Updated March 6, 2024
This section provides examples of how to implement Trusted Adviser disclosure consents.
Overview
Trusted adviser disclosure consents allow consumers to consent to an accredited data recipient, or CDR representative who holds their CDR data as service data, disclosing their CDR data outside the CDR system to certain professionals. These are professions that are considered to be appropriately regulated to receive CDR data, particularly due to consumer protection mechanisms that form part of their regulatory framework. This model facilitates access to relevant data for those working within these professions while ensuring that disclosure of data can only occur with a consumer’s consent.
In accordance with CDR Rule 1.10C, the accredited data recipient or CDR representative:
- can invite a CDR consumer to nominate one or more trusted advisers.
- has taken reasonable steps to confirm that the trusted adviser is a member of one of the classes outlined in CDR Rule 1.10C(2).
- must not make a trusted adviser disclosure consent a condition for supply of the goods or services requested by the CDR consumer, except where the only good or service that is requested by the CDR consumer is for CDR data to be collected from a data holder and provided to a trusted adviser.
For further guidance, see OAIC's Trusted advisers in the Consumer Data Right system.
Wireframes and guidelines
Detached flow - default example
The following wireframes show a basic example of a Trusted Adviser disclosure consent requested by an accredited data recipient. In this example,
- the consumer has selected their preferred trusted adviser during pre-consent;
- the collection/use consent has already been separately established, allowing a disclosure consent to be requested in a separate consent flow.
Equivalent rules for CDR representatives can be found in the CDR rules Division 4.3A.
Wireframe ref | Type | Requirement level | Statement | Reference | Checklist ref | Focus area |
---|---|---|---|---|---|---|
01 | CDR Rule | MAY | (2A) If a CDR consumer has given a collection consent requested under subrule (2) in relation to CDR data, and whether or not the CDR data has yet been collected, the accredited person may also ask the consumer to give a disclosure consent in relation to the CDR data.
Note 1: In order to provide goods or services in accordance with the CDR consumer’s request, it might be necessary for the accredited person to request CDR data from more than 1 CDR participant.
Note 2: The CDR data may be collected and used only in accordance with the data minimisation principle: see rule 1.8. | CDR Rule 4.3(2A) | 1CO3.00.01 | |
02 | CDR Rule | MUST | (1) When asking a CDR consumer to give a consent, an accredited person must:
(ba) in the case of a disclosure consent―allow the CDR consumer to select the person to whom the CDR data may be disclosed; | CDR Rule 4.11(1)(ba) | 1CO3.00.02 | |
03 | CDR Rule | MAY | (1) An accredited person or CDR representative may invite a CDR consumer to nominate one or more persons as trusted advisers of the CDR consumer for the purposes of this rule. | CDR Rule 1.10C(1) | 1CO3.00.03 | |
04 | CDR Rule | MUST NOT | (4) The accredited person or CDR representative must not make:
(a) the nomination of a trusted adviser; or
(b) the nomination of a particular person as a trusted adviser; or
(c) the giving of a TA disclosure consent;
a condition for supply of the goods or services requested by the CDR consumer. | CDR Rule 1.10C(4) | 1CO3.00.04 | |
05 | CDR Rule | MUST | (1) When asking a CDR consumer to give a consent, an accredited person must:
(a) allow the CDR consumer to choose the types of CDR data to which the consent will apply by enabling the CDR consumer to actively select or otherwise clearly indicate:
(i) in the case of a collection consent or a disclosure consent―the particular types of CDR data to which the consent will apply; | CDR Rule 4.11(1)(a)(i) | 1CO3.00.05 | |
06 | CDR Rule | MUST | (1) An accredited person must give the CDR consumer a notice that complies with this rule (a CDR receipt) as soon as practicable after:
(a) the CDR consumer gives the accredited person a collection consent, a use consent or a disclosure consent; | CDR Rule 4.18(1)(a) | 1CO3.00.06 | |
07 | CDR Rule | MUST | (4) A CDR receipt must be given in writing otherwise than through the CDR consumer’s consumer dashboard. | CDR Rule 4.18(4) | 1CO3.00.07 | |
08 | CDR Rule | MUST | (2) A CDR receipt given for the purposes of paragraph (1)(a) must set out:
(a) the details that relate to the consent that are listed in paragraphs 1.14(3)(a) to (f); and
(ba) in the case of a disclosure consent―the name of the person the CDR consumer has consented to the disclosure of CDR data to; and
(c) any other information the accredited person provided to the CDR consumer when obtaining the consent (see rule 4.11). | CDR Rule 4.18(2)(a), (ba), (c) | 1CO3.00.08 | |
09 | CX Standard | MUST | Data Recipients and Data Holders MUST use data language standards to describe data clusters and permissions in consumer-facing interactions. See the Banking Language section for language to be used when requesting banking data; and the Energy Language section for language to be used when requesting energy data.
