Data holders must meet IT requirements under Consumer Data Right. They also need to follow data standards, which include information security controls, consent guidelines and API standards, as well as the Consumer Data Right Register design, which defines client registration requirements.
Website and app requirements
Consumer Data Right apps or websites must be designed to include the consumer authorisation process.
Data holders must also include an area on their website or app where consumers can clearly see and manage their data authorisations, and include the ability to withdraw authorisations.
Consumers must be able to see:
- details of the Consumer Data Right data they’ve authorised to be shared
- when they gave the authorisation
- the period for which they gave the authorisation
- when the authorisation expires (if the authorisation is current)
- when the authorisation expired (if the authorisation is not current).
The data standards
Consumer Data Right includes data standards for data holders and accredited data recipients. The standards are developed by the Data Standards Body.
Contribute to the discussion on standards development on GitHub.
The standards have five main components:
- The CX Standards focus on the consumer experience (CX). These mandatory requirements ensure Consumer Data Right elements are consistent for consumers.
- The CX Guidelines include examples of how to put the Consumer Data Right Rules and CX Standards into effect. These guidelines also include research-driven recommendations to help provide a positive consumer experience.
- The information security profile covers low-level technical details such as encryption algorithms and how tokens are transferred. The tokens dictate how the data is transferred between two entities in a secure way.
- The API standards govern how application programming interfaces (APIs) must be built and cover details such as errors, payload structures and URI taxonomies. These standards apply regardless of sector and enable accredited data recipients to request Consumer Data Right data from data holders across multiple sectors without making any changes to APIs.
- The non-functional requirements include minimum availability, maximum traffic expectations and data quality requirements. These requirements mainly apply to data holders.
All providers must test their IT systems to ensure they are working correctly and are in compliance with Consumer Data Right rules and standards. See the ACCC’s Consumer Data Right Participant Test Strategy, which covers providers that are looking to enter the Consumer Data Right system and providers that are already part of the system. This Test Strategy helps all providers prepare for future releases while maintaining the ongoing integrity and operation of the Consumer Data Right system.
As part of the Test Strategy, providers need to test their solution using the Consumer Data Right Conformance Test Suite. For new providers, this is part of the on-boarding process. Find out more about conformance testing for data recipients and data holders in the For providers section.
System production incidents
If you are a new provider entering the Consumer Data Right system, you can find information on incidents that occurred in the Consumer Data Right production environment, before and after launch of the system in July 2020, on the Consumer Data Right Support Portal. This information covers verification activities on 15 June 2020 and runs through to the end of the hyper-care period on 30 September 2020, and provides insight to new participants preparing to enter the system to help you avoid the same problems wherever possible.
This information includes:
- a categorised collection of incidents
- a description of the incidents along with workarounds, resolutions and the impact to the consumers, accredited data recipients and data holders
- the root cause of the incident where relevant information was available to the ACCC, who is overseeing this process.
Consumer Data Right Register requirements
Data holders must meet certain client registration requirements relating to the Register, which is designed and managed by the Australian Competition and Consumer Commission.
The Register is also known as the Register of Accredited Persons.
Contribute to the discussion on the Register design on GitHub.