Data Standards Advisory Committee, Meeting Minutes
Date: Wednesday 15 November 2018
Location: Data61, Level 5, 13 Garden Street, Eveleigh
Time: 14:00 to 16:00
Meeting: Committee Meeting No: 5
- Andrew Stevens, DSB Chair
- Kate Crous, CBA
- Martin Granell, AGL (via WebEx)
- Emma Gray, ANZ
- Mark Perry, Ping Identity
- Lisa Schutz, Verifier (via WebEx)
- Ross Sharrott, Moneytree (via WebEx)
- Lauren Solomon, CPRC (via WebEx)
- John Stanton, Comms Alliance (via WebEx)
- Stuart Stoyan, MoneyPlace (via WebEx)
- Gary Thursby, Westpac
- Mal Webster, Endeavour Mutual Bank
- Andy White, AusPayNet
- Viveka Weiley, Choice
- Patrick Wright, NAB (via WebEx)
- Warren Bradey, Data61
- Ellen Broad, Data61
- James Bligh, Data61
- Luke Popplewell, Data61
- Mark Staples, Data61
- Meena Tharmarajah, Data61
- Michael Palmyre, Data61
- Terri McLachlan, Data61
- Scott Gregson, ACCC
- Stephen Bordignon, ACCC
- Anjelica Paul, OAIC (via WebEx)
- Daniel McAuliffe, Treasury
- Luis Uguina Carrion, Macquarie Bank
The Chair of the Data Standards Body (DSB) opened the meeting and thanked all committee members and observers for attending Meeting No 5.
The Chair noted that Luis Uguina Carrion from Macquarie was an apology for this meeting.
The Chair noted that the working draft of the standards was published on Friday 2nd November 2018 and that the consultation period will close on Friday 23rd November 2018. Whilst submissions received up to this date will help frame the release of an updated draft of the standards it was noted that feedback will continue to be received subsequent to this date for on-going consideration of issues.
It was also noted that some of the feedback that has been received so far concerns potential differences in the 2nd November working draft, as compared with the draft rules framework and final rules which are yet to be published by the Australian Competition and Consumer Commission (ACCC). Whether these are perceived or actual differences is being worked through with ACCC. It was noted the DSB will continue to work with the ACCC and Treasury to respond to feedback on the draft standards.
The Chair also noted that it would maximise the impact of feedback if it was specific to key issues in the working draft, included a recommendation on how best to deal with the issue, and was submitted via the DSB GitHub repository to maintain transparency for the community.
It was noted that the next deliverable for the Data61 team was to publish a new version of the working draft of the standards before Christmas. The Chair noted that whilst it looks like some of the pieces in the API standards are disjointed when represented as technical documentation, Data61 is moving into the stage of refining and revising based on feedback that has been received. The intention with the 2nd November draft was to be faithful to the micro-decisions made across the past three months, and as a result when rendered as Swagger there are some inconsistencies to be addressed. In addition, Data61 will increase the detailed information security content through regular updates on GitHub through to Christmas.
The Chair advised that the DSB was holding a Briefing Session on the Working Draft of the standards at the Sydney Start-up Hub this evening (15th November 2018) where it will be providing advice and a general update. The Treasury and ACCC will be in attendance to provide an update on the new regime and be available to answer queries from attendees. This session was massively oversubscribed and sold out with 60 registrations. Registrations have been received from banks, software companies, Fintechs, large global platforms and government sectors.
The Chair thanked the Committee Members for their comments and feedback on the Minutes from the 10th October 2018 Advisory Committee Meeting. The Minutes were taken as read and formally accepted.
The Chair noted that the Action Items were either completed or will be covered off in discussion for this meeting. The minutes were taken as read and formally accepted.
Technical Working Group Update
API standards Working Group
A summary of the progress of the API Standards Working Group since the last committee meeting was provided in the Committee Papers.
The progress update was taken as read and further conversation followed.
A discussion was held on the 90 day re-authorisation of consents proposal for consumers. It was noted that the initial proposal released in the rules framework was to have re-authorisations occur every 90 days. However, after considerable feedback during the consultation period the ACCC is considering the timing further.
It was noted that a high level summary of the draft rules determined by the ACCC is due to be released in December.
Information Security Working Group
A summary of the progress of the Information Security Working Group since the last committee meeting was provided in the committee papers.