Data language standards MUST be used when CDR data is being requested, reviewed, or access to such data is withdrawn.
Data Recipients and Data Holders MUST use the appropriate data standards language for business consumers as denoted with an '*' for the relevant data.
Data Recipients and Data Holders SHOULD expand on the proposed language where appropriate to communicate further details of what is being shared.
Additional details MAY include additional information in context, such as in-line help or tool tips, and/or additional permissions where they may exist.
Examples of permission details that MAY be used and provided as in-line help are denoted with an '†' for the relevant data. | 1CO3.00.09 | ||
10 | CX Standard | MUST | If a scenario requires it, Data Holders and Data Recipients MUST merge and amend Basic and Detailed data cluster and permission language to show that Detailed scopes include Basic data.
Data Holders and Data Recipients MUST use the alternative language denoted with an '‡' for the relevant scope(s). See the Banking Language section for banking data and the Energy Language section for energy data.
Example: A Data Recipient presents the Detailed data cluster in a data request to a consumer, but does not present the Basic data cluster. The Detailed scope includes Basic data, but this is not apparent to the consumer based on the data cluster language and permissions used for the Detailed scope. | 1CO3.00.10 | ||
11 | CX Standard | MUST | If:
2. An accredited data recipient is seeking a disclosure consent from a consumer to disclose CDR data;
and the data subject to the disclosure or collection is not within the data language standards as it does not relate to a relevant data cluster, then that data MUST be described in language that is as easy to understand as practicable.
NB: This is a subset of the CX Standard referenced. | 1CO3.00.11 | ||
12 | CX Standard | MUST | In the course of seeking a consumer’s consent to disclose data as part of a disclosure consent:
1. Data Recipients MUST specify which CDR Participant(s) they collected the associated CDR data from
2. Data Recipients SHOULD specify the sector(s) the data was collected from or associated with
Note:
• Point (1) only requires the Data Recipient to refer to the CDR Participant(s) immediately preceding them in the disclosure chain, which may not always include a consumer’s Data Holder(s)
• This standard is proposed to apply to all data to be disclosed by a Data Recipient, including unmodified, aggregated, derived, and transformed CDR data
• Where applicable, the existing data language standards apply to descriptions of CDR data that have not been modified | 1CO3.00.12 | ||
13 | CX Standard | MUST | Data recipients MUST state that data disclosed to a non-accredited person will not be regulated as part of the Consumer Data Right.
This information SHOULD be immediately viewable by the consumer without further interaction.
Data recipients MAY include a plain and concise explanation of what this means, which MAY include information on the Consumer Data Right, and MAY include a link to the Office of the Australian Information Commissioner guidance on the Consumer Data Right. | 1CO3.00.13 | ||
14 | CX Standard | MUST | Data recipients MUST provide plain and concise information on dispute resolution and making a complaint. This SHOULD reflect the process and information contained in the data recipient’s CDR policy related to complaints. This MAY also include a link to the accredited data recipient’s CDR policy. | 1CO3.00.14 | ||
15 | CX Standard | MUST | Data recipients MUST advise the consumer to review how the non-accredited person will handle their data. | 1CO3.00.15 | ||
16 | CX Standard | MAY | If available, data recipients MAY include a link to any relevant data handling policies of the non-accredited person, such as their Privacy Policy. | 1CO3.00.16 | ||
17 | CX Standard | MUST | Data recipients MUST provide the information contained in the disclosure notification otherwise than in the consent flow. This SHOULD be contained in the consumer’s CDR Receipt. This SHOULD also be accessible in the consumer dashboard as part of the data sharing arrangement details.
