Question

What is required with respect to what must be presented to the consumer in the DH dashboard relating to disclosure on a consent.  The rules (1.15 (3) (f)) state:

[information relating to authorisations to disclose CDR data is] information relating to CDR data that was disclosed pursuant to the authorisation (see rule 7.9);

This does not provide any detail on what “information” is required. 

In the CX guidelines (p. 109) there is a picture of the consumer dashboard with the “guideline” 2 stating:

Data holder consumer dashboards SHOULD show details of any historical CDR data that was disclosed.

The example does not actually provide much information on the data that has been disclosed under the consent, how many times, when, etc.:  it states only when data was first disclosed.  Other information relates to the consent duration and the first holder date, but not to data actually disclosed.

Is it sufficient to do as the example in the CX Guidelines has done (i.e., whether this example is compliant)?

Answer

Rule 1.15(3)(f) and 7.9

Rule 1.15(3)(f) requires data holders to provide information relating to CDR data that was disclosed pursuant to the authorisation, which refers to rule 7.9. The information that is required is specified in rule 7.9 - which relates to privacy safeguard 10 (PS10) - and requires data holders to state what CDR data was disclosed, when it was disclosed, and who it was disclosed to.

Yes, the CX Guideline on p.110 of the v1.4.0 release covers this requirement and provides a compliant example for how to meet rule 1.15(3)(f), rule 7.9, and PS10 that the DSB developed with the OAIC and ACCC. This is considered to be a minimal way to comply with these requirements. This example meets these requirements in the following ways:

1. 'What CDR data was disclosed' is met by displaying the disclosure notification in the context of the data cluster (p.110 presents the PS10 notification in relation to the Transaction Details data cluster only, not as a general authorisation notice).
2. 'When the CDR data was disclosed' is met by displaying the first time that specific data cluster was disclosed to the ADR, and the expected date of the final disclosure (the authorisation's expiry date). A once-off disclosure can refer to the single disclosure date.
3. 'Who it was disclosed to' is met by referring to the ADR in the statement about the first disclosure date. Importantly, the second statement need not refer to the ADR again if it is presented in relation to the other statements that do refer to the ADR's name. This can be done to avoid making repeated reference to the ADR in relation to each statement/requirement. If these statements are presented separately the DH would need to refer to the ADR in relation to each separate statement.

DHs may wish to provide more detail than the CX Guideline suggests, such as a statement/notification on when a specific data cluster was last disclosed (e.g. 20 January 2021 at 9pm). The CX Guideline only provides one simple example; DHs should note that meeting PS10 will be context dependent. For example, there are exceptions to rule 7.9 for joint accounts that will need to be considered. DHs may also choose to meet this requirement in another way, such as through a dashboard notification feed instead of on the authorisation record itself. DHs should refer to the OAIC's online guidance for more detail.

Importantly, rule 1.15(3)(g) refers to a different set of requirements under subsection 56EN(4) of the Act concerning data quality (PS11) and correction requests (PS13). The CX Guideline on p.110 does not provide examples for how to comply with Privacy Safeguards 11 and 13 (rules 7.10 and 7.15, respectively).

CX Guideline p.109 - Historical data

This guideline is a separate recommendation to the privacy safeguard requirements discussed above. For context, rule 4.23(b) requires DHs to give CDR consumers information about the 'period of time to which the CDR data that was the subject of the request relates'. This rule refers to the historical range of the data, e.g. 'data that may date back to 1st January 2017'. An example of this requirement is displayed on p.83 of the v1.4.0 CX Guidelines for the authorisation flow in relation to the Transaction Details data cluster. An equivalent requirement does not exist for the DH dashboard, so the CX Guideline on p.109 recommends this same level of detail be provided on the DH dashboard for consistency. It is not required nor does it relate to rule 1.15(3)(f), rule 7.9 or any of the privacy safeguards.