Data holder user journey
- Compliance guidance
The Competition and Consumer Act 2010, Consumer Data Right Rules and Standards impose a range of requirements that data holders, accredited data recipients and intermediaries need to comply with. Our compliance guidance is designed to assist data holders to understand and comply with their obligations. The focus of these resources is on the obligations arising under the rules and standards.
Compliance guide for banking sector | Compliance guide for energy sector
- Privacy obligations
Consumer Data Right participants have privacy obligations under the Consumer Data Right system, including in relation to collecting, using, disclosing and correcting Consumer Data Right data for which there are one or more consumers. The Office of the Australian Information Commissioner (OAIC) privacy obligations page provides a high level summary of participant privacy obligations.
It is important that participants understand their privacy obligations at an early stage, so they can embed appropriate privacy practices into the design specifications of their solutions and business practices.
- Participant tooling overview
The ACCC has been working on ways to help Consumer Data Right participants understand the Consumer Data Right ecosystem’s technical requirements, as well as develop and maintain solutions that can operate within the Consumer Data Right ecosystem. As the first step in the participant tooling journey, the ACCC has built a series of free, open source mock solutions.
- Participant tooling: Architecture / Authentication / Authorisation APIs
The data holder architecture provides a high-level view of how all of the components of the mock data holder interact with one another. Authentication and Authorisation APIs are one of the first aspects of a participant’s solution design and build. This resource will provide a reference point for this feature in the Consumer Data Right build in order to accelerate a quality build.
CDR repositories Github | CDR register Github | Participant tooling
- Participant tooling: mock solutions
The free mock solutions can be used throughout a participant’s activation journey. Accessing these tools in the discovery phase of a participant’s project can assist with scoping of a compatible Consumer Data Right solution. Beyond this stage, the tools can provide further value as a reference point for code, to validate a solution through the build and to test a participant’s solution.
Using the mock solutions early on in the journey is intended to improve quality, accuracy and speed of build for a participant’s solution.
CDR repositories Github | CDR register Github | Participant tooling
- Participant tooling: sandbox
The existing mock solutions include automation and self-service capabilities that allow participants to download the reference code for use in their environment when developing and testing their own solutions. The Consumer Data Right hosted sandbox builds on this work to enhance the capability available to participants and their vendors to develop and test their own solutions in a sandbox environment hosted by the ACCC.
The Consumer Data Right hosted sandbox is a free tool that provides the following features to new and existing participants:
  - ability for participants to use their own seed data to test against the mock solutions, or interact directly with other participants to exchange test data
  - revised version of the mock solutions compatible with the latest rules and standards, which have been updated to include the energy sector
  - management portal to assist participants with the integration and management of their own solutions within the environment
- CDR business readiness
To join the Consumer Data Right ecosystem, a participant will not only build their Consumer Data Right solution and follow the ACCC Consumer Data Right activation process but also consider the various internal readiness activities that can be performed to ensure a smooth go-live. These activities will differ from participant to participant but may include reporting considerations, updating of standard operating procedures, staff training plans and process updates.
- Participant portal registration
The Consumer Data Right Participant Portal is where a data holder completes the data holder registration process. The Participant Portal is also the place for Consumer Data Right participants - data holders and accredited data recipients - to update and manage their information and view the Consumer Data Right Register of Accredited Persons.
- Service management portal
The Consumer Data Right Service Management Portal is for Consumer Data Right participants to communicate technical incidents between each other, or with the ACCC Consumer Data Right Technical Operations team. The Consumer Data Right Technical Operations team undertake a monitoring approach to facilitate effective resolution of issues and promote a healthy and effective Consumer Data Right ecosystem.
- Service management access
At the start of the Consumer Data Right on-boarding process, each participant will identify a responsible person, or group, in their organisation to be granted access to the Consumer Data Right Service Management Tool. Other users who wish to have access can request it by consulting their organisation’s Consumer Data Right representative or by emailing the Consumer Data Right Technical Operations team.