Note 1: The information to be included is limited to the following standards: CDR Protections; Review; Data Handling; Complaints; and Insight Records. The scope of information to include will depend on the accredited person’s specific implementation.
Note 2: This standard does not alter any existing rules obligations for CDR receipts or dashboards. | 1CO3.00.17 | ||
18 | CX Guideline | MAY | CX research suggested that, where a consumer does not have an existing relationship with a non-accredited person or trusted adviser, additional information from an independent source can increase confidence levels and informed consent.
Data recipients may provide this information during the pre-consent phase, outside of the CDR system. | CX Research: Phase 3 Round 8 | 1CO3.00.18 | |
19 | CX Guideline | MAY | Data recipients may meet standards requirements in relation to non-accredited person data handling at appropriate points throughout the Consent Model, such as:
• during Pre-consent;
• during Consent, as required by the data standards in relation to data handling and disclosure notifications;
• within the CDR Receipt and/or Consumer Dashboards, as required by the disclosure notification standards. | 1CO3.00.19 | ||
20 | CX Guideline | MAY | Data recipients may meet standards requirements in relation to complaint handling at appropriate points throughout the Consent Model, such as:
• during Pre-consent;
• within the Consent Flow, prior to disclosure to the non-accredited person, as required by the data standards;
• within the CDR Receipt and/or Consumer Dashboards, as required by the disclosure notification standards. | Consent Standards, Disclosure Consent: Non-Accredited Person Disclosure Notification, Disclosure consent: Complaints | CX Research: 2020 Phase 3 Round 8; 2021 Disclosure Consent report | 1CO3.00.20 | |
22 | CX Guideline | MAY | When data is requested and accessed, language used to describe the data must be described in accordance with the relevant CX standards;
• ‘Data Language Standards: Language to be used’ and ‘Data Language Standards: Detailed scope requests’ applies when describing unmodified data from data holder(s).
• ‘Consent Standards, Disclosure consent: Collection source’ applies when data is from multiple parties or sources.
• ‘Consent Standards, Disclosure Consent: Descriptions of Data to be Collected and Disclosed’ applies when describing any dataset. | 1CO3.00.22 | ||
23 | CX Guideline | MAY | To describe data in easy to understand language, data recipients should have regard to the Accessibility Standards on reading experiences, with specific reference to WCAG 3.1.5, and draw from the Australian Government Style Manual on literacy and access.
Data recipients should seek to, for example, describe data concisely, in plain language, with an Australian year 7 or lower readability level, and in a way that limits the use of unusual words, phrases, idioms, and jargon. | 1CO3.00.23 | ||
24 | CX Guideline | MAY | The common disclosure consent data standards may also apply to trusted adviser disclosure consents.
For example, where a data recipient requests that transformed or modified data be disclosed to a trusted adviser.
For more information, see the CX guidelines about 'Disclosing modified data' (in 'Disclosure consents to accredited persons') | 1CO3.00.24 | ||
25 | CX Guideline | MAY | Where applicable, data recipients should surface external links to '.gov.au' websites to allow consumers to further read about the CDR, if desired. | CX Research: 2021 Disclosure Consent report | 1CO3.00.25 | |
26 | CX Guideline | MAY | Data recipients are encouraged to provide simple summaries, developed with the trusted adviser, explaining how the disclosed data will be handled. This summary may, for example, highlight differences between CDR and non-CDR protections | CX Research: 2021 Disclosure Consent report | 1CO3.00.26 | |
27 | CX Guideline | MAY | Data recipients are encouraged to provide links to the non-accredited person’s data handling information for the consumer to review.
