May ’19 | Phase 2 | Update 3

Consumer Experience Workstream Update

Dear Consumer Data Right participants and other interested parties,

The first round of research for Phase 2 has been completed and preliminary findings are beginning to emerge. Several agencies working in three streams rapidly produced prototypes to test with 30 participants in the first round. These prototypes were developed with a range of objectives in mind, including broad qualitative concerns like participant responses and expectations to data sharing for various purposes, but also more granular requirements like the testing of appropriate flows for revocation, consent/authorisation, management dashboards, authentication flows, and reauthorisation.

The prototypes can be found below in each stream’s update. Each prototype has certain components omitted or has tested slight differences  from the Rules and technical standards to provide focus. As should be the case with all prototypes, these were developed to generate insights and test approaches and they will be discarded if they are not appropriate solutions. As such, the prototypes should be seen as artefacts produced for research purposes as opposed to recommended flows at this stage.

An update from each agency can be found below:

STREAM ONE

Areas of focus: Consent Flow; accessibility; cross-sector sharing; joint accounts

Prototypes tested:

NB: These include a straight redirect flow to set a baseline and reduce variables. This will allow us to gauge the introduction of a more complex authentication flow for round 2, while also reducing cognitive overload to allow for greater in-depth discussion.

What we did

  • Round 1 of research — 14 interviews all-in-all, across VIC, NSW, QLD, SA.

What we found out

  • Recruiting for disadvantaged groups and a wide range of life experiences has enhanced the results— we were able to get some very helpful feedback from the perspectives of people who’d gone through financial difficulties, who had been vulnerable and had to deal with joint accounts, and who had not necessarily been in a stable position all their lives. This highlighted some accessibility problems for disadvantaged and/or vulnerable people, which will be worked into the Round 2 prototype.
  • Information that participants see clearly, often multiple times, is not necessarily understood. For example, even with the text about their data possibly being used to make future suggestions, participants didn’t necessarily internalise that, which led to their feeling betrayed when they realised their CDR data was analysed to enable the energy data request.
  • The joint account prototype provoked a lot of very strong reactions. It’s clear that we need to be more aware of very nuanced issues that deal not only with situations in the context of abuse and vulnerability, but about agency and who gets to know what when it comes to people’s data.

Recommendations

  • A more evaluative, subjective approach was successful in hearing people’s thoughts and stories to understand their issues and barriers; a more metrics-based approach will be used for round 2.
  • Developing a new prototype that addresses some of the parts where user comprehension failed.

What’s next

  • Synthesis of the interviews
  • Turn the insights from interviews into a list of changes that need to be made to the prototypes
  • Implement these changes for the Round 2 prototypes

STREAM TWO

Areas of focus: Consent/authorisation management dashboards; revocation flows

Prototypes tested:

What we did

  • Our primary focus for this week was scheduling, coordinating and conducting the first round of exploratory research with 10 participants

