Decision Proposal 222 - CX Standards | Insights and Trusted Adviser Disclosure Consents #222

Closed
CDR-CX-Stream opened this issue Nov 3, 2021 · 27 comments
Assignees
Labels
Category: CX A proposal for a decision to be made for the User Experience Standards Industry: All This proposal impacts the CDR as a whole (all sectors) Status: Decision Made A determination on this decision has been made

Comments

@CDR-CX-Stream
Member

CDR-CX-Stream commented Nov 3, 2021

January 28 2022: Decision Made
This decision was approved on 28 January 2022. The decision record is attached below:
Decision 222 - Insight and TA Disclosure Consents.pdf

As per Rule 7.5A, insight and trusted adviser disclosure consents are now permitted.


December 17 2021: v2 Proposal
This decision proposal relates to CX Standards for insight and trusted adviser disclosure consents.

This second iteration of DP222 progresses from the initial DP222 consultation, which concluded on 30 November 2021, and has been further informed by 2 rounds of consumer experience research conducted in November.

The v2 DP222 paper can be found below:
v2 Decision Proposal 222 - Insight and TA Disclosure Consents.pdf

This revised paper covers:

  • options for ADRs to make clear what an insight would reveal or describe
  • options for ADRs to notify consumers when disclosing data from the CDR environment

For an overview of the research conducted by the CX working group on insight and TA disclosures in Q4 2021, and a summary of the findings, see Miro | PDF

Feedback is now open for this proposal for an extended period to account for the end of year break. This consultation will close on Friday 21st January 2022.

Extension requests may not be considered given the extensive two stage consultation conducted for DP222 and the 1st February date for disclosure consents. We encourage participants to develop and post queries and submissions to DP222 early.


November 16 2021: v1 Proposal
The initial v1 decision proposal, which was consulted on in November 2021, can be found below:
Decision Proposal 222 - Insight and TA Disclosure Consents.pdf

The first DP222 consultation was conducted to collect initial feedback from the community.


Edit 28.01.22: Decision made
Edit 17.12.21: Decision proposal v2 published
Edit 16.11.21: Decision proposal v1 published

@CDR-CX-Stream CDR-CX-Stream added Status: Proposal Pending A proposal for the decision is still pending Category: CX A proposal for a decision to be made for the User Experience Standards Industry: All This proposal impacts the CDR as a whole (all sectors) labels Nov 3, 2021
@CDR-CX-Stream CDR-CX-Stream self-assigned this Nov 3, 2021
@CDR-CX-Stream CDR-CX-Stream changed the title Decision Proposal 217 - CX Standards | Disclosure Consents | Insights and Trusted Advisers Decision Proposal 222 - CX Standards | Disclosure Consents | Insights and Trusted Advisers Nov 9, 2021
@CDR-CX-Stream CDR-CX-Stream changed the title Decision Proposal 222 - CX Standards | Disclosure Consents | Insights and Trusted Advisers Decision Proposal 222 - CX Standards | Insights and Trusted Adviser Disclosure Consents Nov 16, 2021
@CDR-CX-Stream
Member Author

DP222 has been published for consultation and can be found in the original post.

CX research is currently underway to test several options in this paper. These include options 1, 2, 3, and 4 in the Insight Descriptions section, and options 1, 2, 3, and 7 in the Disclosure Notifications section. For an overview of the research being conducted by the CX working group on insight and TA disclosures, see Miro | PDF

DP222 outlines a range of identified options but makes no recommendations. This initial consultation is being conducted to collect feedback from the community before a subsequent decision proposal is published and consulted on in December/January, in which the DSB’s final recommendations will be proposed.

Feedback is open for this initial proposal and will close on Tuesday 30 November 2021.

