With respect to Rule 7.9 are we as Data Holders required to list every instance of the data disclosure or is a generic statement like the Consumer Experience (CX) guidelines states: we are sharing this data, we will continue sharing it until <date> and we last disclosed it on <date>, acceptable?
The generic statement in the CX Guidelines was developed with ACCC and OAIC to demonstrate a compliant example for rule 7.9. The intention of the example is to show, in a relatively static way, how to compliantly state (1) the first time a specific data cluster was disclosed (2) who the specific data cluster was disclosed to (3) when the DH expects (or knows) the final date of disclosure to be.
The example is provided as a way to meet the rule 7.9 disclosure requirements in relation to the authorisation details (the dates of which may differ). The OAIC guidelines on PS10 should be referred to as it will be context dependent.
To add to the response, here is a link to the OAIC's Guidance around Privacy Safeguard 10: https://www.oaic.gov.au/consumer-data-right/cdr-privacy-safeguard-guidelines/chapter-10-privacy-safeguard-10-notifying-of-the-disclosure-of-cdr-data/
An example we feel is relevant for your scenario is linked to here: https://www.oaic.gov.au/consumer-data-right/cdr-privacy-safeguard-guidelines/chapter-10-privacy-safeguard-10-notifying-of-the-disclosure-of-cdr-data/#the-accredited-data-recipient-of-the-cdr-data