Data Standards Advisory Committee, Meeting Minutes
Date: Wednesday 11 July 2018
Location: Data61, Level 5, 13 Garden Street, Eveleigh
Time: 14:00 to 16:00
Meeting: Committee Meeting No: 1
- Andrew Stevens, DSB Chair
- Emma Gray, ANZ (via WebEx)
- Martin Granell, AGL
- Mark Perry, Ping Identity
- Lisa Schutz, Verifier
- Ross Sharrott, Moneytree
- Lauren Solomon, CPRC
- John Stanton, Comms Alliance
- Stuart Stoyan, MoneyPlace
- Luis Uguina Carrion, Macquarie (via WebEx)
- Mal Webster, Endeavour Mutual Bank
- Viveka Weiley, Choice (via WebEx)
- Andy White, AusPayNet
- Patrick Wright, NAB
- Warren Bradey, Data61
- Ellen Broad, Data61
- Terri McLachlan, Data61
- Mark Staples, Data61
- Stephen Bordignon, ACCC
- Scott Gregson, ACCC
- Zoe Fitzell, OAIC
- Daniel McAuliffe, Treasury
- Kate Crous, CBA
- Gary Thursby, Westpac
The Chair of the Data Standards Body opened the meeting and thanked members for accepting the advisory committee membership invitation. It was noted the outcome of the Consumer Data Right regime is of national significance, and a unique and once in a lifetime opportunity and the onus is on us to do it well.
Due to the tight deadline of implementing the initial open banking standards by 1 July 2019, we have invited observers to attend the committee meetings for coordination purposes.
Advisory Committee Introduction
The Advisory Committee members and observers provided a brief outline of their background.
Outline of Agency Roles
Treasury - Daniel McAuliffe
The Treasury’s involvement started after the Productivity Commission Inquiry Report on data was released in May 2017 by PM&C. In parallel in July 2017, the Treasury announced the Review into Open Banking in Australia, chaired by Mr Scott Farrell.
Treasury will be overseeing the development of the Consumer Data Right (CDR) legislation, with its design informed by the recommendations of the Review and adopted by the Government.
A draft Bill setting out the proposed CDR regime is expected to be released for consultation in the second week of August. The draft Bill which will be released for consultation will continue to be refined by Treasury to take account of comments during the consultation period.
The main tasks for Treasury will be:
- Consulting on draft legislation
- Providing updates to the Minister on progress regarding implementation
- Providing advice to the Minister on future designated sectors
- Providing advice to the Minister on rules submitted by the ACCC for consent
ACCC – Scott Gregson
The Australian Competition and Consumer Commission (ACCC) recognised the importance of the CDR through active participation in the Productivity Commission Data Inquiry. ACCC will be lead regulator of the CDR regime.
The ACCC role is to:
- Empower consumers and foster competition
- Provide education and guidance to consumers on the benefits of the CDR
- Recommend future industries/sectors to government to be designated participants in the CDR regime
- Develop rules and accreditation schemes
- Take enforcement action to ensure compliance by participants
Three key items for ACCC are:
- Working closely together with all the stakeholders and co-parties - Data Standards Body, OAIC & Treasury – on the formation of CDR rules and accreditation processes
- Transparency – to be as open as possible
- Maintain strong interaction with OAIC to ensure privacy concerns are a core element
OAIC – Zoe Fitzell
The Office of the Australian Information Commissioner (OAIC) was established to bring together three functions:
- Responsibility for Privacy protection
- Freedom of information function
- Information management function
OAIC has a number of roles in the CDR regime, including an advisory role, overview of the privacy protection elements, and consumer complaints handing once in operation. OAIC will be the first port of call for complaints from consumers regarding breaches of their rights under the CDR regime. It is anticipated that as well as handling complaints, OAIC will have some investigative and enforcement powers.
OAIC will work with the Data Standards Body to ensure that the consumer’s privacy is well protected, and be an observer on the Advisory Committee.
In regards to education and awareness, OAIC will provide guidance to industry and provide education on consumer rights and how they can exercise their rights.
Data61 – Warren Bradey
Data61’s involvement arose from its previous role as technical advisor to the open banking review. Going forward Data61 will lead the development of technical data standards and support the operation of the Data Standards Body. Data61 will be the initial arms and legs to meet the implementation deadline. Data61 will facilitate the development of the practical standards, make recommendations for adoption of the standards to the Chair, and run a series of technical working groups to assist in the development of the standards.