@CDR-CX-Stream CDR-CX-Stream added Status: Open For Feedback Feedback has been requested for the decision and removed Status: Proposal Pending A proposal for the decision is still pending labels Nov 16, 2021
@commbankoss

CBA appreciates the opportunity to provide feedback on this Decision Proposal. Please see attached our feedback and recommendations.
DP-222 CBA feedback.pdf

@JTRlaw

JTRlaw commented Nov 30, 2021

Thank you for the opportunity to comment. I would raise the concern that insight disclosures and TA disclosures are grouped. This appears to disregard that a consumer must have identified their trusted advisers prior to any disclosure, that TA disclosure requests will be triggered by the consumer. A TA disclosure is not comparable to an insight disclosure which can be from a party completely unknown to the consumer and triggered by the party seeking the insight. In the CDR Rules, what is required around these two types of disclosures is separate and distinct. The CDR Rules recognise that a consumer will already have an agreement to engage a trusted adviser and it is that agreement that provides many of the protections under the CDR regime, such as privacy, even though the data is leaving the CDR ecosystem.
As such, to the proposed disclosure notifications, for trusted advisers, Option 1 is reasonable; Option 2, 3, 4, 5 are irrelevant as already established with a TA on engagement; Option 6 may be confusing as this complaints process refers to CDR data handling and may be misunderstood to refer to complaints with the consumer's TA or insight party; Option 7 n/a; Option 8: appears to create even more data for a consumer without a clear value proposition for the consumer.

@CDR-CX-Stream
Member Author

Thanks to those who provided comments. This feedback will be considered while developing the second iteration of DP222, which will specify the DSB's recommendations and be open for feedback until late January.

This thread will be left open for the community to provide further comments on queries relating to DP222.

@CDR-CX-Stream
Member Author

The below feedback was received from Consumer Policy Research Centre within the consultation period - it is being posted on their behalf with their permission:


DECISION PROPOSAL 222: INSIGHT AND TA DISCLOSURE CONSENTS

Insight descriptions

Feedback: All 5 options should be part of the standards, in particular 3, 4 and 5 with Option 1 being an alternative if Option 5, the actual insight, cannot be displayed. Below is specific feedback on some of the options.

Option 1: Insight Example
ADRs MUST provide an easy to understand example that demonstrates what they will reveal or describe to the non-accredited person using the insight. This example SHOULD be articulated conversationally and in a way that realistically portrays the specific insight being requested.

Feedback: Add “ADR SHOULD make every effort to confirm that the example is understood.”

Option 4: Insight Readability
This option proposes that ADRs achieve a specified readability level when describing insights. A grade 10 readability level is considered appropriate, flexible, and achievable. This is not specified in the proposed standard at this time, and the DSB welcomes feedback on an appropriate grade to specify.

This option can be articulated in the standards as follows:
ADRs MUST describe insights in a way that achieves grade (x) readability using the Flesch-Kincaid formula or the Automated Readability Index.

Feedback: Readability should be no more than Grade 10. Ideally, best practice is to aim consumer-focussed content between the Reading Grades of 5 and 10, and where possible around Grade 6. Anything higher increases the risk of consumers not understanding the content, rendering any consent as meaningless.

Option 5: Actual Insights
This option proposes that ADRs display the actual insight to the consumer prior to disclosing the insight to the non-AP. This will not be workable for certain use cases, such as insight consents with an ongoing duration, or scenarios where the insight cannot be generated until after the consumer has granted consent(s), such as a collection and use consent.

This option can be articulated in the standards as follows:
ADRs MAY display the actual insight(s) to the consumer prior to disclosing the insight to a non-accredited person.

Feedback: Possible rewording: ADRs SHOULD display the actual insight(s), where possible, to the consumer prior to disclosing the insight to a non-accredited person. If the actual insight(s) cannot be disclosed, consumer should be advised why this is not possible.

Disclosure notifications

Feedback: Option 1 (CDR Protections) and Option 5 (Non-AP Data Handling Summary) are key in ensuring consent is meaningful as the onus is placed on the ADR instead of the consumer to clarify what it means for consumer data to move out of the CDR ecosystem. The concern with Options 2, 3 and 4 is that the onus is placed back on the consumer to review other policies or other regulations themselves. Our research has shown that 94% of Australian consumers are not reading all of the privacy policies or T&Cs that apply to them in a 12-month period (Ref: CPRC’s 2020 Data and Technology Survey). This type of frictionless provision of information won’t enable consumers to provide genuine, informed consent.

Options 6, 7 and 8 are all relevant to ensure consumers are aware of redress, access and notifications.

Below is specific feedback on some of the options.

Option 1: CDR Protections
This option proposes that ADRs specify that non-APs, including TAs, will not be regulated as part of CDR.
This option can be articulated in the standards as follows:
ADRs MUST state that data disclosed to non-accredited persons, including trusted advisers, will not be regulated as part of the Consumer Data Right. ADRs SHOULD also include information on the Consumer Data Right.

