DP225 does not put forward proposals. The DSB sought input on security standards to be considered for the transfer of CDR data beyond the primary data recipient.
The primary data recipient may have a relationship with a secondary data recipient. How is data managed in this case? Potential relationships with unaccredited data recipients include:
- Sponsor and affiliate relationship
- Unaccredited representative and principal relationship
- Trusted adviser - that is, an adviser trusted by the consumer
There are several pathways by which consumer data may be disclosed. Pathways may be via trusted or untrusted applications. The Decision Proposal lists these pathways and how standards may apply to each. For many of these pathways, no standards are defined and security requirements are not specified in the rules or standards.
DP225 asks a number of questions, rephrased here for brevity:
- What principles should the Data Standards Chair apply to determine if security standards should be made in these cases?
- How should the Data Standards Chair determine where standards apply to data recipient access arrangements?
- What standards are recommended?
- What considerations apply to existing commercial data integrations and solutions?
- Are security considerations sector specific, or do they generally apply to all CDR data?
- Should the Data Standards Chair define customer authentication requirements in these cases?
- If action or payment initiation is introduced into the CDR, are additional security considerations or access arrangements required?
- What additional matters should be considered?
If you have an interest in these questions and topics, read DP225 for more details.
CDR Rules referred to in this document include:
- Schedule 2, 2.2(1)(i) Encryption in transit
- Main section, part 7, division 7.2, subdivision 7.2.3, 7.5 Meaning of permitted use or disclosure (2)
- Main section, part 8, division 8.4, 8.11 Data standards that must be made
- Main section, part 1, division 1.3 Interpretation, 1.10C Trusted advisers