February ’19 | Consumer Experience Workstream
CX Update Package
Dear Consumer Data Right participants and other interested parties,
The Consumer Experience (CX) Workstream has put together a release package for public sharing and community feedback. This update includes links to the Phase 1 CX Report, CX Standards outline, and Consent Flow Prototypes, which will live in the reports section of consumerdatastandards.org.au. This post also highlights key recommendations and considerations, as well as details on the 2 week feedback period that will close at 5pm on Friday March 15.
Please read this post in addition to reviewing the Phase 1 CX Report, CX Standards, and Consent Flow Prototypes. Links to each item can be found below in the relevant section.
Phase 1 CX Report
This report covers the findings and preliminary recommendations from several rounds of research conducted by Tobias, CHOICE, and Data61. The first draft of the CX Standards will be based on these recommendations and community feedback.
Prototypes of the Consent Flow
Data61 updated Phase 1 prototypes to incorporate recommendations and other considerations. The basis of these recommendations is in the Phase 1 CX Report.
These prototypes cover two use cases: Applying for Credit and an Accounting Tool. These use cases are not indicative of what will be prioritised or provided for in the standards; they were chosen for research purposes.
NB — The InVision (clickable) prototypes may lack some interaction. If the interaction doesn’t appear to be working, clicking/tapping the screen will reveal a transparent blue ‘hot-spot’ to guide you.
Apply for Credit Prototype
(Data recipient: aBank; Data holder: ABC Bank)
InVision Prototype: https://invis.io/STQLQSU645P#/348930756_1-0-_Credit-ABank-_Loading
Accounting Tool Prototype
(Data recipient: The Accounting Tool; Data holder: ABC Bank)
InVision Prototype: https://invis.io/VUQLQWFP8AM#/348914615_1-0-_Accounting_Tool-_Loading
CX Standards (DRAFT STRUCTURE)
This is the basic structure that we are proposing for the CX Standards. The first draft of the CX Standards will be based on the Phase 1 CX Report recommendations and community feedback, and as such the current CX Standards will be populated with content in later phases. We welcome feedback on the structure, what you feel we should/shouldn’t include, and what you feel should/shouldn’t be within our purview.
Focus areas for review
The key areas of this update that require particular attention include:
- CX recommendations for data clusters and corresponding language
- The proposed Consent Flow (consent, authenticate, authorise flows)
- The proposed ‘Redirect to Known Channel Authentication’ model (NB this is only indicative and has not been tested)
- The proposed structure of the CX Standards
- Considerations for the CX Workstream’s next steps
Some broader recommendations that need to be considered are listed below. These recommendations will be incorporated into the CX Standards pending review and wider consultation.
1. Basic purpose of data sharing to be shared with the data holder
Based on our research, we recommend that the data holder receive the basic purpose of data sharing as part of the authorisation request. The current understanding of revocation is that revoking data sharing would cancel any associated product/service. This recommendation will allow consumers to better understand the consequences of revoking authorisation, including which services/products they may be cancelling. We believe this would go some way in mitigating revocation confusion (which was an issue) and would provide a more informed experience than revoking authorisation to e.g. ‘aBank’ with no context or other information. This recommendation is not in the Phase 1 CX Report but is being made in anticipation of further revocation needs; it is yet to be fully tested, but including the purpose of data sharing in Phase 1 Consent Flow testing did assist with comprehension during authorisation flows. This recommendation has been discussed with ACCC but needs to be considered further, including by information security professionals and the wider community.
2. Standardised communication of consent duration
We recommend that the duration of consent be communicated in standardised time-based units e.g. x minutes, x hours, x days, x months. This recommendation is specific to ongoing consent, but the research indicates value for consent duration generally, as participant interpretations of ‘once-off’ and ‘one-off’ were very inconsistent. We also recommend that month-based consent durations align to calendar dates rather than number of days. For example, if consent was granted for 12 months on January 1st 2019, it should expire on January 1st 2020.
3. Provide multi-channel revocation
Participants indicated they would overwhelmingly choose to revoke their consent via phone, in-person, or email. At present, digital dashboards are proposed as the only means of revocation. We recommend that data holders and data recipients provide non-digital and email channels as initial contact points that can then guide consumers to digital channels to complete the revocation process themselves. The research indicates this is an important recommendation that will make revocation accessible and allow consumers who may not be digital-first users, but may provide consent physically (e.g. facilitated in-person requests) to initiate revocation in their preferred manner. This will be especially important for building trust, CDR adoption, and to protect the reputation of CDR if any unexpected developments lead to consumers seeking consent revocation.