CX research and consultation suggested that accurate information on data handling provided by the non-accredited person would increase trustworthiness and consumer comfort. | CX Research: 2021 Disclosure Consent report | 1CO3.00.27 | |
28 | CX Guideline | MAY | If the non-accredited person does not have a Privacy Policy, data recipients are encouraged to provide the consumer with other details;
• to contact the non-accredited person; or
• to review up-to-date information on the non-accredited person's data handling policies. | CX Research: 2021 Disclosure Consent report | 1CO3.00.28 | |
29 | CX Guideline | MAY | Data recipients should surface information about the data deletion process:
• when data will be deleted;
• why data may need to be retained (e.g. business or legal reasons);
• how the data will be deleted, this may include timeframes. | CDR Rule 7.2(4)(k) | CX Research: 2020 Phase 3, Round 3 report and 2021 Disclosure Consent report | 1CO3.00.29 | |
30 | CX Guideline | MAY | CX research suggested that further information on data handling, including from government sources, can aid comprehension and confidence for Sceptics, Assurance Seekers and Sensemakers. Based on these insights, data recipients are encouraged to provide a link to OAIC’s guidance on Privacy Safeguard 12, which outlines information on data security and redundant data handling. | 1CO3.00.30 | ||
31 | CX Guideline | MAY | As per CDR Rule 4.18, data recipients are required to provide CDR receipts.
Where separate consents are granted in a single flow, data recipients may provide a single CDR receipt that contains the details of each consent, or separate CDR receipts per consent.
The CX Guidelines demonstrate an intuitive grouping that presents collection and use consent details in one CDR receipt, and disclosure consent details in a separate CDR receipt. This allows the receipts to be grouped according to relevant CDR Participant pairings. | CDR Rule 4.18 | 1CO3.00.31 | |
32 | CDR Rule | MUST | (5) To avoid doubt, paragraphs (4)(a) and (c) do not apply where the only good or service that is requested by the CDR consumer is for CDR data to be collected from a data holder and provided to a trusted adviser. | CDR Rule 1.10C(5) | 1CO3.00.32 | |
33 | CX Guideline | MAY | CDR Representatives seeking a Trusted Adviser disclosure consent should refer to Division 4.3A of the CDR Rules. | 1CO3.00.33 |
Note: Some interactions and screens have been omitted for simplicity.
Consolidated flow
The following wireframes show a basic example of a Trusted Adviser disclosure consent requested by an accredited data recipient. In this example,
- the consumer has selected their preferred trusted adviser during pre-consent;
- the data recipient is then requesting a collection consent, a use consent, and a disclosure consent in a single consent flow.
Equivalent rules for CDR representatives can be found in the CDR rules Division 4.3A.
Wireframe ref | Type | Requirement level | Statement | Reference | Checklist ref | Focus area |
---|---|---|---|---|---|---|
01 | CDR Rule | MUST | (1) When asking a CDR consumer to give a consent, an accredited person must:
(ba) in the case of a disclosure consent―allow the CDR consumer to select the person to whom the CDR data may be disclosed; | CDR Rule 4.11(1)(ba) | 1CO3.01.01 | |
02 | CDR Rule | MUST NOT | (4) The accredited person or CDR representative must not make:
(a) the nomination of a trusted adviser; or
(b) the nomination of a particular person as a trusted adviser; or
(c) the giving of a TA disclosure consent;
a condition for supply of the goods or services requested by the CDR consumer. | CDR Rule 1.10C(4) | 1CO3.01.02 | |
03 | CDR Rule | MUST | (1) When asking a CDR consumer to give a consent, an accredited person must:
(a) allow the CDR consumer to choose the types of CDR data to which the consent will apply by enabling the CDR consumer to actively select or otherwise clearly indicate:
(i) in the case of a collection consent or a disclosure consent―the particular types of CDR data to which the consent will apply; | CDR Rule 4.11(1)(a)(i) | 1CO3.01.03 | |
04 | CDR Rule | MAY | (2A) If a CDR consumer has given a collection consent requested under subrule (2) in relation to CDR data, and whether or not the CDR data has yet been collected, the accredited person may also ask the consumer to give a disclosure consent in relation to the CDR data.
