Minutes - 12 Feb 2020

Data Standards Advisory Committee, Meeting Minutes

Date: Wednesday 12 February 2020
Location: Data61, Level 5, 13 Garden Street, Eveleigh
Time: 10:00 to 12:00
Meeting: Committee Meeting No: 3

Download meeting minutes (PDF 190KB)

 

Attendees

 

Chair Introduction

The Chair of the Data Standards (DSB) opened the meeting and thanked all committee members and observers for attending meeting no 3.

Welcome to 2020 and I must say, to what has been a pretty eventful summer for a lot of people. For those that weren’t touched by embers and fire many have been touched by water inundation. Our thoughts go out to those people that have been affected by those events.

It was noted that on the 20 December 2019, the ACCC announced a delay to the CDR implementation timetable with a move from February 2020 to July 2020 for the initial go live. A review by the Department of Finance at the midpoint of the implementation has made certain recommendations around governance of the regime’s implementation, and therefore a Consumer Data Right (CDR) Governance Board has been formed made up of the heads of ACCC, Data Standards Body, Treasury and a few supporters from those organisations. The CDR Board is meeting on a monthly basis to focus on the governance of the implementation of the regime, with the first meeting having taken place on Monday 3 February 2020.

It was noted that we have made some changes to the DSB team. Mark Verstege is a new member of the team who we have managed to attract from Suncorp. The Chair asked Mark to introduce himself.

Mark Verstege noted that he has come from Suncorp which is a bank/insurer. His previous role was Principal Architect and Manager of Architecture for Digital Identity and prior to that he worked on identity and access management platforms and also has previous history around standing up API services in NBN and other areas.

The Chair noted that there have also been some changes in the CX team with Minh Nguyen & Monica Pen joining the team. They both have experience in banking and energy working with Services NSW and CBA with expertise in prototyping, design and research backgrounds.

Minutes

Minutes

The Chair thanked the Committee Members for their comments and feedback on the Minutes from the 11 December 2019 Advisory Committee meeting. The Minutes were taken as read and formally accepted.

Action Items

The Chair noted that the Action Items were ongoing and others completed.

It was noted that in regards to the two ongoing Action Items on “Principle 2” in the Framework document, we have had a lot of feedback and at this point the main focus is the consultation on the principles which is ongoing on GitHub. It was noted we are seeking input into the proposed changes to the governing principles for standards development, and the consultation is open to the end of February 2020.

Working Group Update

A summary of the progress from the last committee meeting on the Working Groups was provided in the committee papers and was taken as read.

The Chair noted that we released version 1.1.1 of the standards which dealt largely with errata and minor defect resolutions, none of which was material and all of which had been foreshadowed via GitHub.

It was noted that version 1.2.0 was released on 31 Jan 2020 and which contained a small number of changes and a big uplift in the CX Standards and Guidelines. This version is the baseline version for the Phase 2 implementation milestone in July and also has a high proportion of what will be required for November in the banking case. It was noted that we have indicated generally that for v1.3.0, which would include some results of additional consultation in relation to concurrent consent, would be made available after July 2020, with a current target of 31 August 2020. It was noted that we are trying to give those building for November enough development runway but our timing will also be dependent upon future versions of the Rules from the ACCC. It was noted that at the CDR Governance Board, the work we have all been doing collectively has been regarded very strongly.

A further update was provided on the Consumer Experience work stream by Michael Palmyre as follows:

It was noted that DSB published v1.2.0 for the CX Standards and Guidelines to provide clarity to CDR participants and facilitate Phase 2 CDR implementations for banking. It was noted that these have been published online and have been locked down for the July implementation but ongoing consultation and feedback is expected.

It was noted that DSB have published the Principles consultation which includes the CX principles. The team are refining the CX Principles further and considering a range of measures and metrics to facilitate principles alignment. The CX research will put various measures and metrics to the test to gauge their usefulness. Research outputs will be published and comments from the community on useful CX metrics are welcome.

DSB noted that they have two new CX members to help with ongoing design and research activities. It was noted that they are into a Phase 3 of CX research and design activities, having commenced with a Phase 1 at the beginning of last year and a Phase 2 in the middle of last year. It was noted that Phase 3 will research a number of key issues and a lot of those intersect with energy but they are using banking as a foundation for now. It was noted that details on the scope of Phase 3 are available on their blog. This includes a brief for the first few issues, a proposed research schedule, and the various artefacts and prototypes that they’re using in the research. It was noted that the prototypes are not necessarily indicative of future standards or guidelines and as such should be understood as artefacts to stimulate the generation of findings. It was noted that the outcomes of this research will be published on an ongoing basis.

DSB noted that there are several issues in scope for Phase 3 research, which will include exploratory research for the energy sector, along with research on joint accounts, de-identification and deletion rules, Rule 7.2, re-authorisation, the simplification of the Consent Flow, energy data language, and fine-grained control.

