Data Standards Advisory Committee, Meeting Minutes
Date: Wednesday 12 December 2018
Location: Data61, Level 5, 13 Garden Street, Eveleigh
Time: 14:00 to 16:00
Meeting: Committee Meeting No: 6
- Andrew Stevens, DSB Chair
- Kate Crous, CBA
- Martin Granell, AGL (via WebEx)
- Emma Gray, ANZ
- Mark Perry, Ping Identity
- Lisa Schutz, Verifier
- Ross Sharrott, Moneytree
- Lauren Solomon, CPRC (via WebEx)
- Stuart Stoyan, MoneyPlace
- Jamie Twiss, Westpac
- Luis Uguina Carrion, Macquarie Bank
- Mal Webster, Endeavour Mutual Bank (via WebEx)
- Andy White, AusPayNet
- Patrick Wright, NAB (via WebEx)
- Warren Bradey, Data61
- Ellen Broad, Data61
- James Bligh, Data61
- Luke Popplewell, Data61
- Mark Staples, Data61
- Michael Palmyre, Data61
- Terri McLachlan, Data61
- Stephen Bordignon, ACCC (via WebEx)
- Bruce Cooper, ACCC
- Jodi Ross, ACCC (via WebEx)
- Zoe Fitzell, OAIC
- Daniel McAuliffe, Treasury
- John Stanton, Comms Alliance
The Chair of the Data Standards Body (DSB) opened the meeting and thanked all committee members and observers for attending Meeting No 6.
The Chair welcomed new committee member Jamie Twiss from Westpac who is replacing Gary Thursby as the Westpac representative.
The Chair noted that at this meeting we will be focussing on two items, the Australian Competition & Consumer Commission (ACCC) Rules outline and the working draft standards.
It was noted that the Rules outline was shared with the committee members by the ACCC and the document was provided for the purposes of the Data Standards Advisory Committee meeting on 12 December to assist discussion and feedback. It was noted the document was still a draft and not for broader circulation beyond the members of the Advisory Committee. It was noted Bruce Cooper from the ACCC would discuss the key points as the next agenda item.
It was noted that the DSB undertook to summarise the feedback on the working draft of the standards which was included as Appendix A of the committee papers and via GitHub. Further discussion on next steps including the next version of the draft standards would be discussed in further detail later in the meeting.
The Chair thanked the Committee Members for their comments and feedback on the Minutes from the 15 November 2018 Advisory Committee Meeting. The Minutes were taken as read and formally accepted.
The Chair noted that the Action Items were either completed or would be covered off in discussion during this meeting.
Technical Working Group Update
A summary of the progress from the last committee meeting on the API Standards Working Group was provided in the Committee Papers.
The progress update was taken as read.
A summary of the progress from the last committee meeting on the Information Security Working Group was provided in the committee papers.
The progress update was taken as read.
A summary of the progress from the last committee meeting on the User Experience Working Group was provided in the committee papers.
The progress update was taken as read.
Summary of progress on working draft standards and December publication plans
Ellen Broad provided a brief update on the status of the working draft of the standards.
It was noted the DSB is preparing to release an updated version of the Working Draft of the Data Standards on Friday 21 December 2018. It was advised the updated draft will be more detailed than the 2 November 2018 version, taking into account feedback received from the eco-system participants. The December version will include a detailed information security profile, updated swagger and a human readable summary of the Working Draft of the Standards. It was noted that the DSB is continuing its work to incorporate within the standards the CX testing on language clustering, which is being done by Tobias & CHOICE. It was noted that a further review will be undertaken to ensure that the standards align to the Rules Outline. A three week period for feedback will commence from 1 January 2019.
A starting point for non-functional requirements (NFRs) will be published on GitHub on Monday 17 December 2018, with more NFRs for information security and CX planned, and will be open for feedback through to mid-January.
It was agreed to defer the discussion of the Use Case Review of how the draft standards will operate to the next meeting.