Feedback: Possible rewording: ADRs MUST state that data disclosed to non-accredited persons, including trusted advisers, will not be regulated as part of the Consumer Data Right. ADRs SHOULD explain what this may mean for the consumer and also include information on the Consumer Data Right.

Option 5: Non-AP Data Handling Summary
This option can be articulated in the standards as follows:
If known, ADRs MAY provide a simple summary of how a non-accredited person will handle disclosed data. This MAY, for example, list key and meaningful elements of a non-accredited person’s Privacy Policy.

Feedback: Possible rewording: If known, ADRs MUST provide a clear and simple summary of how a non-accredited person will handle disclosed data. This MAY, for example, list key and meaningful elements of a non-accredited person’s Privacy Policy.

Option 6: Complaint Handling
This option proposes that ADRs display information on or instructions for how to make a complaint or resolve a dispute, such as through OAIC’s CDR complaints portal. This option can be articulated in the standards as follows:
ADRs MUST provide information on making a complaint and dispute resolution. This MAY include a direct link to the CDR complaints portal or information on how to lodge a complaint with another dispute resolution body.

Feedback: Possible rewording: ADRs MUST provide clear and simple information on making a complaint and dispute resolution. This MAY include a direct link to the CDR complaints portal or easy-to-access information on how to lodge a complaint with another dispute resolution body.

@spikejump

@CDR-CX-Stream Thank you for keeping this thread open for additional comments.

Insight
Option 2:
Insights can be derived from many different data sources; some CDR and some non-CDR. One insight can affect another insight with sharing of only the later insight. This makes an insight period not easily referenceable. Moreover, an insight sharing may be an on-going consent - the non-AP may require the insight on a daily/weekly/monthly etc basis. Combined, they make a MUST for a period of insight to be difficult to be accurately presented to users.

Option 3:
We're supportive of this option. We do note that while it may be possible to explain why the non-AP requires the insight at a high level, ADRs should not be required to explain how the insight will be used.

Option 5:
For an ongoing insight consent, it will not be possible to display the actual insight to the consumer before it is shared. In such a case, consumers should provide consent to the types of insights (in general terms) that will be shared with third parties if they choose to use that third party's services via the AP's platform. We're only supportive of this option as a MAY.

Disclosure
Option 3:
We're not supportive of this. It should not be the responsibility of the ADRs to disclose regulations etc. relied on by the non-AP for the disclosed data. It would be cumbersome and a burden, particularly where there are hundreds if not thousands of non-APs. ADRs can't be expected to make enquiries and keep up to date the rules and regulations or privacy policies for each.

Option 4:
We're not supportive of the strong wording that non-AP "may not be subject to regulations such as Privacy Act". The wording may cause unnecessary alarm & friction for consumers. The disclosure of non-AP's compliance to regulations should be contained in their T&C's and not be a requirement for ADRs to specify. It is more sensible for ADRs to recommend consumers to verify non-AP's compliance to regulations before providing consent.

Option 5:
We're not supportive of this. This option is not feasible where ADRs will share data with hundreds/thousands of Trusted Advisors or third parties, where ongoing consents will be required. It should not be incumbent on an ADR to describe to the consumer how a third party manages its data. Nor should an ADR have the liability for doing so if in fact, the third party does not comply with its policy or changes it. Again, the customer can and should verify this with their non-APs.

Option 6:
We're not supportive of adding additional notification for only Disclosure consent when there’s already a mandate for ADRs to inform customers of the complaint process via CDR Policy. Existing mandate is applicable for all CDR consents. Making it an additional callout for Disclosure consent is unnecessary.

@CDR-CX-Stream
Member Author

Thanks @spikejump for your submission. We did not receive this feedback in time to incorporate it into the second iteration of DP222, but it will be considered as part of the final consultation. We encourage further feedback on the second version of DP222 in this period.

@CDR-CX-Stream
Member Author

The second iteration of DP222 has been published and can be found in the original post.

This DP progresses from the initial DP222 consultation, which concluded on 30 November 2021, and has been further informed by 2 rounds of consumer experience research conducted in November.

Feedback is now open for this proposal for an extended period to account for the end of year break. This consultation will close on Friday 21st January 2022.