- On-boarding overview
After successfully completing registration, each new Consumer Data Right provider must complete the on-boarding process before they can be activated in the Consumer Data Right ecosystem and commence consumer data sharing.
On-boarding is the process of a participant, new to the Consumer Data Right, preparing to participate in the ecosystem.
On-boarding, which includes successful completion of the Consumer Data Right Conformance Test Suite, is the last step participants must go through before the Registrar makes a participant ‘active’ on the Consumer Data Right Register. Once participants complete on-boarding, they are able to start sharing consumer data in the ecosystem. There are two key aspects of On-boarding – Public Key Infrastructure and CDR Trade Mark Licence Agreement.
On-boarding for data holders | Participant Conformance Approach
- On-boarding: Public Key Infrastructure
Public Key Infrastructure (PKI) certificates are a key component used in the Consumer Data Right ecosystem to provide secure and private communications between participants. The ACCC, as the Consumer Data Right Registrar, is responsible for issuing certificates to participants. The procedural and operational requirements relating to the use of the digital certificates issued to participants are governed by two agreements: the Subscriber and Relying Party Agreements. These agreements are legally binding and generally require consultation with legal teams. Participants cannot progress through the on-boarding process until these are signed.
What agreements are part of on-boarding to the Consumer Data Right?
- On-boarding: CDR Trade Mark Licence Agreement
The Consumer Data Right trade mark is intended to be a symbol of trust in the Consumer Data Right ecosystem. The ACCC encourages all Consumer Data Right participants to use the Consumer Data Right trade mark in the consent and authorisation processes offered to consumers. This agreement is legally binding and generally requires consultation with legal teams. Participants cannot progress through the on-boarding process until this is signed.
- Conformance Test Suite overview
The Conformance Test Suite is a final checkpoint of key elements of a participant’s solution before activation in the ecosystem. Its primary focus is to provide the ACCC, which as the Consumer Data Right Registrar performs the function of maintaining the security, integrity, and stability of the register, with a level of confidence in its activation decisions.
The Conformance Test Suite is designed to verify a limited subset of standards alignment against security profile and consent components as well as other high-risk areas.
A participant should not use the Conformance Test Suite as validation that their solution complies with the Consumer Data Standards (CDS) and Consumer Data Right Register Design.
Conformance Test Suite version history and technical guidance | Participant Conformance Approach
- Conformance Test Suite: preparation
Participants are expected to have completed internal testing, including security testing, prior to commencing the Conformance Test Suite. After the completion of the Conformance Test Suite, the Registrar can request evidence of a participant’s internal test results as part of the activation process. Participants are expected to ensure their implementation aligns with the Consumer Data Standards and Consumer Data Right Register Design. While the Conformance Test Suite conforms to the Consumer Data Right Standards, its role is not to validate that a participant’s solution is compliant with those standards.
Participants are accountable for compliance with the standards and must address any alignment issues prior to commencing Conformance Test Suite testing.
Conformance Test Suite version history and technical guidance | Participant Conformance Approach
- Conformance Test Suite: participant tooling
In preparation for Conformance Test Suite, a participant will be able to use participant tooling to test their solution to inform any additional development or adjustments required before proceeding through Conformance Test Suite. Mock solutions can be used in the sandbox with the participant’s solution to test different test plans and scenarios, simulating the Conformance Test Suite experience.
- Conformance Test Suite: perform CTS
The Conformance Test Suite for data holders supports a collection of scenarios that can be composed to test plans based on the data holder conformance needs. Through the Conformance Test Suite user interface, a data holder test plan can be created and completed.
There are currently seven key Conformance Test Suite tests available for data holders - dynamic client registration, single consent, concurrent consent, revoke consent, revoke refresh token, API and register interaction.
- Participant tooling to test consumer data sharing
Once a participant is active in the Consumer Data Right ecosystem they can request and share consumer data, with consumer consent. If a participant would like to validate successful consumer data sharing, they can use the sandbox to simulate interactions with an opposing participant. The ability to perform this business verification testing on the endpoints/APIs is important as it is the participant’s responsibility to ensure they can share consumer data once activated in the ecosystem.