Note 1: In order to provide goods or services in accordance with the CDR consumer’s request, it might be necessary for the accredited person to request CDR data from more than 1 CDR participant.
Note 2: The CDR data may be collected and used only in accordance with the data minimisation principle: see rule 1.8. | CDR Rule 4.3(2A) | 1CO3.01.04 | |
05 | CDR Rule | MUST | (1) An accredited person must give the CDR consumer a notice that complies with this rule (a CDR receipt) as soon as practicable after:
(a) the CDR consumer gives the accredited person a collection consent, a use consent or a disclosure consent; | CDR Rule 4.18(1)(a) | 1CO3.01.05 | |
06 | CDR Rule | MUST | (4) A CDR receipt must be given in writing otherwise than through the CDR consumer’s consumer dashboard. | CDR Rule 4.18(4) | 1CO3.01.06 | |
07 | CDR Rule | MUST | (2) A CDR receipt given for the purposes of paragraph (1)(a) must set out:
(a) the details that relate to the consent that are listed in paragraphs 1.14(3)(a) to (f); and
(b) in the case of a collection consent―the name of each CDR participant the CDR consumer has consented to the collection of CDR data from; and
(ba) in the case of a disclosure consent―the name of the person the CDR consumer has consented to the disclosure of CDR data to; and
(c) any other information the accredited person provided to the CDR consumer when obtaining the consent (see rule 4.11). | CDR Rule 4.18(2) | 1CO3.01.07 | |
08 | CX Standard | MUST | Data Recipients and Data Holders MUST use data language standards to describe data clusters and permissions in consumer-facing interactions. See the Banking Language section for language to be used when requesting banking data; and the Energy Language section for language to be used when requesting energy data.
Data language standards MUST be used when CDR data is being requested, reviewed, or access to such data is withdrawn.
Data Recipients and Data Holders MUST use the appropriate data standards language for business consumers as denoted with an '*' for the relevant data.
Data Recipients and Data Holders SHOULD expand on the proposed language where appropriate to communicate further details of what is being shared.
Additional details MAY include additional information in context, such as in-line help or tool tips, and/or additional permissions where they may exist.
Examples of permission details that MAY be used and provided as in-line help are denoted with an '†' for the relevant data. | 1CO3.01.08 | ||
09 | CX Standard | MUST | If a scenario requires it, Data Holders and Data Recipients MUST merge and amend Basic and Detailed data cluster and permission language to show that Detailed scopes include Basic data.
Data Holders and Data Recipients MUST use the alternative language denoted with an '‡' for the relevant scope(s). See the Banking Language section for banking data and the Energy Language section for energy data.
Example: A Data Recipient presents the Detailed data cluster in a data request to a consumer, but does not present the Basic data cluster. The Detailed scope includes Basic data, but this is not apparent to the consumer based on the data cluster language and permissions used for the Detailed scope. | 1CO3.01.09 | ||
10 | CX Standard | MUST | Data recipients MUST state that data disclosed to a non-accredited person will not be regulated as part of the Consumer Data Right.
This information SHOULD be immediately viewable by the consumer without further interaction.