@darrenbooth

v2 DP222 refers in a number of instances to a 'non-accredited person' ('non-AP'). The Rules v3 however do not state that insight disclosures relate only to a 'non-accredited person'. Instead the Rules state that the ADR may be authorised to disclose CDR data to a 'specified person'.

Further, the Rules v3 Explanatory Statement clarifies that the CDR Rules allow a consumer to consent to an ADR sharing CDR insights containing the consumer’s CDR data with 'any person'.

The difference between a non-accredited person vs a specified person and/or any person is a very small but hugely significant difference in relation to the consent options in v2 DP222.

The CDR Rules no longer apply to an insight once disclosure has been consented to. A consumer may therefore consent to an insight being disclosed to an Accredited Data Recipient (a specified person and/or any person), such that the disclosed insight is no longer required to be regulated as part of the Consumer Data Right and is not within the boundary of the ADR's CDR data environment.

Further the Rules and Explanatory Statement state a specified person and/or any person NOT another specified person and/or another person. The ADRs therefore could (under the Rules) nominate themselves as a specified person, such that the insight is disclosed to them, with the disclosed insight no longer required to be regulated as part of the Consumer Data Right and not be within the boundary of the ADR's CDR data environment.

Whilst you may be asking yourself why would an ADR want to disclose an insight to another ADR or themselves such that the CDR Rules no longer apply, this is not the role of the DSB. The role is to apply the Rules in the CX, which is not currently achieved by the CX standards outlined in v2 DP222. There are a number of use cases facilitated by the sharing of an insight with an ADR (either another or themselves).

Comment
The Insight Disclosure Consents should be updated to reflect the actual Rules in effect (disclosure to a specified person and/or any person), not an interpretation of them (disclosure only to a non-AP).

@RobHale-Truelayer

In response to @darrenbooth's earlier comment our understanding is that the rules will always take precedence and the standards cannot supersede the rules. However, it may be helpful to get clarification on this particular item in order to resolve what appears to be some unintended ambiguity within DP222 v2. Perhaps the DSB and Treasury could provide a definitive view here?

@CDR-CX-Stream
Member Author

@darrenbooth and @RobHale-Truelayer thanks for raising this query. We are finalising a response with other CDR agencies and will post it here soon.

@TT-Frollo

Frollo has some comments regarding the In the Cx artifact, Hypothesis 1 states that
• All participants understood insights were being disclosed to non-APs for a particular purpose and on a once-off basis only

My understanding from the rules is that Consents can be for a single occasion or periodic and different consents may be for different time periods – see rule 1.14(1). This includes a consent for an insight.

If this is correct then a Cx example of how a single consent for insights that occur regularly (example monthly) could be established.

@TT-Frollo

TT-Frollo commented Jan 17, 2022

Under 1.10A Types of consents, both a TA disclosure consent and an insight disclosure consent are conveyed as two different types.

(iii) to a trusted adviser of the CDR consumer (a TA disclosure consent);
or
(iv) to a specified person in accordance with an insight disclosure consent;

The Cx artifact provides an example that appears to be more related to an insight than a TA disclosure. Given a disclosure to a TA may not be an insight but part of the ADR's software product, an example specific to a TA disclosure would be helpful.

Also, how does the Cx support the rule that requires a consumer to select the person to whom the CDR data may be disclosed?

@CDR-CX-Stream
Member Author

@TT-Frollo thanks for raising these points - in response:

Consents can be for a single occasion or periodic and different consents may be for different time periods

That's correct - the CX artefacts only demonstrate a once-off disclosure as this is what was tested in consumer research, but it is also possible to disclose insights on an ongoing basis. CX guidelines will be finalised following this consultation that make this clear.

The Cx artifact provides an example that appears to be more related to an insight than a TA disclosure. Given a disclosure to a TA may not be an insight but part of the ADR's software product, an example specific to a TA disclosure would be helpful.

These CX artefacts focus on demonstrating the proposals and as such are limited in scope. The flow is based on insight disclosures but also demonstrates what the disclosure notification proposals may look like, which relates to both insight and TA disclosures. CX guidelines specific to TA disclosures will be developed following this consultation.

how does the Cx support the rule that requires a consumer to select the person to whom the CDR data may be disclosed?