The progress update was taken as read and further conversation followed.
It was noted that Luke Popplewell has recently joined the team. Luke will be facilitating the Information Security Workshops and working on strengthening version 1 of the standards with Seyit Camtepe who is the Security Information Research Lead. Feedback to these updates was provided via GitHub.
User Experience Working Group
A summary of the progress of the User Experience Working Group since the last committee meeting was provided in the committee papers.
The progress update was taken as read and further conversation followed.
It was noted that Michael Palmyre has joined the team as UX Lead on the user experience workstream. Michael will be working with Meena Tharmarajah who is the strategic adviser.
A discussion was held on authorisation granularity, and the extent to which consumers need or should be able to select information they do and don’t want to share with third parties. It was noted choices made about granularity in version 1 need to be extendable to future versions of the standard. Testing depth of information and choice consumers feel comfortable with will be part of testing in the UX workstream.
It was noted that Data61 is in the process of developing a roadmap and process for delivering guidelines on the consent experience for consumers sharing data and monitoring organisations with access to it. It was noted Data61 is hosting a kick off workshop with Tobias Design next week (20th November 2018) to define the best approach to testing and to put forward a proposal on how the DSB will test consumer consent.
A discussion was held on the Consumer Data Right (CDR) Map of Consumer Cases, Product and Data discussed at UX workshops in Melbourne and Sydney. Advisory Committee members queried why a box for “payment initiation” was included as a use case in that map. It was confirmed that payment initiation is out of scope for version 1 and therefore the UX workstream are not pursuing this as a use case currently. It was simply included on that map as the map gives a holistic view of the broader regime, beyond 1st July 2019 (and payment initiation was greyed out and labelled as out of scope). It was reiterated that payments are not in scope for now and were only briefly discussed during the UX workshops.
A discussion was held on the proposed selection of the user population to be included in initial testing; whether it will cover people with impairments, vulnerable populations like the elderly and whether there will be scope for larger research if required. The DSB confirmed that it intended to screen consent patterns and language with a small sample size and to be advised by CHOICE with regard to vulnerable population inclusions, with a further quantitative component testing insights from the research with a larger pool of consumers. A concern was raised about the limited amount of testing that has been proposed. This concern was noted by the Chair.
A discussion was held regarding maximising control for consumers while still supporting a simple, easy to use experience. Advisory Committee members queried whether, beyond the DSB’s testing, the ACCC are proposing to do further consumer research? ACCC noted that they are very conscious of the time constraints, are not proposing their own research and will look to the testing undertaken by the DSB to help inform them of any significant gaps.
Working Draft Standards
Ellen Broad provided an update on the working draft of the standards that were published on the 2nd November 2018. It was also noted that Data61 launched an overarching Consumer Data Standards website which included a human readable summary of the Working Draft of the standards.
During the August to October 2018 period, the DSB posted 33 decision proposals and 3 noting papers, and received 382 comments from 44 unique contributors, with an average of 10 comments per decision proposal.
It was noted that the working draft of the standard does not currently include a detailed information security profile, and release of this will be accelerated over the next 5 to 6 weeks. In parallel, the UX workstream is accelerating with its first area of focus looking at how to map the payloads as drafted for 2nd November to permissions language that consumers can consent to. It was noted that some details in the draft standards may change as this mapping is undertaken to ensure consumers comprehend what data they consent to share.
It was reiterated that this is very much a working draft and Data61 is reviewing all feedback and working out what needs to be refined and adjusted. Changes will continue to be incorporated and updates made to the working draft based on the feedback. A second version will be published before Christmas. It was also reiterated that Data61 will continue to accept feedback after the 23rd November 2018 submission closure date, with priorities beyond 23rd November 2018 still looking to follow an iterative, open process. The team is also considering how to make the commentary from the previous Decision Proposals more visible and easier to discover by new participants to the eco-system.
A discussion was held regarding product comparisons as a use case, and the potentially unnecessary depth of information consumers might have to consent to sharing to access this use case as contemplated in the current draft payload. It was noted by the DSB that this feedback has not been previously captured. Advisory Committee members were urged to add specific examples of these kinds of challenges to the GitHub.