DSB noted that the energy research will begin with a very broad and exploratory stage which is being done to test initial thinking and create some stimulus for discussion.

DSB noted that in regards to the “joint accounts” issue, they are currently looking at that from a banking angle but it is worth thinking about it from an energy angle as well, because they have analogous situations in the energy sector.

One member noted that one design consideration is that they may have a household which has two consenting for banking and one consenting for energy, and that it is a many to one scenario. It was asked if scenarios of one household with many people to many services have been allowed for in the design principles?

DSB noted that the CX principles are at a high level in order to apply across sectors but it is the more granular details that they want to come out through the consultation.

The Chair noted that this is a good scenario and in the case of the banking example, the major banks had different ways in which they dealt with this. For example, where two parties had the same username and password, effectively to the bank there was one user, but two people are acting. It was noted that the banks have looked to sort this out and are now encouraging people to have their unique identifier, username and password. It was noted other people could initiate change and this potentially has implications for authentication.

DSB noted that in the energy work, they are using banking as a baseline and they have used account number as the unique identifier for the purposes of authentication. This is to see what the consumer response is to this serving as an identifier, but its appropriateness for authentication purposes for the energy sector will need to be considered.

The Chair asked about the scenario where a block of flats has one connection and whether that still exists. It was noted that this is still the case and there would be multiple consumers who can transact on the account. It was noted that it could also be a body corporate acting on their behalf.

One member noted that another scenario for joint accounts could involve the owner and tenant as well - multiple versus single. One member noted that they get into a lot of issues where the owner needs to get something on the metering but the tenant won’t allow it. The owner/tenant model is really tricky. The Chair noted that it is worth looking into this at the exploratory stage.

One member noted that multiple occupants have embedded networks, but embedded networks are still isolated and you can still isolate different supplies. For some multiple occupant situations, different supplies cannot be isolated and so you can turn one fuse off and the whole block goes off.

One member noted that what is missing here, which is maybe a pre-cursor to the CX work, is a map of the foundational relationships between meter, the household, the premises etc. and how they fit together. You also have State and Federal legislation which adds further complexity.

One member noted they will work on a document and present it to the committee members at the next meeting.

ACTION: Member to present the foundational relationship map at the next committee meeting.

One member noted that often companies offer bundles which is a collation or aggregation which adds another complexity. It was noted that the bundling example is a good one.

DSB noted that in regards to the “re-authorisation” issue, this is effectively renewing the existing consent when it is nearing expiry. It was noted that this does not currently exist in the rules for banking so they are exploring some current situations for it and also whether it can be simplified and whether simplification compromises the quality of consent.

DSB noted that in regards to the “Fine-grained control” issue, this is effectively how much control consumers have over the terms of consent, including how much data is shared and how granular that control can be. This also relates to how granular the disclosure of data by a data holder can or should be. It was noted that they are approaching this from the angle of consumer comfort and preferences, but also want to understand how it has been handled in other jurisdictions.

One member asked what the thinking was in terms of expanding the CDR to non-accredited parties under fine grained control. DSB noted that this is more a rules discussion around outsourced providers and intermediaries etc. The Chair noted that the ACCC have announced that they have a consultation underway on the issues on intermediaries.

DSB noted that in regards to the “de-identification and deletion” issue, this is something that became especially pertinent with the right to delete being introduced with the passing of the CDR last year. It was noted that they are testing a few scenarios that exist in the rules around how redundant data is handled and the consumer response to this. It was noted that redundant data is data that is no longer needed to provide the service to the consumer or required to be kept for legal purposes. It was noted that there is a question of what happens to that redundant data, whether it is deleted or de-identified, the consumer response to that, the consumer ability to elect that it be deleted when it becomes redundant.

One member asked whether we are considering this for fine-grained control as well? DSB noted that this has come up in fine grained control and they are definitely intersecting overlaying areas. It was noted that there are difficulties with supporting partial removal of data from an existing consent as it may break the use case.

DSB noted that Rule 7.2, which relates to an “ADR becoming a data holder”, is also being tested. This rule will allow a data recipient to instead be a data holder of CDR data. This changes various privacy safeguards and controls and they want to test if consumers understand this difference.

DSB noted that in regards to the “simplification of consent” issue, they are trying to find out the most important things to surface, what can be removed, and different ways to present the terms of consent to facilitate comprehension and encourage privacy conscious behaviour.

One member asked if there is going to be an instance where someone wants to track historically the consents given and changed? DSB noted that the rules require ADRs and data holders to keep a log of consents and authorisations, but there is a requirement to show expired consents and authorisations on ADR and data holder dashboards, respectively.

The Chair noted that it has been raised that if I ask for deletion of the data, does it delete the lot? The Chair does not think it should as the history is important for audit and regulatory purposes.

One member noted that deletion in energy is specific to the data sets, and different data sets must be stored for different periods of time under energy legislation. For example, records of consent must be retained for 2 years but metering data has to be stored for at least 7 years.

