Introduction
The consumer gives consent to share data according to specified authorisation scopes. These help to limit the sharing of data, in accordance with data minimisation principles.
CX Data Language Standards and data clusters
The CX Data Language Standards specify a data cluster language. Data is grouped into clusters, to support informed consent and data minimisation. For each Data Cluster, there are related permissions and a related authorisation scope. When a consumer consents to a Data Holder (DH) sharing their data with an Accredited Data Recipient (ADR), they consent to the sharing of specified data clusters, and accordingly to the use of specified authorisation scopes.
Data minimisation
In accordance with the data minimisation principle, an ADR should request the minimum data required for the task. The ADR may receive data surplus to requirement, as a DH cannot deliver only part of a data cluster. The ADR should delete any data they do not need.
See:
- CDR Rules, main section, division 1.3 - Interpretation, section 1.8 - Data minimisation principle
- OAIC Chapter 3: Privacy Safeguard 3 - Seeking to collect CDR data from CDR participants
Ignoring unsupported authorisation scopes
An Accredited Data Recipient (ADR) is accredited for all sectors, and hence all scopes across those sectors. Sectors currently include Banking and Energy, with Telecommunications in progress and more sectors to come.
The ACCC Register issues the SSA (Software Statement Assertion), signed using the ACCC CA certification, incorporating all scopes for which the ADR is accredited.
When registering with the Data Holder (DH), the ADR presents a verified SSA and verified Registration Request.
When an ADR presents all scopes for DCR (Dynamic Client Registration) to a DH, the DH needs to facilitate the ADR registration updates, without rejecting the request due to scopes not supported by the DH.
The requirement introduced in Consumer Data Standards (CDS) version 1.18.0, CDS Dynamic Client Registration, Registration Validation, specifies that Data Holders MUST ignore unsupported authorisation scopes presented in the SSA.
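The difference between rejecting and ignoring unsupported scopes can be seen in a short sketch. This is an added example, not code from the Consumer Data Standards or any Data Holder. It assumes the SSA signature has already been verified, that the SSA carries its scopes as a space-separated `scope` claim, and that the Data Holder is a hypothetical banking-only one; the function names and the sample SSA are constructed for illustration.

```python
import base64
import json

# Assumption: scopes supported by a hypothetical banking-only Data Holder.
DH_SUPPORTED = frozenset({
    "openid", "profile", "cdr:registration",
    "bank:accounts.basic:read", "bank:transactions:read",
})


def ssa_claims(ssa_jwt):
    """Decode the SSA payload. Signature verification is assumed done earlier."""
    try:
        _header, payload, _sig = ssa_jwt.split(".")
        padded = payload + "=" * (-len(payload) % 4)
        return json.loads(base64.urlsafe_b64decode(padded))
    except ValueError as exc:  # wrong part count, bad base64 or bad JSON
        raise ValueError("malformed SSA") from exc


def strict_scope(ssa_jwt, supported=DH_SUPPORTED):
    """Non-conformant: rejects the registration if any scope is unsupported."""
    presented = ssa_claims(ssa_jwt).get("scope", "").split()
    unknown = [s for s in presented if s not in supported]
    if unknown:
        raise ValueError(f"unsupported scopes: {unknown}")
    return " ".join(presented)


def tolerant_scope(ssa_jwt, supported=DH_SUPPORTED):
    """Conformant: registers the supported scopes and ignores the rest."""
    presented = ssa_claims(ssa_jwt).get("scope", "").split()
    kept = list(dict.fromkeys(s for s in presented if s in supported))
    ignored = sorted(set(presented) - supported)  # worth logging, not an error
    return " ".join(kept), ignored


def make_sample_ssa(scope):
    """Build a constructed SSA-shaped token (placeholder signature, demo only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'PS256'})}.{enc({'scope': scope})}.constructed-signature"


# Constructed sample: an ADR accredited for all sectors presents an energy scope.
SAMPLE_SSA = make_sample_ssa(
    "openid profile bank:accounts.basic:read energy:accounts.basic:read cdr:registration")

if __name__ == "__main__":
    print(tolerant_scope(SAMPLE_SSA))
```

The strict variant would fail every registration from an ADR whose SSA includes scopes from another sector, which is the outcome the requirement is there to prevent.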