Question
Is there any mandate which suggests we need to show the date from when we might be collecting user's data?
Answer
Yes. For completeness, this response covers the following areas where historical data requirements and recommendations exist:
- ADR consent step
- ADR dashboard
- DH authorisation step
- DH dashboard
The references to rules below refer to the Competition and Consumer (Consumer Data Right) Rules, unless otherwise noted.
ADR consent step
During the consent process, ADRs must explain how the collection and use of CDR data complies with the data minimisation principle, including that (Rule 4.11(3)(c)). That includes explaining that the ADR will not collect more historical data than they reasonably require for the provision of the service. Item C.34 in OAIC's CDR guidelines also reflects this requirement. The CX guidelines provide an example of this in the consent step, e.g. ‘If available, we will collect data dating back to 10 Feb 2021 to [value proposition] and comply with our [obligations].’
ADR dashboard
ADRs are not required to present the historical range on dashboards under rule 1.14, but the CX Guidelines recommend that they do. See Data Recipient, Manage Consent. However, this information may appear on the dashboard indirectly in relation to Privacy Safeguard 5.
DH authorisation step
CDR Rules, main section, division 4.4, rule 4.23(b) requires data holders to 'state the period of time to which the CDR data that was the subject of the request relates'. The CX Guidelines demonstrate this with a note that this data may date back to 1st January 2017 . This generic date was chosen both:
- to reflect the legislation
- because DHs do not know the specific historical range the ADR intends to collect.
See CX Guidelines, Authorisation to disclose, Wireframes and Guidelines, Default example, Wireframe 3AU. Authorisation to disclose.
DH dashboard
DHs are not required to show the historical data range on dashboards, but the CX Guidelines recommend it be shown to achieve consistency with rule 4.23(b) and the ADR recommendations. See CX Guidelines, Authorisation to disclose. As with ADR dashboards, however, this information may be displayed on DH dashboards in accordance with OAIC Privacy Safeguard 10.
See:
- Competition and Consumer (Consumer Data Right) Rules
- Division 4.4 - Authorisation to disclose CDR data, rule 4.23(b)
- CX Guidelines, Authorisation to disclose
- OAIC CDR Guidelines, Consent
Comments
0 comments
Please sign in to leave a comment.