Question

In a Collection arrangement or CDR outsourcing arrangement do both the principals' and providers' Accredited Data Recipient (ADR) number need to be shown in the following locations:

• on the page where the consumer gives consent to the ADR to collect and use data during the initial stages of the consent flow
• the CDR Receipt; and
• CDR Policy?

Answer

Under the CDR Rules, it is not mandatory to show details (including accreditation number) of both parties at the consent step and in the CDR Receipt. It is only the principal’s details that need to be shown. The operation of rule 1.7(5) clarifies that the consent rules apply to the principal; the name and accreditation number of the provider's ADR is not required.

While the rules don’t require the providers' accreditation number to be displayed in the consent step, the CX Guidelines recommend that outsourced service providers (OSPs) be included. The v2 rules CX wireframes included an example of this; the existing CX Guidelines on OSPs suggest OSPs be presented in the consent step (instead of only in the CDR policy); and featuring the OSP here is a best practice example supported by the research and has already been implemented by ADRs with good results. The CX Guidelines will reflect this recommendation for CDR Receipts and ADR dashboards.

The CX research showed that consumers will look to accreditation numbers to verify trustworthiness (non-accredited OSPs were frequently viewed with suspicion), and may also use accreditation numbers to verify that a CDR participant is indeed accredited – something research participants suggested they would do before proceeding.

To summarise, while it is not mandatory to show the details of both parties, it is recommended to build user confidence.  It is mandatory to show the ADR number of the Primary ADR in the collection arrangement.