4. Provide multi-channel communications
We recommend that data recipients and data holders provide additional communications to consumers such as a downloadable Consent Receipt, email confirmations, and other information including how to review and manage data sharing or where to go to raise a complaint or report misuses of data. This will allow consumers to have a verified source of truth rather than being required to recall or record the terms of their agreement themselves. These communications may form part of a notifications framework.
5. What to disclose at a minimum to satisfy the ‘unambiguous disclosure’ Rule (7.13(d))
There should be a clear understanding of what constitutes ‘unambiguous disclosure’ of data use. To satisfy the ‘unambiguous disclosure’ Rule (7.13(d)), research results favour data recipients clearly stating:
- Why each data cluster is required, and how far back in time data will be accessed.
- How each data cluster will be used, including if inferences will be made, applications will be influenced, or if CDR data will influence how services/products are priced or provided
- How data will be handled during and following the consent period, including: who will access the data; that data will not be used for unrelated marketing purposes; and that outsourced providers will be bound by the consent agreements.
- How data will be stored, including after revocation/expiry
- What will happen to CDR data following revocation/expiry, including redundant data
- And any other use, storage, or handling during or following the consent period
We recommend that the Consent Model reflects the WCAG 2.1 guidelines and/or the GOV.AU content guide, but recognise that further work needs to be done to develop an accessible Consent Model standard. Further work should include testing readability, keyboard-only use, screen readers, text to speech, and possibly extending CX Standards to include other accessible formats like visual aids. This work would extend to those who have delegates, require a translator, or are assisted/requested in person to provide consent digitally but may not be digital or English literate.
7. Next steps
For Phase 1, the CX Workstream engaged with participants considered to be vulnerable or in vulnerable circumstances, including those in financial distress and those with accessibility needs. A diverse range of participants was sought so that a wide range of scenarios and needs could be better understood to inform the development of accessible CX Standards. While Phase 1 fulfilled many of the requirements for the Consent Flow, there are some known edge gaps in consumer representation, accessibility, scenarios, and other requirements that would benefit from deeper investigation to develop a comprehensive Consent Model.
For example, the participants recruited for Phase 1 did not include many younger participants (under 29), and the sample was skewed towards those who had experienced financial distress and late adopters of technology. This has given us insight into some of these more critical needs for the CDR, and addressing these will facilitate CDR adoption more widely. There is a potential benefit to recruiting more Early Adopters in any agreed upcoming work as they are expected to participate in the CDR regime first and will have needs for seamless integration.
ACCC and Data61 are currently exploring the need to conduct further research based on the Phase 1 CX Report recommendations, broader considerations, and other program requirements. This will consider, where applicable, further research and testing for a version 2 of the Consent Flow (consent, authenticate, authorise), including any potential proposed redirect flows.
Further work being considered is expected to explore consent/authorisation management and revocation, re-authorisation, joint accounts, 90 day notification(s), and communicating accreditation. This work may also expand to accommodate the energy and telecommunication sectors. Although it is not Data61’s remit, this research will inevitably generate insights about consumer trust and privacy that will be communicated outward.
The CX Workstream is currently putting draft RFPs together to help identify further research and further validate the CX Standards; achieve additional consumer representation; provide standardised and necessary guidance on consent to data recipients and data holders; and facilitate consumer adoption of the CDR so its value can be realised.
There will be a 2 week community consultation period that will close on Friday, March 15th at 5:00pm. Feedback received during this time will be considered for incorporation into a first draft of the CX Standards.
You can provide feedback via email, specifying the document, page, and component you’re referring to; via comments on PDFs; or in comments on Google Docs. You can find links to these documents in the relevant sections above.
Please provide concise and actionable feedback wherever possible, and focus on the validity of the recommendations and/or the implications of findings and recommendations. We also welcome feedback on the scope of this work, the focus, and the usefulness of these presentations.
Keep in touch
You can sign up to our mailing lists here; find past updates here; and find other information on the Consumer Data Standards website. The other technical workstreams also have an online presence on GitHub.
If you would like to participate in any of our discussions across the four streams or provide any feedback, you can do so via email to firstname.lastname@example.org.
The CX Workstream