Question
As a Data Holder or Data Recipient, does the ACCC require me to engage an external testing service provider or obtain independent verification of my CDR solution before I can commence conformance testing?
Answer
No.
Participants are accountable for testing and verifying that their solutions meet the CDR Rules, Consumer Data Standards and CDR Register design, in both coverage and quality. The ACCC has not requested that independent verification be obtained as part of participants’ own testing arrangements.
Participants are responsible for ensuring that the functionality of their solution is extensively tested internally, prior to requesting access to the CTS and commencing conformance testing, or deploying a new version of their solution in the ecosystem.
The ACCC has provided a range of scenarios to assist participants in developing their own test plans. Refer:
Should the need arise, the ACCC may request information from participants on their test reports and outcomes.
Comments
1 comment
It's all well and good for the ACCC to state that independent testing isn't required but declaring an organisation "accountable" triggers compliance obligations of "how do we make sure" and CPS234 is pretty explicit about components related to information security (which is a major part of the aforementioned Consumer Data Standards) notably around testing control effectiveness.
Outside of the Big 4, very few organisations would have the capability required to be specialists in the CDR especially given the continuing ambiguity and myriad of sources of truth.