Questions
- Questions about CDR Rule 4.25 Withdrawal of authorisation to disclose CDR data and notification
We noticed that in the CDR Rules PDF file published on the ACCC website on 06 Mar 2020, Rule 4.25(1) reads as follows:
4.25 Withdrawal of authorisation to disclose CDR data and notification
(1) The CDR consumer who gave, to a data holder, an authorisation to disclose particular CDR data to an accredited person may withdraw the authorisation at any time:
(a) by communicating the withdrawal to the data holder in writing; or
(b) by using the data holder’s consumer dashboard.
On the Australian Government Federal Register of Legislation website, there is a different version of the rules that has the following version of Rule 4.25(1):
4.25 Withdrawal of authorisation to disclose CDR data and notification
(1) The CDR consumer who gave, to a data holder, an authorisation to disclose particular CDR data to an accredited person may withdraw the authorisation at any time:
(a) by using the data holder’s consumer dashboard; or
(b) by using a simple alternative method of communication to be made available by the data holder for that purpose.
Question 1. Which is the latest version of the rules that we should follow?
Question 2. What can be the options of a simple alternative method of communication?
- We understand that according to the rule 4.25, the Data Holder has to provide an alternative method to withdraw authorisation. Is there a similar requirement for joint accounts, such as to manage or withdraw authorisations to disclose joint account data? Or can this service be online only?
Request for clarification 2. Vulnerable customers requirement
Under CDR Rule 4A.15 Avoidance of harm, it specifies that:
A data holder is not liable under these rules for a failure to comply with this Part if it is considered that the relevant act or omission was necessary in order to prevent physical, psychological or financial harm or abuse to any person.
Will you be able to provide guidance on the expected implementation of the above rule and possible scenarios? For example, does this mean that data holders can assess whether to refuse to update a joint account holder's dashboard on a case-by-case basis? Or can the option to update/not update the other joint account holder's dashboard be provided to all joint account holders during the consent flow?
Scenario: A customer in an abusive relationship wants to share data for his/her joint account with a 3rd party and doesn’t want the second joint account holder (the abuser) to find out about this data sharing arrangement.
Implementation options:
Option 1
Before starting the consent flow, the vulnerable customer gets in touch with the Data Holder and explains his/her situation. If the Data Holder considers it necessary, the Data Holder marks the customer as ‘vulnerable’, which results in any Data Sharing arrangements this customer establishes for the joint accounts not being visible to the second account holder(s).
Option 2
Before starting the consent flow, the vulnerable customer gets in touch with the Data Holder and explains his/her situation. If the Data Holder considers it necessary, the Data Holder marks the customer as ‘vulnerable’, which results in giving this customer the choice to have some of the Data Sharing arrangements this customer establishes for the joint account not be visible to the second account holder(s). In this case, functionality will be added inside the Consent flow to select which account to show or not show on the other joint account holder’s dashboard.
Option 3
Before starting the consent flow, the vulnerable customer gets in touch with the Data Holder and explains his/her situation. If the Data Holder considers it necessary, the Data Holder marks the affected joint account(s) as ‘vulnerable’, which results in any Data Sharing arrangements this customer establishes for the joint account not being visible to the second account holder(s).
Option 4
For all joint account holders, during the Consent flow the option is displayed to update the other joint account holder’s Dashboard or not (in this case, this option is provided to all joint account holders and the Data Holder won’t be participating in determining whether the customer is vulnerable or not).
Can you please provide guidance on which of the implementation options is in line with the rules, or whether there is some other way to meet this requirement.
Answers
Request for clarification 1 - Question one
With respect to the latest version of the rules that should be followed, participants should always rely on the Federal Register of Legislation for the latest version of the rules. Refer to Consumer Data Right Legislation for a quick reference guide to finding key documents in the Consumer Data Right legislative framework.
Request for clarification 1 - Question two
Data holders must allow consumers to withdraw authorisation through the consumer dashboard as well as through a simple alternative method of communication. This could include, for example, via telephone or in writing.
Request for clarification 2 – Authorisations for joint accounts
Rule 4A.13 provides that a data holder must provide each relevant joint account holder with an online service that can be used by the account holder to manage authorisations to disclose joint account data via a consumer dashboard. It is not expected that data holders provide an alternative method for joint account holders to manage authorisations.
For the joint account disclosure option management service, this must be provided online and may, but does not need to, also be provided through a method other than online.
Request for clarification 2 – Vulnerable consumers requirement
The current CDR Rules are intentionally principles based, allowing data holders to leverage current practices regarding vulnerable consumers. For example, if a data holder currently has a vulnerable consumer flag on a consumer’s account, they may automatically treat that consumer as vulnerable in a CDR context.
We consider options 1 and 3 to be permissible under the rules. Options 2 and 4 are not currently permissible as data holders must not add any requirements, or provide or request additional information, during the authorisation process beyond that specified in the data standards and rules (see rule 4.24). However, together with the DSB, we intend to give further consideration to whether additions to the data standards or rules are appropriate.
For completeness, we also note that data holders may refuse to ask for an authorisation, or to disclose CDR data, if they consider it necessary in order to prevent physical, psychological or financial harm or abuse (Rule 4.7(1)(a)).
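As an added illustration (not code from the ACCC answer or from any data holder's implementation), the following Python sketch models how a data holder could apply the two permissible options when building each joint account holder's dashboard: a vulnerable flag on the consumer (Option 1) or on the joint account (Option 3) suppresses that consumer's arrangements from the other holders' view, while the consumer who established an arrangement always sees it. All identifiers and sample data are constructed.

```python
# Added example (not the ACCC's or any data holder's code): dashboard visibility
# for joint-account sharing arrangements under Option 1 (vulnerable flag on the
# consumer) and Option 3 (vulnerable flag on the account). All data is constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Arrangement:
    arrangement_id: str
    account_id: str      # joint account whose data is shared
    established_by: str  # consumer who gave the authorisation
    recipient: str       # accredited person receiving the data


@dataclass
class DataHolderState:
    joint_accounts: dict[str, set[str]]  # account_id -> consumer ids of holders
    arrangements: list[Arrangement] = field(default_factory=list)
    vulnerable_consumers: set[str] = field(default_factory=set)  # Option 1 flag
    vulnerable_accounts: set[str] = field(default_factory=set)   # Option 3 flag

    def dashboard(self, consumer_id: str) -> list[Arrangement]:
        """Arrangements to show on consumer_id's dashboard: always their own;
        another holder's only if neither that holder nor the account is flagged."""
        visible = []
        for arr in self.arrangements:
            if arr.established_by == consumer_id:
                visible.append(arr)  # the consumer always sees what they set up
                continue
            if consumer_id not in self.joint_accounts.get(arr.account_id, set()):
                continue  # not a holder of this account: nothing to show
            if arr.established_by in self.vulnerable_consumers:
                continue  # Option 1: hide everything this consumer establishes
            if arr.account_id in self.vulnerable_accounts:
                continue  # Option 3: hide everything shared from this account
            visible.append(arr)
        return visible


def sample_state() -> DataHolderState:
    """Constructed sample: alice and bob hold JA-1; alice and carol hold JA-2."""
    state = DataHolderState({"JA-1": {"alice", "bob"}, "JA-2": {"alice", "carol"}})
    state.arrangements = [
        Arrangement("ARR-1", "JA-1", "alice", "adr-budget-app"),
        Arrangement("ARR-2", "JA-2", "carol", "adr-lender"),
    ]
    state.vulnerable_consumers.add("alice")  # Option 1: alice is marked vulnerable
    return state
```

With the sample state, bob's dashboard is empty because alice's arrangement on their shared account is suppressed, while alice still sees both her own arrangement and carol's.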