Data61’s role in creating standards for the consumer data right

The Australian government is introducing a Consumer Data Right giving consumers greater control over their data. Part of this right requires the creation of common technical standards making it easier and safer for consumers to access data held about them by businesses, and – if they choose to – share this data via application programming interfaces (APIs) with trusted, accredited third parties.

Data61 has been appointed as technical advisor for an interim standards body, designing the first iteration of open technical standards to support consumer-driven data sharing.

You can check out the team’s website here, or read an extract below of one of their posts outlining the workstreams they’re focusing on. Sign up to their mailing list here for more updates on their work – it’s an important project that’s relevant to every consumer in Australia.

Data61 has been appointed as the Consumer Data Standards (CDS) team by Treasury to develop standards for the Consumer Data Right (CDR). These standards will enable consumers to access and direct the sharing of data about them with third parties flexibly and simply, and in ways that ensure security and trust in how that data is being accessed and used. The Australian Competition and Consumer Commission (ACCC) will be the lead regulator for the CDR with support from Data61 and the Office of the Australian Information Commissioner (OAIC). Data61’s work includes validating the technical workstreams and putting into effect the ACCC’s Rules.

Introducing a Consumer Data Right requires the creation of common technical standards that make it easier and safer for consumers to access data held about them by businesses, and — if they choose to — share this data via application programming interfaces (APIs) with trusted, accredited third parties. The Consumer Data Right will first be implemented in the financial sector before expanding into the energy sector, followed by telecommunications, and then intended to apply sector by sector before applying economy-wide. A precedent for the Consumer Data Right was set with the implementation of Open Banking in the UK, and the Consumer Data Right has looked to their implementation for reference.

The Consumer Data Standards Workstreams

The work on technical standards is supported by an interim Advisory Committee. The Advisory Committee, spanning representatives from the financial sector, FinTechs, consumer groups, energy and telecommunications representatives and software vendors, has been appointed for a period of 12 months commencing in July 2018. Its role has been to provide guidance and feedback on the development of the technical standards, while rules and legislation are developed in parallel.

The Data61 workstreams currently underway are:

• API standards: drafting and validating API standards being developed
• Information security: defining the information security profile supporting API standards, and authentication and authorisation flows
• Consumer Experience: articulating best practice language and design patterns for organisations seeking consent from consumers to access their data, and providing guidance on the user experience of authentication and authorisation.
• Engineering: technical delivery including a functional demonstration of the Standards using Reference Implementations; a Conformance tool for data holders; and a Sandbox for developers.

The Consumer Experience Workstream

The API standards, Engineering, and Information Security workstreams have operated primarily through GitHub. The Consumer Experience (CX) workstream will rely more heavily on publication through consumerdatastandards.org.au and our Medium publication to help make the work more accessible to non-technical audiences and the general public.

The key output of the CX Workstream will come in the form of CX Standards, which will provide data recipients and data holders with standards and guidance for seeking and receiving consent from consumers. Following advice in the the Farrell report, the CX Workstream has looked to the UK implementation of Open Banking and their accompanying CX Guidelines for reference. Drafts of the CX Standards will be published for feedback as they are developed.

The ultimate aim of the CX workstream is to help organisations provide consumers accessing their rights under the CDR with a trusted and usable consent experience. This involves the development of design requirements and guidelines for organisations seeking consent from consumers and facilitating authorisation and authentication under the Consumer Data Right that meet the ACCC’s standards for consent.

The ultimate aim of the CX Workstream is to help organisations provide consumers with a trusted and usable data sharing experience.

The ACCC sets the rules surrounding the implementation of the Consumer Data Right and provides the framework within which the Data Standards Body and the Consumer Experience Workstream operates. The ACCC has proposed requiring the Data Standards Body to develop standards relating to the design of consent screens and permissions, the user experience of authentication and authorisation, and making testing of consumer comprehension of consent be required as part of the standards-setting process.