Data recipients MAY include a plain and concise explanation of what this means, which MAY include information on the Consumer Data Right, and MAY include a link to the Office of the Australian Information Commissioner guidance on the Consumer Data Right. | 1CO3.01.10 | ||
11 | CX Standard | MUST | Data recipients MUST provide plain and concise information on dispute resolution and making a complaint. This SHOULD reflect the process and information contained in the data recipient’s CDR policy related to complaints. This MAY also include a link to the accredited data recipient’s CDR policy. | 1CO3.01.11 | ||
12 | CX Standard | MUST | Data recipients MUST notify consumers of redirection prior to authentication. | 1CO3.01.12 | ||
13 | CX Standard | MAY | Data holders and data recipients MUST state in consumer-facing interactions and communications that services utilising the CDR do not need access to consumer passwords for the purposes of sharing data. The exact phrasing of this is at the discretion of the Data Holder and Data Recipient. | 1CO3.01.13 | ||
14 | CX Standard | MUST | Data holders and data recipients MUST clearly refer to a “One Time Password” in consumer-facing interactions and communications. The use of the term “One Time Password” MAY be presented alongside an existing term used by a data holder (e.g. Netcode, one time pin etc.). | 1CO3.01.14 | ||
15 | CX Standard | MUST | Data recipients MUST advise the consumer to review how the non-accredited person will handle their data. | 1CO3.01.15 | ||
16 | CX Standard | MAY | If available, data recipients MAY include a link to any relevant data handling policies of the non-accredited person, such as their Privacy Policy. | 1CO3.01.16 | ||
17 | CX Standard | MUST | Data recipients MUST provide the information contained in the disclosure notification otherwise than in the consent flow. This SHOULD be contained in the consumer’s CDR Receipt. This SHOULD also be accessible in the consumer dashboard as part of the data sharing arrangement details.
Note 1: The information to be included is limited to the following standards: CDR Protections; Review; Data Handling; Complaints; and Insight Records. The scope of information to include will depend on the accredited person’s specific implementation.
Note 2: This standard does not alter any existing rules obligations for CDR receipts or dashboards. | 1CO3.01.17 | ||
18 | CX Guideline | MAY | CX research suggested that, where a consumer does not have an existing relationship with a non-accredited person or trusted adviser, additional information from an independent source can increase confidence levels and informed consent.
Data recipients may provide this information during the pre-consent phase, outside of the CDR system. | CX Research: Phase 3 Round 8 | 1CO3.01.18 | |
19 | CX Guideline | MAY | Data recipients may meet standards requirements in relation to non-accredited person data handling at appropriate points throughout the Consent Model, such as:
• during Pre-consent;
• during Consent, as required by the data standards in relation to data handling and disclosure notifications;
• within the CDR Receipt and/or Consumer Dashboards, as required by the disclosure notification standards. | 1CO3.01.19 | ||
20 | CX Guideline | MAY | Data recipients may meet standards requirements in relation to complaint handling at appropriate points throughout the Consent Model, such as:
• during Pre-consent;
• within the Consent Flow, prior to disclosure to the non-accredited person, as required by the data standards;
• within the CDR Receipt and/or Consumer Dashboards, as required by the disclosure notification standards. | Consent Standards, Disclosure Consent: Non-Accredited Person Disclosure Notification, Disclosure consent: Complaints | CX Research: 2020 Phase 3 Round 8; 2021 Disclosure Consent report | 1CO3.01.20 | |
22 | CX Guideline | MAY | When data is requested and accessed, language used to describe the data must be described in accordance with the relevant CX standards;
• ‘Data Language Standards: Language to be used’ and ‘Data Language Standards: Detailed scope requests’ applies when describing unmodified data from data holder(s).
• ‘Consent Standards, Disclosure consent: Collection source’ applies when data is from multiple parties or sources.
• ‘Consent Standards, Disclosure Consent: Descriptions of Data to be Collected and Disclosed’ applies when describing any dataset. | 1CO3.01.22 | ||
23 | CX Guideline | MAY | Where applicable, data recipients should surface external links to '.gov.au' websites to allow consumers to further read about the CDR, if desired. | CX Research: 2021 Disclosure Consent report | 1CO3.01.23 | |
24 | CX Guideline | MAY | Data recipients are encouraged to provide simple summaries, developed with the trusted adviser, explaining how the disclosed data will be handled. This summary may, for example, highlight differences between CDR and non-CDR protections | CX Research: 2021 Disclosure Consent report | 1CO3.01.24 | |
25 | CX Guideline | MAY | If the non-accredited person does not have a Privacy Policy, data recipients are encouraged to provide the consumer with other details;
• to contact the non-accredited person; or
• to review up-to-date information on the non-accredited person's data handling policies. | CX Research: 2021 Disclosure Consent report | 1CO3.01.25 | |
26 | CX Guideline | MAY | Data recipients are encouraged to provide links to the non-accredited person’s data handling information for the consumer to review.