A number of working groups will be established to support Data61 in the design and testing of the open standards it develops. This will be an open process and include input provided by the Advisory Committee and working groups. Draft guidance materials, API specifications and implementation materials will be shared openly.
Terms of Reference
TOR Advisory Committee
It was noted that the committee will act in an advisory capacity to the Chair and provide strategic advice on the design and implementation of the consumer data standards, agree principles and support engagement.
The interim committee consists of a total of 15 members. The Chair noted the Data Standards Body received 44 applications and a further 2 after the submission deadline, for 46 in total. In selecting the membership of the Committee from applications the main focus was to draw in people with implementation skills in the core areas of focus given the tight implementation deadline. Hence the immediate focus on the banking sector.
The committee consists of the following:
- 3 customer – facing fintech SME’s
- 6 banks (data holders) of different sizes
- 2 technology provider groups
- 2 representing energy and telecommunications sectors
- 2 groups representing consumers
- 3 x observers from Treasury, ACCC & OAIC
It was noted initial appointments are for 12 months and membership representation will change over time to reflect the introduction of different sectors to be covered by the regime.
The interim Chair will lead the work of the Data Standards Body to develop technical standards and make recommendation to the ACCC on the adoption of standards.
In regards to implementation, a draft timetable will be outlined by Warren Bradey from Data61 in the next agenda item. Things will no doubt change in the timetable, and we will need to bring forward the planning as much as possible to ensure a successful implementation. In the UK, it is understood IT implementation testing was limited. The objective of the Data Standards Body is to provide as much testing and development as possible. We have knowledge of the UK experience and we will leverage the UK standards as much as possible and in line with Government direction we will be adopting the UK standards except where there is a need for localisation.
Committee members raised a number of comments regarding implementation of technical standards, and the interplay between rules and standards. These included:
- A need for consistency across industries within the scope of the CDR, with common principles across sectors wherever possible
- The UK rules are outcome based rules. Given CDR is broader than the UK focus on banking we could facilitate more commonality for consumers and competition rules. We will see that as we develop
- To the extent possible implementation needs to be kept simple. A key point is consumer education
- There will be 3 working groups at least to provide input for the technical development of the standards – data API’s, information security, consumer experience. More groups should be created as required
- A need to ensure working groups are coordinated closely, so as to avoid producing conflicting outcomes. The Advisory Committee can provide input into working group membership, drawing on experts from within their organisation and network
- The UK regime is banking specific, while the Australian regime is broader in ambition. One method of consent may not be effective across all sectors of the economy
- Identity is outside of scope for the technical standards. The Open Banking review recommended relying on banks’ existing identity authorisations to manage consumer identity, however the definition of relying on the 'outcome' of identification (Farrell report) as opposed to the transmission of specific identification information was challenged due to fraud considerations. The working groups will need to consider user experience design and future trends. Need to be able to design for changes and slot in new fields etc. in standards for future evolution
- The energy sector does not have the same kinds of authorisation processes as in banking. A modular approach to standards will be needed, to accommodate different sector levels of data handling
- The Advisory Committee should be open to holding authorisation requirements in banking to a higher standard than other sectors
- Sound security principles for handling data breaches will be required. Data security is a key priority – both for transmission of data and storage
- A number of organisations are subject to laws operating in different jurisdictions. Whatever standards are adopted should broadly align with standards emerging in the UK and USA
- Standards may differ by sector as they need to meet consumer expectations
- Need to define which businesses and classes can be covered initially and in subsequent phases of implementation
- It was noted that the scope of the regime will include natural persons and activities covered by an ABN
- It was recognised it is a consent driven model for the legislation – it is the consumer’s right to share not an obligation
- The right does not provide economy-wide protections for consumers, it is only for the portability of defined sets of data
- In determining which accounts will be covered in the initial phase the definition of “commonly available accounts” is one of the challenges
- It was noted that the legislation is not dropping any privacy standards but should be a supplement. The role of the Data Standards Body is to design the plumbing to get value, and the plumbing needs to be transparent and informed
- Note the first phase is the customer / product / data and need to create a comprehensive definition that is simple to recognise
- It was agreed the Data Standards Body and CDR generally will need to adopt an agile approach to the development of standards and rules and adjust as needed on a continuous basis based on consumer use cases
- It was agreed there is a need to ensure that that the extreme cases are understood as to their implications but not be limited by them in making sure that it makes sense from the customer perspective
- It needs to be working really well on day 1. What data gets shared and for which use case must be clear for customers to understand
- The process and standards will need to find what is useful, valuable and meaningful to the consumer
- It was noted that the rules will need to clarify the extent and granularity of data that is to be accessed upon consent from the consumer
Comments in regards to the Terms of Reference:
- The TOR appears to limit the opportunity to develop different standards for new sectors by its core reference to banking.