This will also be clearly demonstrated in finalised CX guidelines. One possibility was linked to in the decision proposal here (see the 'trusted adviser nomination' stage), but importantly these artefacts were developed for the v2 rule consultation and not the latest rules and will likely differ to the finalised trusted adviser CX guidelines.

@CDR-CX-Stream
Member Author

CDR-CX-Stream commented Jan 18, 2022

The Treasury, DSB, ACCC, and OAIC have agreed on the below clarifications in response to @darrenbooth's original queries, specified below:

Query 1

A consumer may therefore consent to an insight being disclosed to an Accredited Data Recipient (a specified person and/or any person), such that the disclosed insight is no longer required to be regulated as part of the Consumer Data Right and is not within the boundary of the ADR's CDR data environment.

While an insight disclosure can be provided to any person, should that data be provided to an entity regulated by the CDR, the data would remain subject to the CDR Rules and Privacy Safeguards. As such, the ADR must treat the data in accordance with the requirements of the CDR.

Insights remain CDR data and therefore, entities that are regulated by the CDR must treat the data in accordance with the requirements of the CDR. Under the Competition and Consumer Act, an accredited person becomes an ADR for CDR data if that data was disclosed to it under the CDR Rules, and it is not a data holder/gateway for the data (s 56AK). As CDR insights will be CDR data disclosed under the CDR Rules, the recipient accredited person will become an ADR for that data. This means the recipient will need to comply with all applicable privacy safeguards in relation to the disclosed insight, including in relation to the use and security of that data.

There are existing mechanisms in place which would allow an insight-like disclosure to occur from ADR to ADR without the need to use an insight disclosure consent. The relevant existing mechanism which would allow disclosure of CDR data from an ADR to an Accredited Person is an AP disclosure consent. For example, an AP disclosure consent could currently be used to disclose CDR data that would underpin a CDR insight without an insight disclosure consent.

Query 2

Further the Rules and Explanatory Statement state a specified person and/or any person NOT another specified person and/or another person. The ADRs therefore could (under the Rules) nominate themselves as a specified person, such that the insight is disclosed to them, with the disclosed insight no longer required to be regulated as part of the Consumer Data Right and not be within the boundary of the ADR's CDR data environment.

An ADR could not disclose CDR data to itself. This is because a ‘disclosure’ occurs when data is made available to another person or entity (see further guidance here). If an ADR transferred CDR data to its own databases outside the CDR ecosystem, this would be a ‘use’ of CDR data and all handling of that data would still be subject to CDR regulatory obligations.

Query 3

The Insight Disclosure Consents should be updated to reflect the actual Rules in effect (disclosure to a specified person and/or any person), not an interpretation of them (disclosure only to a non-AP).

In line with the above clarifications, the proposed ‘Disclosure Notifications’ standards from page 5 will not be amended to refer to ‘any persons’. This is because these proposals are intended to apply only when the disclosed data will not be subject to CDR regulation, such as when insights are disclosed to a non-accredited person or any CDR data is disclosed to a trusted adviser (who is also a non-accredited person). The proposed ‘Insight Descriptions’ standards from page 3 will not be amended to refer to ‘any persons’ either unless this change is raised through consultation and considered appropriate. Referring only to 'non-accredited persons' in the decision proposal, or in any finalised standards, would not alter the rules as the standards cannot supersede the rules. As such, the proposed standards would not prevent insights being disclosed to ‘any person’ in line with the above interpretations.

@darrenbooth

Thanks for the clarification.

Given the view that an insight is always CDR data in an ADR's environment, this implies that the consent flow, CDR Receipt and CDR Dashboard are now going to contain CDR data, as the insight should/needs to be provided to the consumer through these. How has this been considered, as it seems that they would now be subject to CDR regulatory obligations?

Consent data has never previously been considered CDR data given it did not contain any actual CDR data (or derived data). Decision proposal 222 results in the consent flow, CDR Receipt and CDR Dashboard containing CDR data. How has the contradiction between consent information retention and the CDR Rules for redundant CDR data been considered?

Do ADRs also now need to bring these consent methods inside the scope of their CDR data environment boundary, and ensure that they comply with Privacy Safeguard 12? For example, how can an ADR comply with the DLP control in Schedule 2 Part 2 when emailing a CDR Receipt containing an insight?

Please confirm whether a consent flow, CDR Receipt and CDR Dashboard containing an insight is now going to be considered as containing CDR data and subject to CDR regulatory obligations.