CX research and consultation suggested that accurate information on data handling provided by the non-accredited person would increase trustworthiness and consumer comfort. | CX Research: 2021 Disclosure Consent report | 1CO3.01.26 | |
27 | CX Guideline | MAY | Data recipients should surface information about the data deletion process:
• when data will be deleted;
• why data may need to be retained (e.g. business or legal reasons);
• how the data will be deleted, this may include timeframes. | CDR Rule 7.2(4)(k) | CX Research: 2020 Phase 3, Round 3 report; 2021 Disclosure Consent report | 1CO3.01.27 | |
28 | CX Guideline | MAY | CX research suggested that further information on data handling, including from government sources, can aid comprehension and confidence for Sceptics, Assurance Seekers and Sensemakers. Based on these insights, data recipients are encouraged to provide a link to OAIC’s guidance on Privacy Safeguard 12, which outlines information on data security and redundant data handling. | 1CO3.01.28 | ||
29 | CX Guideline | MAY | As per CDR Rule 4.18, data recipients are required to provide CDR receipts.
Where separate consents are granted in a single flow, data recipients may provide a single CDR receipt that contains the details of each consent, or separate CDR receipts per consent.
The CX Guidelines demonstrate an intuitive grouping that presents collection and use consent details in one CDR receipt, and disclosure consent details in a separate CDR receipt. This allows the receipts to be grouped according to relevant CDR Participant pairings. | CDR Rule 4.18 | 1CO3.01.29 | |
30 | CDR Rule | MUST | (5) To avoid doubt, paragraphs (4)(a) and (c) do not apply where the only good or service that is requested by the CDR consumer is for CDR data to be collected from a data holder and provided to a trusted adviser. | CDR Rule 1.10C(5) | 1CO3.01.30 | |
31 | CX Guideline | MAY | CDR Representatives seeking a Trusted Adviser disclosure consent should refer to Division 4.3A of the CDR Rules. | 1CO3.01.31 |
Note: Some interactions and screens have been omitted for simplicity.
Download open source asset
Open source design assets are created in Figma to assist implementation. This Figma file contains annotated wireframes and working prototypes for Trusted Adviser disclosure consent, including:
- Detached flow - default example
- Consolidated flow
Item | File | Date released | Version introduced |
---|---|---|---|
 | | March 6, 2024 | 1.29.1 |
For past versions, refer to
Open source design assets are provided in the form of version-controlled Figma files. These assets contain the annotated wireframe and working prototype published on this page, and have been reviewed for accessibility compliance. Assets are partially conformant to Web Content Accessibility Guidelines (WCAG) 2.1 level AA. These assets do not address accessible code and instead focus on visual presentation and readability.
The assets use the GOLD Design System; component rationale, accessibility support, and code documentation are available on the GOLD Design System website.
For more details, see
References
These CX Guidelines were informed by consultations and research conducted from 2019 to 2022, including the following:
- Consultations
- ACCC 2020, Draft v2 Rules consultation (see concept 5.1 TA disclosure)
- Treasury 2021, Draft v3 Rules consultation
- DSB 2021, Noting Paper 207 - Draft v3 Rules Analysis | Anticipated Data Standards
- DSB 2021, Decision Proposal 222 - CX Standards | Insights and Trusted Adviser Disclosure Consents
- CX research
- Tobias 2019, Phase 2, Stream 3 report
- DSB 2020, Phase 3, Round 3 report
- DSB 2020, Phase 3 Round 8 summary (PDF)
- DSB 2021, Disclosure Consent Research Report (Q4 2021, R1-2)
- Other
- Australian Government Style Manual 2021, Literacy and access
- OAIC 2021, Trusted advisers in the Consumer Data Right system
- OAIC 2022, Privacy Safeguard 12