CDS has been developed as part of the Australian Government’s introduction of the Consumer Data Right legislation to give Australians greater control over their data across different sectors, starting with banking, energy and telecommunications.
Consumer Data Standards – CDS
The Consumer Data Standards Program, part of The Commonwealth Scientific and Industrial Research Organisation (CSIRO).
A set of principles are the basis for the development of the standards for Consumer Data Right. They include:
The security of customer data
APIs using open standards
Simple, informed, and trustworthy data sharing
Easily written code should be facilitated by the API standards.
Consistency in patterns, structure, security mechanisms and user experience across sectors
To be as simple, with as much capability, as possible.
The consumer experience principles put accessibility, use and comprehension of the standards at the fore.
Consent is granted at a point in time and is only as current as the consumer’s original intent.
A compelling case for the development and adoption of data standards and interoperability in the Australian aged care sector (White Paper): White Paper
V1.21.0 / 22 Mar 2023
The standards are open source.
The Consumer Data Right confers obligations for users to comply with the standards, and for standards specified as binding standards they apply as under contract between a data holder and an accredited data recipient.
Data holders must meet IT requirements under Consumer Data Right and fulfil information security controls, consent guidelines and API standards, as well as the Consumer Data Right Register design, which defines client registration requirements.
Participants must pass the Conformance Test Suite before they receive an ‘active’ status on the Consumer Data Right Public Register.
These standards should be used in Australia.
High Level Standards are outlined first, containing components of the standards that are foundational and generally applicable.
The Consumer Experience (CX) Standards contain examples and recommendations for how to implement key rules and standards that relate to the consumer experience.
Non-functional requirements are outlined, including availability and performance requirements as well as traffic thresholds.
The APIs cover Banking, Energy, Telecommunications, Common and Admin specifications.
Commenting is encouraged on the standards.
Payment initiation (note: described within transactions, direct debits, and scheduled payments Get Transactions For Account – Consumer Data Standards)
Consent requirements will be communicated between the Data Recipient Software Product and Data Holder via the authorisation request object. The primary mechanism for capturing consent will be scopes and claims under [OIDC].
Other patterns for the establishment of consent MAY be considered in the future, including the incorporation of fine-grained consent for specific use cases.
Consent – Consumer Data Standards
Data recipients must notify consumers of consent redirection prior to authentication.
As of September 16th 2022 the information security profile builds upon the foundations of the Financial-grade API Advanced Profile [FAPI-1.0-Advanced] and other standards relating to Open ID Connect 1.0 [OIDC].
For information on the specific normative references that underpin this profile, refer to the Normative References section.
Parties Or Contacts
Customer Experience Guidelines
Partial certification process in place
On November 26th 2017, the Australian Government introduced Consumer Data Right (CDR) in Australia after years in the making.
The need for ‘data portability’ was contemplated in various reports as early as 2015. Draft legislation was first introduced in 2018, with the Treasury Laws Amendment (Consumer Data Right) Bill 2019 passed in August 2019.
CDR will give consumers greater access to and control over their data and will improve consumers’ ability to compare and switch between products and services.
The Consumer Data Standards is strictly regulated by the Government with all providers accredited. The Treasurer has appointed CSIRO (The Commonwealth Scientific and Industrial Research Organisation) as the Data Standards Body (DSB) to support the delivery of the Consumer Data Right.
Government organisations involved in establishing the Open Data ecosystem and its governance include the ACCC (Australian Competition and Consumer Commission), which is the lead regulator together with OIAC (Office of the Australian Information Commissioner), CSIRO (Commonwealth Scientific and Industrial Research Organisation), and its subsidiary Data 61, which Consumer Data Standards Team is responsible for developing the standards for CDR (Consumer Data Right), APRA (Australian Prudential Regulation Authority), ASIC (Australian Securities & Investments Commission), the Australian Government Productivity Commission and the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry.
Data Recipients are expected to design their services to minimise traffic with Data Holders and to be resilient in the case of the rejection of a call by a Data Holder due to traffic threshold breaches.
The service availability requirement for data holders and secondary data holders is 99.5% per month.
Planned outages should be commensurate in length and frequency to other primary digital channels offered by the data holder, published to Data Recipient Software Products with at least one week lead time for normal outages, yet may occur without notification if the change is to resolve a critical service or security issue.
All providers must be accredited recipients of data. The Data Availability and Transparency Bill provides for two types of accreditation – Accredited User and Accredited Data Service Provider.
Data holders must submit reports twice a year to the Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC).
Consumer Data Right (CDR)