Executive summary
This report contains findings and recommendations based on two rounds of qualitative CX research conducted in November 2021. Fourteen participant consumers were engaged in 1:1 research sessions that ran for 90 minutes each. Prototypes of the Insight Disclosure Consent flow were used to facilitate discussion and generate insights in relation to disclosure consents more generally. The purpose of this research was to inform standards development for Insights and Trusted Adviser Disclosure Consents.
It was hypothesised that if we present the below information to the consumer in relation to insights, data clusters, and data handling statements, then we can support informed disclosure consents:
This research was informed by earlier consultation and research conducted in 2020 and 2021 including the following:
- Noting Paper 207 consultation
- Draft v2 Rules consultation (see concepts 5.1: TA disclosures and 5.2: Insight disclosures)
- Draft v3 Rules consultation
- CX research (see research brief and summary of preliminary research on draft v2 rules)
- Consumer Policy Research Centre (CPRC) report: Vulnerability, capability, opportunity
Full details on the public consultation and final decision proposal outcome can be found on Decision Proposal 222 - CX Standards | Insights and Trusted Adviser Disclosure Consents.
Research approach
As part of our work to provide intuitive, informed, and trustworthy data sharing experiences, we tested concepts that explored how consumers might consent to disclosing data to a non-accredited person. Participants were given the scenario of applying for a new rental property, where they were offered the option to consent to sharing data insights from their bank with a real estate agent in an effort to bypass a number of manual processes.
Who did we research with?
What did we do?
What did we test?
Findings
What did we learn?
The participants in our research demonstrated various expectations and needs relating to comprehension and transparency.
These findings strongly validated the DP222 hypotheses and generated significant insights in relation to key research questions, summarised below.
Hypothesis 1 - Insight descriptions
What will the insight tell the non-AP?
Insights should be described using plain and concise language that seeks to achieve year 7 readability level. Where possible, the actual insight should be displayed.
ADRs should provide an insight example for consumers. When appropriate, the insight example may reflect use case criteria or be genericised, i.e.
- Use case specific- "Based on the last 6 months, average monthly income is over $5,000."
- Generic- "Based on [timeframe], average [criteria] is [value]."
ADRs should explain what information will not be disclosed to the non-accredited person.
ADRs should provide options or other means for the consumer to provide context or supply additional information around their insights. This may be provided as:
- additional text field;
- option to manually upload or email other documents;
- option to build insights using multiple DHs.
When will the insight be generated and what period will it refer to?
The period the insight will refer to and when the insight will or is expected to be generated should be noted.
ADRs should provide upfront information regarding:
- when insights might be generated and disclosed;
- why insights require data from specified time period;
- what is the required time period;
- how actual insights might be reviewed and disclosed.
ADRs should provide assurance that consent is always required before generating and disclosing insights.
Why will the insight be generated?
Where known, ADRs should explain why the non-accredited person requires the insight.
ADRs should provide transparency around:
- why insights would be generated;
- how non-accredited persons may use the insight
How will the insight be generated?
An explanation should be included regarding how the insight will be generated. Where possible, the method used (e.g. AI), who will generate the insight (e.g. actor), and sources used to generate the insight (e.g. datasets, ledger) should be specified.
ADRs should provide upfront and contextual information about how insights are generated. This may include:
- what method would be used;
- what sources would be used;
- who would generate the insights;
- why data clusters and permissions are needed for insight generation.
ADRs should provide assurance that actual or permission-level data will only be accessed by them to generate insights and won't be disclosed to the non-accredited person or any other parties.
Hypothesis 2 - Disclosure notifications
What regulations and protections do or do not apply to disclosed data?
Information on the Consumer Data Right should be included. Also, the fact that data disclosed to non-accredited persons will not be regulated as part of the Consumer Data Right should be provided, with advice that the consumer review how their data will be handled when available. This could include privacy policy links and information about the Privacy Act.
ADRs should surface information about CDR protections. This may include:
- how data is being stored;
- who would have access to it
ADRs could also provide a summary of the differences between the ADR and non-accredited person protections.
ADRs should surface information about the data deletion process:
- when data will be deleted;
- why data may need to be retained (e.g. business or legal reasons);
- how the data will be deleted, this may include timeframes
Where applicable, ADRs should surface external links to '.gov.au' websites to allow consumers to do further reading about the CDR.
Where can insights be reviewed and accessed?
Instructions for how the consumer can access records pertaining to insights via their consumer dashboard should be provided. The information contained in the disclosure notification should also be contained in the consumer’s CDR Receipt.
Whenever possible, ADRs should provide the consumer with the ability to review the actual insights within the Consent Flow, before they are disclosed to the non-accredited person. ADRs should also provide the consumer with the option to amend insights and/or data clusters.
Where can someone go for help if there’s a problem?
Information on making a complaint and dispute resolution should be provided, and should include a link to the ADR’s CDR policy related to complaints.
ADRs should provide information around how complaints can be made. This may be presented once or multiple times throughout the Consent Model:
- during Pre-consent, where consumers might have the option to select the CDR process;
- during Consent, contextually alongside data protection and/or data deletion information;
- within the Consent Flow, prior to disclosure to the non-accredited person;
- within the CDR receipt.
Informed Consent and Comprehension
Behavioural Archetypes
Fogg Behaviour Model
Takeaways
The findings from this research strongly validated the hypotheses that underpinned the DP222 consultation. These findings were published to the community as part of the DP222 consultation and informed the development of insight and trusted adviser consent standards.
Consumer Experience Guidelines for insights and trusted adviser disclosure consents were also shaped by this research, including insights and recommendations that may not have been incorporated into the final standards but nevertheless reflect best practice and consumer expectations.
Quick links to CX Guidelines:
→ cx@consumerdatastandards.gov.au → cx.cds.gov.au | cds.gov.au
