Accredited data recipients are required to meet IT requirements under Australia’s Consumer Data Right. They also need to follow data standards, which include information security controls, consent guidelines and API standards, as well as the Consumer Data Right Register design, which defines dynamic client registration requirements.

Website and app requirements

The consumer consent process must be part of any online or app-based authorisation process. 

Accredited data recipients must include an area on their website or app where consumers can clearly see and manage their Consumer Data Right data consents, including the ability to withdraw consent.

Consumers must be able to see:

  • what data was collected
  • when the data was collected
  • the data holder of the data.

The data standards

Consumer Data Right includes data standards for both data holders and accredited data recipients. The Consumer Data Standards are developed by the Data Standards Body

Contribute to the discussion on standards development on GitHub.

The standards have five main components:

  1. The CX Standards focus on the consumer experience (CX). These mandatory requirements ensure Consumer Data Right elements are consistent for consumers.
  2. The CX Guidelines include examples of how to put the Consumer Data Right Rules and CX Standards into effect. These guidelines also include research-driven recommendations to help provide a positive consumer experience.
  3. The information security profile covers low-level technical details such as encryption algorithms and how tokens are transferred. The tokens dictate how the data is transferred between two entities in a secure way. 
  4. The API standards govern how application programming interfaces (APIs) are built and cover details such as errors, payload structures and URI taxonomies. These standards apply regardless of sector and enable accredited data recipients to work across multiple sectors without making any changes to APIs.
  5. The non-functional requirements include minimum availability, maximum traffic expectations and data quality requirements. These requirements mainly apply to data holders.

System test requirements for current providers

You must test your IT systems to ensure they are working correctly in compliance with Consumer Data Right rules and standards in preparation for data sharing. See the ACCC’s testing approach for the November 2020 phase release for details, including the test stages, test scenarios and timing of industry testing.

System test requirements for new providers

On-boarding requirements

If you are a provider that is new to Consumer Data Right, you are required to go through on-boarding. On-boarding helps prepare providers to actively participate in the Consumer Data Right system.

Once you are successfully accredited (as a data recipient) or registered (as a data holder), you must on-board into the Consumer Data Right system, including successfully passing the Consumer Data Right Conformance Test Suite. You will then receive an active status on the Consumer Data Right Register after all on-boarding requirements are fulfilled.

This is the last step you must go through as a new provider before you can start sharing consumer data in the Consumer Data Right system.

More information about on-boarding can be found in the on-boarding frequently asked questions (FAQs). The Consumer Data Right On-boarding Guide, due to be published in October 2020, includes more detailed information on the end-to-end on-boarding process steps, legal requirements, technical requirements and expectations of providers.

Conformance Test Suite

Before you can participate in the Consumer Data Right system, you must test your software products and brands using the Consumer Data Right Conformance Test Suite. The secure testing process helps ensure your software products and brands comply with the Consumer Data Standards and the Consumer Data Right Register design.

Participants must pass the Conformance Test Suite before they receive an active status on the Consumer Data Right Register. An ACCC on-boarding officer will be in touch to help initiate the process once you are accredited.

Consumer Data Right Register requirements

Accredited data recipients must meet certain client registration requirements relating to the Register, which is designed and managed by the Australian Competition and Consumer Commission (ACCC). 

The Register is also known as the Register of Accredited Persons. 

Contribute to the discussion on the Register design on GitHub.

Information security controls

Schedule 2 of the Consumer Data Right Rules covers the minimum information security controls. An accredited data recipient must:

Requirement 1: have processes in place to limit the risk of inappropriate or unauthorised access to its Consumer Data Right data environment. 

Minimum controls are:

  • multi-factor authentication or equivalent control
  • restriction of administrative privileges 
  • audit logging and monitoring
  • access security
  • limiting physical access 
  • role-based access
  • unique IDs
  • password authentication.

Requirement 2: take steps to secure its network and systems within the data environment. 

Minimum controls are:

  • encryption
  • firewalls
  • server hardening
  • hardening of end-user devices.

Requirement 3: securely manage information assets within the Consumer Data Right data environment over their lifecycle. 

Minimum controls are:

  • data loss prevention
  • Consumer Data Right data in non-production environments
  • information asset lifecycle (as it relates to Consumer Data Right data).

Requirement 4: implement a formal vulnerability management program to identify, track and remediate vulnerabilities within the Consumer Data Right data environment in a timely manner. 

Minimum controls are:

  • security patching
  • secure coding
  • vulnerability management.

Requirement 5: take steps to limit, prevent, detect and remove malware in regards to its Consumer Data Right data environment. 

Minimum controls are:

  • anti-malware antivirus
  • web and email content filtering
  • application whitelisting.

Requirement 6: implement a formal information security training and awareness program for all personnel interacting with Consumer Data Right data. 

Minimum controls are:

  • security training and awareness 
  • acceptable use of technology
  • human resource security.

For more information, see Schedule 2, Part 2 — Minimum information security controls of the Consumer Data Right Rules.

Related links