The Chair thanked the ACCC for sharing the draft Rules outline with the committee and acknowledged the conditions specified on the cover page in relation to it being a draft and that the document was not for broader circulation beyond the members of the Advisory Committee.
The ACCC noted that the Rules outline provides a summary of the ACCC position following stakeholder consultation and that some positions from the Rules Framework have changed in light of that stakeholder feedback. The positions in the Rules outline will be reflected in the formal drafting of the rules, which are expected to be published for further consultation in the first quarter of 2019.
It was noted that the Rules outline is a work in progress and it will change moderately prior to publication to reflect evolving decisions. The document has been circulated to enable discussion with the Committee and the ACCC confirmed it is happy to receive input at the meeting from committee members but they will not looking for further written submissions.
It was noted that the draft Rules summary will be published prior to Christmas and the ACCC acknowledged Data61’s help in reviewing and ensuring the standards and rules are aligned and implementable.
ACCC advised that the re-authorisation/consent period by consumers has changed from 90 days to 12 months, with a regular 90 day notification to the consumer required. A discussion was held on what the 90 days notification means and it was confirmed that this is a reminder to the consumer of the approval they have previously given to accredited third parties to receive their data.
A discussion was held on revocation of consent or authorisation. ACCC advised that if a consumer withdraws their consent through the accredited data recipient, the accredited data recipient must notify the data holder. Further discussion was held on whether the data holder needs to advise the recipient when it receives a revocation request and whether the recipient would be required to delete or de-identify the data. ACCC noted it will review the application of the rule further and clarify wording in the final version of the outline.
ACCC confirmed that the Request for Tender (RFT) for the development of the Directory and accreditation system is ongoing and that they are limited on what they can say at this stage.
A discussion was held on the treatment of redundant CDR data and the consequence where a consumer revokes consent. The Committee discussed use cases where it would be of value to both retain data and where it is better to delete redundant data. The ACCC advised that accredited data recipients must destroy or de-identify redundant CDR data and that accredited data recipients must apply the OAIC and Data61’s De-identification Decision-making Framework (DDF).
A further discussion was held on the deletion of data and the definition of redundant data. ACCC has taken on notice the use of the term ‘redundant’. It was noted that, while this term is not used in the Privacy Act, Australian Privacy Principle 11 includes a similar concept by requiring an entity to destroy or de-identify personal information where it is no longer needed for any purpose for which it may be used or disclosed under the APPs.
A discussion was held on the revised position on joint accounts noting joint holders will have the option to elect whether sharing requires individual or joint authorisation and that this authorisation process will be managed by the Data Holders. In the absence of an election, all joint account holders, regardless of current permissions for other activities on the account, will be required to authorise the sharing of data from a joint account. Authorities will be able to be provided at account level, rather than for each individual transaction.
It was noted that ACCC will consider further the consumer experience issues and whether revocation of consent, consent and authorisation dashboards should be included in version 2. A concern was raised about the timing and that it could take 12 months to build this proposed process.
ACCC confirmed that accounts held by offline and former customers and minors will be included in subsequent versions of the rules. The ACCC noted it has changed its position on including minors in version one of the rules, as it was clear from the consultation process that stakeholders did not support their inclusion at this stage.
Further discussion was held in regards to the CDR consumer and what type of consumer is in scope for version one (i.e. the extent of small businesses). ACCC agreed to review point 3.12 of the Rules outline and make it clearer prior to publication.
A discussion was held on the meaning of “complex” accounts, noting that ACCC had received support that complex accounts should not be within scope for version one of the rules.
