Updated May 1, 2024
These guidelines provide examples for how to implement collection and use consents for common scenarios.
Overview
In accordance with Rule 4.11(1)(Note 1), an accredited person cannot infer consent, or seek to rely on an implied consent. Consent must be voluntary, express, informed, specific as to purpose, time limited, and easily withdrawn.
When asking a CDR consumer to give consent, a data recipient must:
- accord with the data standards;
- have regard to any consumer experience guidelines developed by the Data Standards Body; and
- be as easy to understand as practicable, including by use of concise language and, where appropriate, visual aids.
Data recipients should make the consent process as easy to understand as possible by using appropriate interventions to mitigate cognitive overload, facilitate comprehension, and provide transparency and consumer control.
This section provides examples illustrating how the guidelines may be implemented.
These types of consents contain several steps, which may include:
- Provider selection: At this step, the consumer selects who they want to share data from, such as their data holder.
- Terms of consent: At this step, the consumer is asked for their consent and can give it by choosing the types of CDR data they will allow the ADR to access, the access period, and the specific uses of their data.
Wireframes and guidelines
Collection and use consents - default example
The following wireframes show a basic example of a collection and use consent.
CDR outsourcing, sponsorship and CDR representative arrangements
Using outsourced service providers
An accredited person or CDR representative may engage outsourced service providers (OSPs) to do one or both of the following: (1) to collect CDR data on their behalf; (2) to use or disclose data to provide specified goods or services to them.
To do so, a written contract, called a CDR outsourcing arrangement, must be in place with the OSP which meets the requirements set out in the CDR Rules. A data recipient may have both direct and indirect OSPs. This can occur where a direct OSP of the data recipient engages further OSPs in their own CDR outsourcing arrangements.
For more information on CDR outsourcing arrangements, see OAIC’s guidance on privacy obligations for principals and outsourced service providers.
Sponsorship arrangement
The sponsored accreditation model allows a person accredited to the ‘sponsored’ level (an ‘affiliate’) to provide goods or services directly to a consumer. To do so, they must have a written contract with an unrestricted accredited person (a ‘sponsor’) who collects CDR data from data holders on their behalf.
For more information on the sponsored accreditation model, see OAIC’s guidance on privacy obligations of sponsors and affiliates.
CDR representative arrangement
Under CDR Rule 1.10AA, the CDR representative model enables unaccredited persons (a ‘CDR representative’) to provide goods and services to consumers using CDR data, when they are in a CDR representative arrangement with an unrestricted accredited person (a ‘CDR representative principal’) who is liable for them.
In accordance with CDR Rule 1.10AA(1)(a), CDR representatives cannot deal with consumers in their capacity as a CDR business consumer, and as such can’t invite consumers to give a business consumer statement.
For more information on the CDR representative model, see OAIC’s guidance on privacy obligations for CDR principals and CDR representatives.
Business consumer statement
An accredited person can treat a consumer as a business consumer if they take reasonable steps to confirm that the consumer is a business, using the criteria specified in CDR Rule 1.10A(9).
CDR Rule 1.10A(10) outlines the circumstances in which a business consumer can be asked to provide a business consumer statement. Importantly, a business consumer statement can’t be given in relation to a Collection consent. Additionally, CDR Representatives cannot deal with consumers in their capacity as a CDR business consumer, as per CDR Rule 1.10AA(1)(a).
The following wireframes provide an example of how an accredited person can invite a business consumer to give a business consumer statement in relation to a Use consent.
Download open source asset
Open source design assets are created in Figma for the purpose of assisting implementation. This Figma file contains annotated wireframes and working prototypes for the Collection and use consent, including:
- Collection and use consents - default example
- ADR uses outsourced service providers
- Sponsorship arrangements
- CDR representative arrangements
- Business consumer statement
Item | File | Date released | Version introduced |
---|---|---|---|
 | | May 1, 2024 | 1.30.0 |
For past versions, refer to Change log.
References
These CX Guidelines were informed by consultations and research conducted in 2019 to 2022, including the following:
- Consultations
- DSB 2020, Decision Proposal 127 - CX Guidelines for Enhanced Error Handling and CX Workshop: Error handling
- DSB 2023, Decision Proposal 276 - July 2023 Rules | Standards Impacts
- DSB 2023, Decision Proposal 333 - Business Consumer Provisions
- CX research
- Tobias 2019, Phase 1 CX report
- GippsTech 2019, Phase 2, Stream 1 report
- Greater than X 2019, Phase 2, Stream 2 report
- Tobias 2019, Phase 2, Stream 3 report
- DSB 2020, Phase 3, Round 3 report
- DSB 2020, Phase 3, Round 4 and 5 report
- DSB 2021, Disclosure Consent Research Report (Q4 2021, R1-2)
- Other
- Nielsen Norman Group 2019, 10 Usability Heuristics for User Interface Design (Flexibility and efficiency of use)
- OAIC 2022, Consent (Data minimisation principle)
- OAIC 2022, Privacy Safeguard 12