Management and Revocation of Consent: CX Workshop summary

Dear Consumer Data Right participants and other interested parties,

On the 7th August, participants from 30 organisations representing Data Holders, Data Recipients, Consumer Advocacy Groups, and other industry representatives joined the CX Workstream and a variety of government agencies for a workshop in Sydney. 

The overall purpose of the workshop was to review and refine the proposed dashboards for consent management as well as a flow for the revocation of consent.

The feedback and artefacts from the workshop will be used to inform both the direction of the CX Workstream and also decisions to be made by the Chair of the Data Standards Body and ACCC as appropriate.

Workshop scope

The workshop scope included:

  • Consent management - consisting of a data recipient consent management dashboard and a data holder authorisation management dashboard, enabling a consumer to view details of their data sharing arrangement(s); and
  • Revocation - withdrawing the consent/authorisation for a data sharing arrangement. It is expected that this will occur via a consent/authorisation management dashboard.

Several assumptions were made to help frame the discussion on the day. A consumer may:

  • have sharing arrangements with multiple recipients;
  • be sharing data for several products/services with one recipient;
  • see both incoming and outgoing data sharing via a dashboard (where the data holder is also a data recipient); and
  • be sharing data from a joint account.

Sharing interpretations of the Management dashboard and Revocation flow

Following a similar approach to the CX workshop held in June on the Consent Flow, several organisations opened the day by presenting their respective views and interpretations of consent management and revocation.

In particular, we heard from:

*Note: some organisations have agreed to share their workshop presentations publicly. They are available from the links above.

Many of the perspectives presented shared a common view of the key features of a management dashboard and revocation flow.  Themes emerging across the presentations were:

  • It is important to get the balance right between presenting key information related to a data sharing arrangement and at the same time minimising the cognitive load for consumers;
  • The ability to access the dashboard from a clearly visible location within the data holder will help consumers to view and manage their data sharing arrangements;
  • There is need to consistently utilise simple and intuitive language (particularly around activities such as revocation of consent) so that consumers understand the implications of their actions and what will happen to their data; and
  • The inclusion of ‘frequency’ (of data access) in the standards would enable the data holder to mirror what the consumer is being shown by the data recipient.

These presentations were followed by the Data61 CX team sharing our perspective** on consent management and the revocation flow.    

**Note: This is a low fidelity prototype that is limited in functionality. It has been produced solely to communicate the mange and revoke concept. Clicking anywhere on screen will produce blue ‘hotspots’ that indicate where you can click/tap. 

The draft management dashboard and revocation flow presented by Data61 at the workshop is outlined in the consultation draft published on 8th August.

This direction has been informed by both the Phase 2 CX research and also ongoing stakeholder discussions and feedback.

Sharing perspectives on consent management and revocation

Prioritisation of key issues and opportunities

Workshop participants had the opportunity to reflect on all the different perspectives on consent management and revocation that had been shared.  Building on this, they identified areas which they felt presented the greatest issues and opportunities.

Through a group prioritisation activity we were able to identify five key areas requiring further attention, prioritised below in order of votes from workshop attendees.  These areas were framed with How Might We questions.

  1. Implications of revocation
    • How might we clearly communicate the implications of revocation (i.e. what happens to your data/service following revocation)? (25 votes)
  2. Temporal attributes of a sharing arrangement
    • How might we describe time-based qualities of shared data (e.g. date ranges, date data was last accessed, frequency of access etc)? (24 votes)
  3. Conveying purpose (of a data sharing arrangement)
    • How might we convey the purpose and use of data on dashboards and during the revocation flow? (24 votes)
    • How might we show information in a meaningful way without including purpose information on a data holder dashboard? (17 votes)
  4. Common language
    • How might we have consistent consumer facing language across the CDR ecosystem? (19 votes)
  5. Presentation of information
    • How might we organise information in a way that is meaningful to consumers? (13 votes)
    • How might we simplify information without being simplistic? (12 votes)
    • How might we show data sharing history (i.e. and archive/log)? (5 votes)

Potential solutions

The afternoon focused on group-based ideation activities to unpack and explore each of these key areas. Each group collaborated on solutions and alternatives that sought to answer the How Might We questions.

Exploring key issues and describing possible solutions

Workshop participants identified concepts that they felt would improve the consumer experience of the consent management dashboards and revocation flow. These included:

  1. A proposed concept for communicating the implications of revocation;
  2. A proposed concept for clearly describing the time periods applicable to a data sharing request (including from and to dates, frequency of data access and use, and date ranges for transactions);
  3. A proposed structure for presenting data sharing arrangements (emphasising the display of current and archived arrangements rather than views of incoming and outgoing data);
  4. A proposed approach to reframing purpose as ‘consumer benefits’, and either: drawing from a standardised set of benefits; enabling consumers to add purpose/tags that are meaningful to them; or allowing consumers to up/down vote purpose descriptions in order to surface those that are more meaningful than others;
  5. A proposed approach to ensuring consistent language, including: further testing with consumers focusing on language comprehension; defining mandatory/recommended language; and developing a glossary and guidelines to support implementation;
  6. A proposed concept for utilising standardised purpose statements and frequencies (of data access);
  7. A proposed concept for visualising the time periods applicable to a data sharing arrangement;
  8. A proposed structure for presenting data sharing arrangements focusing on minimising clutter and complexity; and
  9. A proposed concept for communicating the high level implications of revocation (without showing purpose) and nudging the consumer back to the data recipient for further detailed information.
Concept 3: Presenting data sharing arrangements
Concept 8: Presenting data sharing arrangements
Concept 5: Language glossary

Suggested focus areas for the CX Workstream

At the end of the day, workshop participants noted down areas that they felt the CX Workstream should focus their attention on next.  A wide range of suggestions were collected, and across those, the following areas emerged as being of particular importance to the group:

  • Communicating purpose - what, where and how purpose information should be displayed;
  • Frequency - viewing and managing the frequency that data is accessed;
  • Joint accounts - management of consent related to joint accounts with particular consideration given to vulnerable consumers;
  • Presentation of information - exploring how to improve comprehension, informed decision making, and prevent information overload;
  • Language - driving consistency of language across the CDR ecosystem;
  • Data deletion - handling of data after revocation of consent;
Suggested focus areas for the CX Workstream

Next steps

The CX Workstream is currently reviewing all of the workshop inputs (the presentations shared by Data Recipients and Data Holders) and workshop outputs (the concepts generated by the workshop group as well as the detailed feedback provided on the CX Workstream’s proposed management dashboard and revocation flow). 

The workshop contributions will be considered alongside Phase 2 research findings and community feedback on the consultation draft to inform revisions of the consent management dashboards and revocation flow. All possibilities will consider feasibility, compliance to CDR rules, consumer experience, and the level of safety, security and privacy. The outputs from the day will be used to help frame and inform decisions to be made by the Chair of the Data Standards Body and ACCC as appropriate.

Keep in touch 

  • Sign up to our mailing lists
  • See our past updates
  • Find other information on the Consumer Data Standards website
  • View the online presence of other technical workstreams on Github
  • If you would like to participate in any of our discussions across the four streams or provide any feedback, you can do so via email to cdr-data61@csiro.au.

Best regards,

The CX Workstream