Is there any mandate which suggests we need to show the date from when we might be collecting a user's data?
Yes. For completeness, this response covers the following areas where historical data requirements and recommendations exist:
- ADR consent step
- ADR dashboard
- DH authorisation step
- DH dashboard
The references to rules below refer to the Competition and Consumer (Consumer Data Right) Rules, unless otherwise noted.
ADR consent step
During the consent process, ADRs must explain how the collection and use of CDR data complies with the data minimisation principle (Rule 4.11(3)(c)). That includes explaining that the ADR will not collect more historical data than they reasonably require for the provision of the service. Item C.34 in OAIC's CDR guidelines also reflects this requirement. The revamped CX guidelines will provide an example of this in the consent step, e.g. ‘If available, we will collect data dating back to 10 Feb 2021 to [value proposition] and comply with our [obligations].’
ADR dashboard
ADRs are not required to present the historical range on dashboards under rule 1.14, but the CX Guidelines recommend that they do (p.96 of v1.4.0). However, this information may end up on the dashboard indirectly in relation to Privacy Safeguard 5.
DH authorisation step
Rule 4.23(b) requires data holders to 'state the period of time to which the CDR data that was the subject of the request relates'. The CX Guidelines demonstrate this with a note that this data may date back to 1st January 2017 (see the example on p.83 of v1.4.0). This generic date was chosen to reflect the legislation and because DHs will not know the specific historical range the ADR intends to collect.
DH dashboard
DHs are not required to show the historical data range on dashboards, but the CX Guidelines (p.109) recommend it be shown to achieve consistency with rule 4.23(b) and the ADR recommendations. Similar to ADR dashboards, however, this information may end up on DH dashboards indirectly as a result of Privacy Safeguard 10.