What we found out

  • Consent is a poorly understood concept by consumers. For example, “permission” and “consent” are perceived as effectively one in the same. As we know, from Australian and global privacy/data protection law, this is not the case
  • A psychological and/or emotional connection to the value proposition was crucial to valid consent. Simulating this, given constraints, was a challenge. We acted to mitigate this risk by designing a high value use case. Even with this case, aspects of the situational context (trigger) and context of use were too far removed from participants everyday experiences
  • Informed revocation was variable. Variance was dependent on ‘ability’ (education and career background, time of day conducting the session, connection to and understanding of the value proposition, literacy and technical knowledge, thinking style and personality). Many participants clearly expressed their current behaviour was to skim and/or bypass this type of effort
  • Participants expressed clear positive feelings towards the way consent-based data sharing information was broken down into layers and simple language
  • Participants acknowledged that a trustworthy ecosystem was critical if they were to engage in this type of data sharing.
  • Many participants expressed (attitudinally) the desire to have more power when sharing data about themselves. There was skepticism that this was possible and alternative ways of seeing themselves at the centre of power was difficult.
  • Themes emerged that align to existing research globally. Specifically:
    • Consumers feel that they have limited choice and power when it comes to data privacy (take it or leave it).
    • Prior and continual disempowerment leads to a disinterested attitude in the context of data sharing and digital experiences (see “The Tradeoff Fallacy” as an example).
    • Apathy leads to indifference. Individuals passively accept they have no power. This is projected as an attitude of not caring. However, further clarifiers reveal they do actually care.
  • Individuals sympathise with the need for organisations to process data to operate. They acknowledge that business models are built around ‘controlling’ and monetising data.
  • Skepticism is expressed when suggestions of being empowered are presented. Alternatives to the current status quo are hard to imagine.
  • When clear and relatable alternatives are presented, individuals assert a more proactive approach to data sharing. They expect to be protected. They expect a more compelling value in exchange for the data they share.
  • Participants clearly expressed a desire to manage access to their data via one mechanism (“… it’s one app”, “it’d be like MyGov”). It was difficult for them to imagine how this could work with multiple dashboards.
  • Building upon the previous point, participants also expressed privacy and security concerns relating to a central access point to all of their data.
  • Early insights indicate a high likelihood of switching towards this type of behaviour.
  • Using the BJ Fogg Model to uncover participants willingness to act (and sustain a new behaviour), the prototypes proved effective (easy to achieve the desired outcome i.e ease of consent revocation).

Recommendations

  • Emphasise the value, meaning and engagement of a given proposition to derive meaningful consent-based data sharing insights.

What’s next

  • Synthesising research outputs
  • Developing thematic insights and initial coding
  • Developing a preliminary set of hypotheses to explore further in round 2
  • Divergent and convergent design process for next phase prototype
  • Defining recruitment criteria for the second round of exploratory research (multiple locations including regional)

STREAM THREE

Areas of focus: Authentication flows, 90 day notification, reauthorisation

Prototypes tested:

  • All-in-one prototype including Decoupled, Redirect with Known Channel, 90 day notification, and reauthorisation flows: https://invis.io/5FRWJ7PJ829

What we did

  • Completed round 1 research: 6x Metro participants, 2x Remote, and 2x Rural

What we found out

  • Overall behaviour: Younger participants were more willing to share their feedback, more open and had a better understanding of technology and data. Data sharing control was unexpected as this is a different and new approach.
  • The Trust Mark tested well. All participants felt it could be trusted. Seeing the ‘Australian Government’ mark is seen as assurance, legitimate, and has followed proper accreditation process.
  • The data taken depends on the use of the app. Users were concerned that contact and personal details were being taken for the purpose of budgeting.
  • There is still an assumption that data can be accessed or used for marketing or by government.
  • Duration of data needs to be clear for future data use or past data use.
  • The redirect with known channel flow caused user confusion, as they thought they were being prompted to login twice — reworking of the instruction language to potentially remediate this needs to happen.
  • Decoupled flow — Most younger participants find this flow somewhat more familiar. They navigate to the page for entering code on the bank app quite easily. Expect to find it somewhere in account settings or similar. It’s an experience they are used to.
  • Reauthorise flows — A mix of people want to do this via a data recipient, but there are individuals who suggested they’d want to go to a bank in person.
  • Notifications were questioned by the participants as to whether they are valuable and meaningful. A few thought that to be accredited organisations would have to notify people as a requirement. Opt in is a possible preference and design consideration.
  • A few participants thought that they had to enter the data manually (rather than just consent for the data share)
  • Business data clusters — there were no issues with language use. However, participants were more cautious about sharing business data (depending on what’s being shared). They saw it as more risky as it contains not only their personal data but also potentially their client’s data.

Recommendations

  • More iterations need to be built into the flow to explain what is happening in the app and why; updates to be incorporated into the next round of prototype development and research.
  • Review the design and language used as some participants thought that they had to enter the data manually.

What’s next

  • Analysis and Synthesis of the data acquired from the field research
  • Share back findings from Round 1 with other streams to inform directions for Round 2
  • Develop round 2 prototypes

Keep in touch

Best regards,

The CX Workstream