@commbankoss

CBA welcomes the opportunity to review and comment on this updated Decision Proposal and is supportive of the changes.

@NationalAustraliaBank

Hi team, below is our feedback on DP #222.

Insight descriptions

Option 1
NAB agrees with this in principle but believes that it should be combined with option #5 (actual insights). That is, ADRs MUST provide an easy-to-understand description which MAY be the actual insight.

Option 2
NAB supports this option.

Option 3
NAB supports this option.

Option 4
NAB believes that this option is heavy-handed and will restrict the flexibility required when communicating. NAB suggests that this be downgraded to SHOULD, and remove references to reading grades.

Option 5
NAB supports this option.

Option 6
NAB does not support this option in current form and believes it should be MAY. Whilst NAB supports the principles of transparency, NAB believes this information is unlikely to be useful; it’s more likely to be disregarded and distract from more important information.

Disclosure notifications

Option 1
NAB supports this option.

Option 2
NAB supports this option.

Option 3
NAB does not support this option.

NAB believes that it’s the ADR’s responsibility to inform the customer of the risks of leaving the CDR ecosystem, but that ADRs should not be required to reach beyond the ecosystem and provide information on third parties.

There is inherent risk in leaving the ecosystem, NAB believes that reduction of this risk is not the responsibility of the participants within it. NAB believes that this risk reduction should rest on the third parties themselves, who should inform the consumer to the point the consumer is confident their data will be safe.

Option 4
NAB believes that this option MUST be a disclaimer for all disclosure notifications, rather than based on known/unknown (see points above).

Option 5
NAB supports this option, noting that trusted advisors should somehow be encouraged to provide ADRs their intentions with the data. That is, the trusted advisor should be the source of this information, not the ADR’s best guess.

Option 6
NAB supports this option.

Option 7
NAB supports this option.

Option 8
NAB supports this option.

@AdatreeCDR

AdatreeCDR commented Jan 21, 2022

Thanks @CDR-CX-Stream for the opportunity to give feedback. Our feedback is below.

Insight Descriptions

Option 1 - Insight Description

  • The Must is supported.
  • The Should is not supported. If an insight is easy to understand, then an example isn’t necessary and further crowds an already verbose process.

Option 2: Time of Insight Generation

  • The Must is supported but should be reflected in the same way that consumers consenting to ADR data sharing see the time period of data sharing.
  • The Should is not supported.

Option 3: Purpose of Insight

  • This should not be upgraded to must. The purpose isn’t binding or limited. As the insight is non-CDR data, it will likely be used for other purposes, e.g. internal reporting.

Option 5: Actual Insights

  • This should not be upgraded to must. Insights may not be generated in a time period that is timely for consumers. Also only applies to one-off insight sharing and not future-dated ones. They can request information from the company receiving the insights if wanted.

Option 6: Insight Generation

  • We do not support this suggestion. This should not be a Must. Consumers ask for a service to be done and don’t ever ask how it happens. Showing them ‘machine learning’ will make them ask more questions than comfort given. It won’t be specific enough to be useful anyway. How an ADR generates the insights is their IP. In the unlikely event that a consumer is interested, they can look at the ADR’s CDR Policy and OSP list for potential actors too.

Disclosure Notifications

Option 1: CDR Protections

  • The Must is supported. Would go further to say what that means - as in, the right to deletion or de-identification
  • The Should is not supported. There is adequate information in the CDR Policy.
  • The May is not supported. If required, put in the ADR CDR Policy.

Option 2: Non-AP Handling

  • This is not supported. Realistically, Active intermediaries like Adatree will have hundreds of non-ADR clients generating Insights. It is not up to the ADR to ask how the business client will handle their data and keep up with any changes. If it isn’t regulated, treat it as so.

Option 3: Non-AP – Known Regulations

  • This is not supported on the same basis as Option 2. This should not be included. How will this be scalable to know and keep up with every non-ADR? What if it is out of date - who is responsible? It is up to the non-ADR receiving insights to communicate security and policies with their customers, not the ADR. This is information overload for the consumer.

Option 4: Non-AP – Unknown Regulation

  • This is not supported. This is more of a hindrance to the consumer than not. Be clear it is not CDR data, can’t be deleted or undone, once it is agreed. Considering the importance of readability above, this doesn’t fit the bill.