- Do the same objectives apply to any sector? It was agreed this should be considered by the Committee further.
ACTION: Data61 to revise and re-issue the Terms of Reference in view of the comments of the Advisory Committee, particularly with regard to broadening the reference from Open Banking to CDR.
Ways of Working
Meetings – location, duration, correspondence between meetings
It was noted attendance at the Committee meetings is for individual committee members only and alternates are not proposed to be included. If members are unable to make a meeting, the Chair and Director will schedule a convenient time to meet to capture members’ input.
The meeting schedule was reviewed and a schedule of dates was agreed to be circulated.
ACTION: Circulate new dates/venues to Committee Members and observers.
Publication of minutes
The Committee agreed to the following:
- specific comments will not be attributed to individual members as part of the published minutes
- draft minutes to be circulated to committee members for comments prior to publication
Principles for standards proposed in Open Banking Review
The Committee reviewed the principles that were released in the Open Banking Review and the following comments were made:
- Design principle is valuable
- Need to weigh up what is valuable today vs what is valuable tomorrow so we enable future innovation
- A dynamic approach should be taken to standards development which will mean what goes live on 1 July may need updating regularly and a timing for updated versions will need to be agreed
- Security and privacy are absent in the proposed list and it was noted that this was on purpose as they were considered core to all principles of data transfer. The Committee suggested these principles should be included for completeness and to keep these issues top of mind in the development of the data standards
- Extensibility point needs to be defined more clearly as it was seen to be interpreted differently by several Members
- Agreed to add principles of Valuable and Useful to the list.
- Usability should be extended to include comprehension and control for consumers.
ACTION: Review whether Security & Privacy need to be added as a new principle
ACTION: Review Extensibility point and provide an updated version in the minutes for review
ACTION: Review whether Valuable and Useful need to be added as a new principle
ACTION: Review whether ‘Usability’ should be refined to include that consumers must be able to both comprehend and control what is happening to their data
Timetable for Standards
An outline of a draft timetable for the Standards was discussed with the committee members and will be shared when it is finalised.
The following timings were noted:
- Treasury expect to release draft legislation for industry consultation in the 2nd week of August 2018
- ACCC will release a draft framework of rules by early September 2018 for initial consultation
- Data Standards Body will release initial draft of core API standards for discussion
- In October 2018, Bill to be introduced to Parliament
- In February 2019, the draft legislation is expected to be passed by parliament. This will create legal entities and formally enable the creation of rules and standards.
- Transparency is important to the whole process
- The sector will need to work jointly with the Data Standards Body and ACCC in developing system solutions that can be tested and go live by 1 July 2019.
ACTION: Review other examples of Standards from around the world. Add agenda item for a future meeting to consider how Open Banking has been handled in other jurisdictions beyond the UK.
What is the Data Standards Body looking for from the Committee Members in regards to engagement?
- Active participation at committee meetings to discuss key issues for standards and issues that may need to be referred to ACCC as the rule-making authority
- Support and broader participation of organisation in technical working groups
What are the technical working groups?
- API standards
- Information Security
- User Experience (e.g. consent)
Will the technical working groups meet in person?
- It is proposed that the working group sessions will be largely held remotely via slack/GitHub or similar to minimise travel
ACTION: Align meetings and workshops of technical working groups with the committee meetings as appropriate
ACTION: Review membership of all working teams with the Steering Group to ensure that the right people were involved
Meeting schedule to be updated and circulated with the draft minutes.
Closing and Next Steps
The Chair thanked the Committee Members and Observers for attending the meeting.
Meeting closed at 3:58pm