Collection and use consents

These guidelines provide examples for how to implement collection and use consents for common scenarios.

‣

On this page

Overview

In accordance with Rule 4.11(1)(Note 1), an accredited person cannot infer consent, or seek to rely on an implied consent. Consent must be voluntary, express, informed, specific as to purpose, time limited, and easily withdrawn.

When asking a CDR consumer to give consent, a data recipient must:

accord with the data standards;
have regard to any consumer experience guidelines developed by the Data Standards Body
be as easy to understand as practicable, including by use of concise language and, where appropriate, visual aids;

Data recipients should make the consent process as easy to understand as possible by using appropriate interventions to mitigate cognitive overload, facilitate comprehension, and provide transparency and consumer control.

This section provides examples illustrating how the guidelines may be implemented.

Consent is the first stage of The Consent Model.

These types of consents contain several steps, which may include:

Provider selection At this step, the consumer selects who they want to share data from, such as their data holder.
Terms of consent At this step, the consumer is asked for their consent and can do so by choosing the types of CDR data they will allow the ADR to access, the access period, and the specific uses of their data.

A high level example of the provider selection and terms of consent steps

Wireframes and guidelines

Note: The wireframes shown are examples of how to implement key rules, standards, and guidelines. Use the on-screen functions to adjust zoom level or expand the wireframes to be viewed at full screen.

Collection and use consents - default example

The following wireframes show a basic example of a collection and use consent.

‣

See key requirements and guidelines

‣

See prototype

CDR outsourcing, sponsorship and CDR representative arrangements

Using outsourced service providers

An accredited person or CDR representative may engage outsourced service providers (OSPs) to do one or both of the following: (1) to collect CDR data on their behalf; (2) to use or disclose data to provide specified goods or services to them.

To do so, a written contract, called a CDR outsourcing arrangement, must be in place with the OSP which meets the requirements set out in the CDR Rules. A data recipient may have both direct and indirect OSPs. This can occur where a direct OSP of the data recipient engages further OSPs in their own CDR outsourcing arrangements.

For more information on CDR outsourcing arrangements, see OAIC’s guidance on privacy obligations for principals and outsourced service providers.

‣

See wireframes, key requirements and guidelines

Sponsorship arrangement

The sponsored accreditation model allows a person accredited to the ‘sponsored’ level (an ‘affiliate’) to provide goods or services directly to a consumer. To do so, they must have a written contract with an unrestricted accredited person (a ‘sponsor’) who collect CDR data from data holders on their behalf.

For more information on the sponsored accreditation model, see OAIC’s guidance on privacy obligations of sponsors and affiliates.

‣

See wireframes, key requirements and guidelines

CDR representative arrangement

Under CDR Rules 1.10AA, the CDR representative model enables unaccredited persons (a ‘CDR representative’) to provide goods and services to consumers using CDR data, when they are in a CDR representative arrangement with an unrestricted accredited person (’a CDR representative principal’) who is liable for them.

In accordance with CDR Rule 1.10AA(1)(a), CDR representatives cannot deal with consumers in their capacity as a CDR business consumer, and as such can’t invite consumers to give a business consumer statement.

For more information on the CDR representative model, see OAIC’s guidance on privacy obligations for CDR principals and CDR representatives.

‣

See wireframes, key requirements and guidelines

Business consumer statement

An accredited person can treat a consumer as a business consumer if they take reasonable steps to confirm that the consumer is a business, using the criteria specified in CDR Rule 1.10A(9).

CDR Rule 1.10A(10) outlines the circumstances in which a business consumer can be asked to provide a business consumer statement. Importantly, a business consumer statement can’t be given in relation to a Collection consent. Additionally, CDR Representatives cannot deal with consumers in their capacity as a CDR business consumer, as per CDR Rule 1.10AA(1)(a).

The following wireframes provide an example of how an accredited person can invite a business consumer to give a business consumer statement in relation to a Use consent.

‣

See wireframes, key requirements and guidelines

Download open source asset

Open sources design assets are created in Figma for the purposes of assisting implementation. This Figma file contains annotated wireframes and working prototypes for the Collection and use consent, including:

Collection and use consents - default example
ADR uses outsourced service providers
Sponsorship arrangements
CDR representative arrangements
Business consumer statement

Download design asset

Item	File	Date released	Version introduced
1CO. Collection and use consents v1.30.0.2024.05.01	1CO. Collection and use consent v1.30.0.2024.05.01.fig	May 1, 2024	1.30.0

For past versions, refer to Change log.

‣

About open source assets

About this page

References

The artefacts on this page were informed by the following sources.

Title	Author	Year	URL	Type
Decision Proposal 127: CX Guidelines for Enhanced Error Handling	DSB	2020	github.com	Consultations
CX Workshop: Error handling	DSB	2020	miro.com	Consultations
Decision Proposal 276: July 2023 Rules \| Standards Impacts	DSB	2023	github.com	Consultations
Decision Proposal 333: Business Consumer Provisions	DSB	2023	github.com	Consultations
Phase 1 report	Tobias	2019	consumerdatastandards.gov.au	Research
Phase 2, Stream 1 report	GippsTech	2019	consumerdatastandards.gov.au	Research
Phase 2, Stream 2 report	Greater than X	2019	consumerdatastandards.gov.au	Research
Phase 2, Stream 3 report	Tobias	2020	consumerdatastandards.gov.au	Research
Phase 3, Round 3 report	DSB	2020	consumerdatastandards.gov.au	Research
Phase 3, Round 4 and 5 report	DSB	2020	consumerdatastandards.gov.au	Research
Disclosure consent report	DSB	2021	cx.cds.gov.au	Research
Consent (Data minimisation principle)	OAIC	2022	oaic.gov.au	Guidance
Privacy Safeguard 12	OAIC	2022	oaic.gov.au	Guidance
10 Usability Heuristics for User Interface Design (Flexibility and efficiency of use)	Nielsen Norman Group	1994	nngroup.com	Other

Last updated

This page was updated @May 1, 2024

Have your say

Community consultations and maintenance are part of our ongoing process. Here’s how you can get involved:

Request new Guidelines or changes to existing Guidelines through the Guidelines Consultation process
Request new Standards or changes to existing Standards through the Standards Maintenance process
Log a ticket for any questions about the rules, standards, or guidelines through the CDR Support Portal
Email your feedback to cx@consumerdatastandards.gov.au

Quick links to CX Guidelines:

Accessibility statement

→ cx@consumerdatastandards.gov.au → cx.cds.gov.au | cds.gov.au

The Consumer Data Standards Program is part of Treasury. Copyright © Commonwealth of Australia 2023. The information provided on this website is licensed for re-distribution and re-use in accordance with Creative Commons Attribution 4.0 International (CC-BY 4.0) Licence.