Option 5: Non-AP Data Handling Summary

  • The standards govern CDR, not non-CDR data. This is not supported.

Option 6: Complaint Handling

  • It isn’t provided to consumers outside the CDR Policy now, so why should it be different for Insights? If anything, it should link to the non-ADR’s complaint policy, not the ADR’s, since it is not CDR data anymore and the relationship is with the non-ADR.

Option 8: Notification Record

  • Supported only if it mimics the existing disclosures in the CDR receipts and dashboard.

Implementation Considerations

4. What requirements should be considered to ensure consumers are informed about the disclosure of their data outside of the CDR environment?

Nowhere does it say the difference between CDR & non-CDR data and the implications in plain English.

Would suggest confirmation like:

  • Deletion and de-identification protections no longer apply
  • Who the consumer can complain to about what topics

Be clear about insights based on both CDR & non-CDR data and what protections do or do not apply.

@JTRlaw

JTRlaw commented Jan 21, 2022

Trusted Advisers should not be captured in the same standards as those seeking insights.

The identification of TAs, the restrictive list of who is a TA, in the Competition and Consumer (Consumer Data Right) Rules 2020 recognises that these groups of professionals are held accountable to professional standards, the majority are licensed therefore regulated and are accountable to the Privacy Act 1988.

That is, while not accredited within the CDR regime, TAs are held accountable on matters of privacy, usage and secure storage of personal data.

We therefore seek consideration of specific CX Standards for disclosure to TAs as required under Rule 8.11 (1)(c)(v), rather than being grouped with the CX Standards designed to meet 8.11 (1A), insight disclosures, which are disclosures to non-accredited persons under the CDR, unregulated by Government agencies, are not held to professional standards and who are not a TA of the consumer.

In respect of the proposals from the TAs' perspective, in relation to disclosure notifications:

  1. Obligations

Option 1 is reasonable - to advise a consumer that TAs are not regulated as part of the CDR.

Options 2, 3, 4 and 5 are excessive and beyond the control of the CDR regime.
Primarily as data disclosed to a TA is no longer CDR data therefore it is not the role of the Data Standards Body to place obligations on CDR participants for potential actions outside of CDR regime.

Option 6, with the proviso that it is clear that the dispute process relates solely to matters within the CDR regime, not matters with their TA or privacy breaches, is reasonable.

Option 7 is not applicable to TAs.

Option 8 is duplication, therefore unnecessary.
The data disclosed to a TA will be evident in the provision of the service that TA has been engaged to provide.
This is an unnecessary requirement placed on the data recipient and duplication of information on an already crowded consumer dashboard and CDR receipt.

  1. Which options do you support.
    As indicated above, for disclosures to TAs, we support options 1 and 6.

The distinction of TAs within the CDR Rules acknowledges the trusted relationship between those professionals and their clients, consumers. TAs are known to, and nominated by, the consumer. Critically, data provided under a TA disclosure is no longer CDR data and not subject to data standards within the CDR regime.

@TT-Frollo

Insight descriptions
Option 1
Similar to NAB, Frollo agrees with this in principle but believes that it should be combined with option #5 (actual insights). That is, ADRs MUST provide an easy-to-understand description which MAY be the actual insight.
Option 2
Frollo supports this option.
Option 3
Frollo supports this option.
Option 4
Frollo believes that this option will restrict the flexibility required when communicating. There is a fair amount to communicate already with insights and disclosures. Frollo suggests that this be downgraded to SHOULD, and remove references to reading grades.
Option 5
As per feedback in option 1. These two options can be combined.
Option 6
Like NAB, Frollo does not support this option in current form and believes it should be MAY. Whilst Frollo supports the principles of transparency, we believe this information can distract from more important information.
Disclosure notifications
Option 1
Frollo supports the MUST condition. However, the SHOULD information is a repeat of information likely given at the time of collection consent and other places in the user journey.
Option 2
Frollo supports this option.
Option 3
Frollo supports this option.
Option 4
Frollo supports this option.
Option 5
Frollo supports this option.
Option 6
Frollo supports this option but suggests the SHOULD statement should link to the CDR policy and NOT to a specific section of the CDR policy. Getting to a lower level of detail within a document is a further burden and CDR policies are governed for good readability.
Option 7
Frollo supports this option.
Option 8
Frollo supports this option subject to changes recommended in regard to insight options.

