | 4CM1.02.03 | |
04 | CDR Rule | MUST | An amendment of a consent takes effect when the CDR consumer amends the consent. | CDR Rule 4.12A | 4CM1.02.04 | |
05 | CX Guideline | MAY | Data recipients may provide customers with pathways to past CDR Receipts from the sharing arrangement. | 4CM1.02.05 | ||
06 | CX Guideline | MAY | Data recipients may allow consumers to access the associated amendment request that was sent to the consumer such as the invitation specified in CDR Rule 4.12B(1) and (2)(b). | 4CM1.02.06 | ||
07 | CX Guideline | MAY | Data recipients should allow consumers to access the details of past amendments from the current version of the consent.
The details of past amendments should be accessible on the dashboard as per CDR Rule 1.14(3)(i) as well as CDR receipts relating to past consent amendments.
Amendment details should refer to the specific attributes, including additional uses, that were amended, added, or removed, along with the date of the amendment. | 4CM1.02.07 |
Note: Some interactions and screens have been omitted for simplicity.
Download open source asset
Open sources design assets are created in Figma for the purposes of assisting implementation. This Figma file contains annotated wireframes and working prototypes for Consent Management - Collection and use consents, including:
- Collection and use consents - default example
- CDR outsourcing, sponsorship and CDR representative arrangements
- Amended consents
Item | File | Date released | Version introduced |
---|---|---|---|
March 6, 2024 | 1.29.1 |
For past versions, refer to
Open sources design assets are provided in the form of version-controlled Figma files. These assets contain the annotated wireframe and working prototype published on this page, and have been reviewed for accessibility compliance. Assets are partially conformant to Web Content Accessibility Guidelines (WCAG) 2.1 level AA. These assets do not tend to accessible code and instead focus on visual presentation and readability.
The assets use the GOLD Design System; component rationale, accessibility support, and code documentation is available in the GOLD Design System website.
For more details, see
References
These CX Guidelines were informed by consultations and research conducted in 2019 to 2022, including the following:
- Consultations
- DSB 2019, CX Workshop: Manage and withdraw
- CX research
- Tobias 2019, Phase 1 CX report
- GippsTech 2019, Phase 2, Stream 1 report
- Tobias 2019, Phase 2, Stream 3 report
- DSB 2020, Phase 3, Round 3 report
- DSB 2020, Phase 3, Round 4 and 5 report
- DSB 2021, Disclosure Consent Research Report (Q4 2021, R1-2)
- Other
- Nielsen Norman Group 2019, 10 Usability Heuristics for User Interface Design (Flexibility and efficiency of use)
- OAIC 2021, Privacy obligations
- OAIC 2022, Consent (Data minimisation principle)
- OAIC 2022, OAIC: Privacy Safeguard 5
- OAIC 2022, Privacy Safeguard 12
Quick links to CX Guidelines: