Wireframe ref | Type | Requirement level | Statement | Reference | Checklist ref | Focus area |
---|---|---|---|---|---|---|
01 | CDR Rule | MAY | (1) A CDR consumer who has given a consent to an accredited person for the purposes of this Division may withdraw the consent at any time: (a) by using the accredited person’s consumer dashboard; | CDR Rule 4.13(1)(a) | 4CM2.00.01 | |
02 | CDR Rule | MUST | (3) Withdrawal of a consent does not affect an election under rule 4.16 that the CDR consumer’s collected CDR data be deleted once it becomes redundant. | CDR Rule 4.13(3) | 4CM2.00.02 | |
04 | CDR Rule | MUST | (1) An accredited person must give the CDR consumer a notice that complies with this rule (a CDR receipt) as soon as practicable after: (b) the CDR consumer withdraws such a consent in accordance with rule 4.13 | CDR Rule 4.18(1)(b); CX Research 20 | 4CM2.00.04 | |
05 | CDR Rule | MUST | (2) A CDR receipt given for the purposes of paragraph (1)(a) must set out: (a) the details that relate to the consent that are listed in paragraphs 1.14(3)(a) to (f); and (b) in the case of a collection consent―the name of each CDR participant the CDR consumer has consented to the collection of CDR data from; and (ba) in the case of a disclosure consent―the name of the person the CDR consumer has consented to the disclosure of CDR data to; and (c) any other information the accredited person provided to the CDR consumer when obtaining the consent (see rule 4.11). | CDR Rule 4.18(2); CX Research 20 | 4CM2.00.05 | |
06 | CDR Rule | MUST | (3) A CDR receipt given for the purposes of paragraph (1)(b) must set out when the consent expired. | CDR Rule 4.18(3); CX Research 20 | 4CM2.00.06 | |
07 | CDR Rule | MUST | (4) A CDR receipt must be given in writing otherwise than through the CDR consumer’s consumer dashboard. | CDR Rule 4.18(4); CX Research 20 | 4CM2.00.07 | |
08 | CDR Rule | MUST | (1) A consent given under this Division expires at the earliest of the following: (a) if the consent is withdrawn in accordance with paragraph 4.13(1)(b)―the earlier of the following: (i) when the accredited person gave effect to the withdrawal; (ii) 2 business days after the accredited person received the communication; (b) if the consent is withdrawn in accordance with paragraph 4.13(1)(a)―when the consent was withdrawn; | CDR Rule 4.14(1)(a), (b) | 4CM2.00.08 | |
09 | CDR Rule | MUST | (1) An accredited person must update a CDR consumer’s consumer dashboard as soon as practicable after the information required to be contained on the dashboard changes. (2) Where a CDR representative provides the consumer dashboard on behalf of a CDR representative principal (see subrule 1.14(5)), the CDR representative principal may arrange for the CDR representative to update the consumer dashboard on the CDR representative principal’s behalf. | CDR Rule 4.19 | 4CM2.00.09 | |
10 | CDR Rule | MUST | (3) For paragraph (1)(b), the information is the following for each consent: (f) if the consent is current—when it is scheduled to expire; (g) if the consent is not current—when it expired; Note 1: For paragraph (f), consents expire at the latest 12 months (or 7 years for certain consents by a CDR business consumer) after they are given or, in some circumstances, amended: see paragraph 4.14(1)(c). | CDR Rule 1.14(3)(f), (g) | 4CM2.00.10 | |
11 | CX Guideline | MAY | Consumers may be allowing a data recipient to collect, use, and disclose their data according to the varying types of consents. This means 'sharing' may not always be the most appropriate or flexible language to use. Data recipients should tailor language to the consent type, but may consider using generic terms such as 'access' to apply to the range of consent types. CX research suggested this language was comprehensible. If a generic term is used to apply to an array of consent types or actions, data recipients should provide additional explanations to clarify what the precise consent types or actions mean in the context of that term. | | 4CM2.00.11 | |
12 | CX Guideline | MAY | Data recipients should include information on consequences of withdrawal during the consent withdrawal process. Refer to CDR Rule 7.2(4) and 4.11(3)(g)(iii). | | 4CM2.00.12 | |
13 | CX Guideline | MAY | Data recipients should introduce positive friction to the withdrawal flow to mitigate user error and unintended consequences. | CX Research 32; 10 Usability Heuristics for User Interface Design: Error prevention (Nielsen) | 4CM2.00.13 | |
14 | CX Guideline | MAY | Data recipients should provide a message to consumers that withdrawal was successful. This message should be clearly visible on the dashboard and shown as soon as withdrawal has taken place. | 10 Usability Heuristics for User Interface Design: Visibility of system status (Nielsen) | 4CM2.00.14 | |
15 | CX Guideline | MAY | When a consent is withdrawn, data recipients should notify the consumer: • Of the status of their consent, including the updated duration and withdrawal date; • That the data recipient is no longer collecting, using, and/or disclosing their data (depending on the type of consent withdrawn); • Of how their redundant data will be handled, and when this will come into effect if it will not be immediate (such as when the data will need to be held for legal reasons). | | 4CM2.00.15 | |
16 | CX Guideline | MAY | Data recipients can refer to accounts using recognised nicknames, icons, account numbers, and account type. They can also include any known information on other elements the account may refer to such as any related plans, services, properties, numbers, and products. | | 4CM2.00.16 | |
17 | CDR Rule | MUST | (2) An accredited data recipient must keep and maintain records that record and explain the following: (b) amendments to or withdrawals of consents by CDR consumers | CDR Rule 9.3(2)(b) | 4CM2.00.17 | |
18 | CX Guideline | MAY | Data recipients are expected to record how the withdrawal was requested by the consumer in relation to CDR Rule 9.3(2)(b), but the rules do not require the method of withdrawal to be shown on the dashboard. However, data recipients may wish to do this on the dashboard and/or in any CDR Receipt they choose to provide. | | 4CM2.00.18 | |
19 | CDR Rule | MUST | (1) This rule applies if: (a) an accredited person has made a consumer data request to a CDR participant, based on a collection consent given under this Division relating to particular CDR data and that CDR participant; and (b) the request has not been completely resolved; and (c) the consent expires for any reason. (2) The accredited person must notify: (a) if the CDR participant is a data holder―the data holder, in accordance with the data standards, that the consent has expired; and (b) if the CDR participant is an accredited data recipient―the accredited data recipient as soon as practicable that the consent has expired. | CDR Rule 4.18AA | 4CM2.00.19 |