@amanuel13

Option 1 - Insight Description
• Should is not supported and Must is supported to ensure a description is clear and concise of what it is.
Option 2: Time of Insight Generation
• Must is supported so a consumer knows at what point of time the insight is being given consistent with other CDR results they may receive directly from ADRs.
Option 3: Purpose of Insight
• Must is supported so the consumer is clearly aware that it is not directly or not direct CDR data and insights use.
Option 5: Actual Insights
• Must is supported to ensure as with option 1 it is clear to the consumer what and when about an insight.
Option 6: Insight Generation
• Neither Must nor Should is supported as it is viewed this is not information a consumer will require if Option 1 is clear and would be “excess information” overload.
Disclosure Notifications
Option 1: CDR Protections
• Must is supported as it would be consistent with the Consumers CDR right tenet for their information/data to be deleted or de-identified.
Option 2: Non-AP Handling
• As an ADR in sponsoring or providing data to non-ADRs has a responsibility and must have a process for ensuring/confirming their compliance with CDR rules to enable themselves to be compliant. This option is not supported as it would add an impost in time and effort that could not be justified or in practical terms able to be carried out or needed.
Option 3: Non-AP – Known Regulations
• Consistent with the basis of not supporting option 2 this option is not supported. The consumer will be already expecting and would be assured by the non-ADR in their services conditions that it will be compliant with the CDR rules in providing the insight.
Option 4: Non-AP – Unknown Regulation
• This is not supported and could not be enforceable.
Option 5: Non-AP Data Handling Summary
• This option is supported as it will provide consumers with a concise summary without information overload of unnecessary details outside the scope or intent of the CDR Rules.
Option 6: Complaint Handling
• As an ADR in sponsoring or providing data to non-ADRs has a responsibility and must have a process for ensuring/confirming their compliance with CDR rules to enable themselves to be compliant. However, creating this extended obligation on an ADR to be actively involved is not supported. The non-ADR would and must have its own complaint policies and procedures provided to a consumer that it would enable the non-ADR to be compliant with its sponsorship conditions.
Option 8: Notification Record
• This is supported to be consistent with the direct consumer DH/ADR CDR consumer standards and experience.
Implementation Considerations
It must be made clear to consumers whether data is CDR or non-CDR/insights being provided by the NON-ADR.

@CDR-CX-Stream
Member Author

Thanks to everyone who provided feedback. This conversation will now be locked while the submissions are considered and the DP222 standards are finalised.

@ConsumerDataStandardsAustralia ConsumerDataStandardsAustralia locked and limited conversation to collaborators Jan 23, 2022
@CDR-CX-Stream CDR-CX-Stream added Status: Decision Made A determination on this decision has been made and removed Status: Open For Feedback Feedback has been requested for the decision labels Jan 28, 2022
@CDR-CX-Stream
Member Author

Thanks @darrenbooth for the follow up query. We are in the process of developing a response.

@CDR-CX-Stream
Member Author

This decision was approved on 28 January 2022 and as such the CX standards for insights and trusted adviser disclosure consents have now been made by the Data Standards Chair. The decision record can be found in the original post.

As per Rule 7.5A, insight and trusted adviser disclosure consents are now permitted.

@CDR-CX-Stream
Member Author

Following a request for clarification, the below statement in a previous response:

There are existing mechanisms in place which would allow an insight-like disclosure to occur from ADR to ADR without the need to use an insight disclosure consent.

will be further clarified by adding the following:

The relevant existing mechanism which would allow disclosure of CDR data from an ADR to an Accredited Person is an AP disclosure consent. For example, an AP disclosure consent could currently be used to disclose CDR data that would underpin a CDR insight without an insight disclosure consent.

The original post will be edited to include this clarification.

@ConsumerDataStandardsAustralia ConsumerDataStandardsAustralia unlocked this conversation Jan 28, 2022
@CDR-CX-Stream
Member Author

This decision was incorporated into the v1.16.0 release.

This issue will be closed but a response to this query is pending. We aim to post that response here and/or reflect a clarification in the CX guidelines relating to insight and TA disclosure consents.

@ConsumerDataStandardsAustralia ConsumerDataStandardsAustralia locked and limited conversation to collaborators Feb 6, 2022