A discussion was held on reciprocity and Authorised Deposit-taking Institutions (ADIs) (apart from the four major banks who will be data holders from 1 July 2019) who are accredited data recipients (ADRs). It was noted it is proposed they will become reciprocal data holders from 1 February 2020 and ADRs who are not ADIs but who hold designated data will be reciprocal data holders from 1 July 2020. A concern was raised about the four major banks being the only data holders from day one (1 July 2019), that this was not a fair level playing field, and that we could be creating a sizeable disadvantage to smaller banks who are keen to participate in the regime from day 1. ACCC confirmed that they don’t have the bandwidth to open this up and advised that this is a policy question not a Rules questions as it was a recommendation of the Open Banking review that smaller banks would have a delayed entry into the regime. It was agreed by ACCC to review this topic further.
Discussion was held on accreditation and ACCC advised that in version one there will be only one general level of accreditation that will enable accredited data recipients to receive any type of banking CDR data where consent has been provided by the consumer. The ACCC advised tiered accreditation will be needed when the CDR is extended to other sectors. There will also be no fee for application to become accredited and the ADRs will be able to receive all CDR data in scope for banking. ACCC advised that applicants must provide evidence and meet the criteria for registration to the accreditation process. It was noted accreditation details will be released in the first quarter of 2019.
A discussion was held on the criteria for the general level of accreditation. ACCC advised that the applicant must be a fit and proper person to manage CDR data and have adequate practices, procedures and systems in place to manage CDR data and information security risks. In regards to insurance, the ACCC advised that they are not proposing to mandate insurance, but the draft guidelines will require they have adequate insurance or a comparable guarantee in place. In regards to the information security risk this will be done through an independent audit of infrastructure and processes proposed by applicants.
It was noted that applicants will be required to provide a description of the service they intend to offer customers as an accredited data recipient but individual use cases will not be accredited as part of the process. This information will need to be supplied at the point of accreditation and in any annual reviews. ACCC confirmed that any change in the nominated address for service will need to be notified to the data recipient accreditor.
A discussion was held on the ISO 2700 standard and clarification as to whether this, and other recognised information security standards, would be accepted from day 1 to support accreditation by data recipients. ACCC advised it would review what guidance it can include and provide feedback.
A discussion was held on CDR customer data being provided directly to the customers and whether that data needs to be provided through an API. ACCC advised that in version 1 the data does not need to be shared via an API but can be shared directly with the consumer under pre-existing channels. A concern was raised as to the practicality of the difference in approaches and ACCC took this on notice.
A discussion was held on the accreditation criteria and international jurisdictions and how this will be managed. ACCC took this on notice.
Treasury advised that the bill for the Consumer Data Right Legislation didn’t get introduced to Parliament on the 6 December 2018 as planned. However, the Government believes there is still a pathway to get it through parliament and passed within the timeframes. It was noted that there is increased risk with the delay which the government is actively looking to minimise. Treasury advised that there are only seven Parliamentary sitting days in February 2019 and that it will be aiming to have the bill passed in the 1st week of April 2019, which means it would then be legally effective from the 2nd week in April at the earliest.
A discussion was held on any implications if there are delays to the Open Banking timetable and whether it will cause delays for the Energy sector. Treasury advised that the schedule for Energy hasn’t been adversely affected at the moment but it might face some delays if the banking sector has any significant slippage. Treasury is looking to issue a discussion paper on data sets and data holders for energy in the first quarter of 2019.
A discussion was held on the Phase 3 Products “personal loans” & “consumer leases” and the rationale for these being Phase 3 Products and not Phase 1 Products? It was noted the timing is purely for practical implementation reasons.
The issue of reciprocity was discussed and whether more sectors should be included early to minimise any competitive distortions that may occur in the economy. It was noted this is a policy issue and should be raised by participants with the Treasurer.
The Chair advised that the next meeting will be held on Wednesday 6 February 2019 from 2pm to 4pm and will be hosted by CBA at their Melbourne office.
The Chair advised that the 13 March 2019 meeting will be moved from Canberra to Sydney to allow more members to participate face-to-face.
Closing and Next Steps
The Chair thanked the Committee Members and Observers for attending the meeting.
Meeting closed at 4pm.