A discussion was held on the three workstreams (API Standards, Information Security & Consumer Experience) and how they work together to consistently test appropriate use cases. It was noted that the DSB intends to choose approximately four UX cases to help make sure its workstreams are aligning on delivery, but noted these use cases are not supposed to be exhaustive, nor for version 1 or later versions is the DSB trying to exhaustively capture every use case.
A discussion was held on consumer privacy issues, and the amount of data linked to the consumer that they consent to share in exercising their consumer data right. Managing privacy expectations and concerns, and making clear to consumers what information they are consenting to share, will be very important.
Advisory Committee members queried whether the standards undergo a Privacy Impact Assessment (PIA). Treasury and ACCC noted that the ACCC will work with the Office of the Australian Information Commissioner (OAIC) to receive input from a privacy perspective on the rules that are governed by the ACCC. The standards give technical effect to the rules as described by the ACCC.
Advisory Committee members noted that the UK regulatory environment offers broader protections for consumers outside of Open Banking than are currently available to Australian consumers outside of the consumer data right.
Broader concerns around consent and protection of consumers need to be taken into account. The DSB noted that there are a range of policy and regulatory issues around protections for consumers. The UX workstream in the DSB doesn’t have a policy role. It will be focused on making the practical experience of consent for consumers, in the context of them exercising their consumer data right, as clear and informed as possible.
A discussion was held on APIs and the ex post review. It was confirmed that there will be a 12 month review at a granular level post implementation.
It was reiterated by the Chair that the standards will not be 100% right on day one (1st July 2019) and that a lot of work will be done from now till 1st July 2019 to ensure the standards cover the most important issues and are well tested. Going forward the standards will continue to grow and be refined to ensure they support innovative new technologies and evolving consumer expectations on how their data should be made available with their consent.
A discussion was held on the feedback that will be received from the draft standards and separating commentary into ‘high level’ feedback and ‘low level’ technical feedback. It was confirmed that the DSB will provide a summary of high level feedback to the Advisory Committee and community shortly after the submission deadline (23rd November 2018) and before publishing our next draft.
ACTION: DSB to provide a summary of high level feedback to the Advisory Committee and community.
Discussion was held on the need to provide a clear taxonomy of language employed in the standards. It was noted that particularly in product reference data, fields have different meanings for companies and there is a need to map this out with input from the banks. It was suggested the standards need to be more specific in this area and add descriptions about what each field means. It was noted this will be taken on board as the standards evolve and that Australian Banking Association (ABA) and other eco-system participants are assisting with definitions for day one (1st July 2019).
A discussion was held on non-functional requirements for API performance, and authorisation and authentication flows. Teams need visibility of these to build their internal systems. It was noted that a specific workshop had been conducted in Melbourne on these issues by the DSB and further work is being undertaken jointly with the ACCC and the outcomes will be shared as soon as possible, but noted realistically it will be towards the end of year.
A discussion was held on accreditation and ACCC confirmed that the legal drafting is still in process and that they will circulate the initial draft version as soon as possible. Advisory Committee members noted that clarification of what will be included in the next and later versions of the rules and standards would help with data holder and recipient budgeting and scheduling. It was noted that other data holders may be able to seek to register on day one (1st July 2019).
A discussion was held on the functional specifications and reporting requirements that will be designed by the ACCC. ACCC confirmed that this is currently under consideration and the requirements will be released as early as possible.
The Chair advised that numerous workshops and briefing sessions have been arranged to provide an opportunity for the wider eco-system to give feedback and discern emerging issues for incorporation into the subsequent drafts of the standards.
It was also noted that ABA are arranging a forum for more sensitive information security discussions.
The Chair noted that there was a range of outreach areas to provide feedback, input and general information from the Consumer Data Standards website, the draft standards site and the GitHub for any issues.
The Chair advised that there is a meeting scheduled with AEMO, ACCC and DSB after the committee meeting in regards to the energy sector and the timing for implementation. There are also discussions at COAG scheduled to occur in December on progressing the energy sector as this is a priority for State and Federal Energy Ministers. Further updates in regards to energy will be provided in due course.
The Chair advised that the next meeting will be held on Wednesday 12 December 2018 from 2pm at the Data61 offices in Eveleigh.
Closing and Next Steps
The Chair thanked the Committee Members and Observers for attending the meeting.
Meeting closed at 3:45pm.