DSB noted that on the audit trail question, the standards themselves don’t dictate an audit trail to be kept. The ACCC have reserved the right to ask for data in a reporting context and have been nonspecific on this. In the banking sector, the banks are universally keeping everything just in case they need it to demonstrate compliance.

ACCC noted that the Explanatory Statement for the rules has some information around record keeping which is useful. It was noted that they recognise that some people will have an obligation, for audit purposes to keep information for 7 years, particularly in the banking sector which allows for things like responsible lending. They don’t think you need to keep a copy of all the data you collect, and records should only keep personal information to comply with the rules. ACCC noted that if you keep personal information, they want to ensure that you do that with all the security controls that are necessary, but there is a limit on the need to retain the actual data more around the permissions given so that there is an audit trail for us.

The Chair noted that on the point of bundling, if you imagine an aggregation use case that has energy, banking and Telco etc, you are going to inherit the joint account structures from one or some of those. It was noted that in the work that the CX team are doing on joint accounts, the DSB needs to think about the bundling scenario in the aggregation use case.

A further updated was provided on the Technical work stream by James Bligh as follows:

DSB noted that in regards to energy, we have a consultation open for the Principles. In the Framework document, a couple of significant decisions around parties and joint accounts were flagged under the authentication and authorisation questions. It was noted that these are significant questions that will not be resolved quickly and the sooner we commence addressing them the better.

DSB noted that Treasury have announced in-principle data sets and to get ahead of the curve, they have started the technical work on the standards based on these data sets. They are starting with the URI structure as this is important to work out the interrelationships between the data sets. DSB noted that they have an advantage for electricity in that for a lot of the data sets they have a proxy in the data that AEMO collects and that is what they will be using. For tariffs, they have Energy Made Easy and Energy Compare and for billing they will need to do further consultation.

DSB noted that they have a draft consultation document on URI for data sets that is aligned to the in-principle Treasury data sets which they have socialised with the ACCC, AEMO and Treasury and are awaiting feedback. It was noted they plan to share the document with this group and once the Chair is happy, they will go out for public consultation.

DSB noted that once that is settled, they will move into payload structures for the various datasets and systematically work through that. They are working on having a full set of resource end points, at least in draft, by the end of May.

ACCC Update

Bruce Cooper from the ACCC provided an update on the Rules and the register as follows:

ACCC noted that the Treasurer has provided his consent to making the CDR Rules on the 4 February 2020 and under the standard Commonwealth Legislation protocols they came into effect on the 6 February 2020. As the result, all the instruments and decisions that rely on the rules being issued can now be put into place like making the standards binding, publishing the accreditation guidelines, opening up for accreditation and OAIC can publish their guidelines. It was noted that having the Rules made was a great step forward.

ACCC noted that in line with the revised timetable that was set on the 20 December 2019, which related to only part of the banking sector, they have started some consultation in relation to non-major ADIs, and more relevant to this meeting, how the rules can be expanded to apply to intermediaries other than those businesses that directly have consumer relationships as data holders and who might be able to assist with data holders and data recipients exposing the data for the purpose of CDR. It was noted that the consultation on the proposed revised timetable for non-major ADIs is open until 21 February 2020.

The Chair noted that we are very advanced in our work now that Legislation, the Designation Instrument, the Rules and the Data Standards that will apply for the implementation for Phase 2 are in place.

The Chair asked ACCC to give a brief update on the testing, the assurance work and how it is progressing and the registry.

ACCC noted that at a high level, they have redesigned the test plans with the idea that there will be a managed roll out from May 2020 which will allow the sharing of live consumer data from May 2020 in a controlled way so by the time we hit 1 July 2020 everyone’s systems are verified as working and able to cope with production volumes. It was noted that the change of the timetable has been really valuable from that perspective and they have enough time to do a managed roll out to make sure that when they formally go live, everything is working as it should.

ACCC noted that they are confident that all of the registry is working as it should, most of the banks and a good number of the data holders have been able to get the information they need from the registry and then connect with the data holder if a data recipient etc. It was noted that there is a series of tests, around 211-213, that they need to undertake with the industry end-to-end testing which is progressing slowly but they are increasingly confident that they will get to May in good shape. It was noted that the controlled roll out will initially be a small group and we will build up slowly.

ACCC noted that in relation to energy, they are engaging with retailers through the Australian Energy Council on a number of issues with the aim to inform the development of the CDR rules that apply in the energy sector. These issues include things like the level of take-up of online services and retail practices with respect to the use of identifiers for consumers.

ACCC noted that they are settling a Minimal Viable Product (MVP) initially for CDR in energy which is likely to involve looking at the scope of the data that would be subject to the first round of CDR. This includes which data fields would be included in the data sets and which customers are eligible to access energy data via CDR. It was also noted that if they approach implementation for data holder obligations in a similar way to the banking sector, they will need to recognise the fact that there are a large number of smaller retailers and it may be appropriate to initially target the bigger ones.

One member asked when the MVP will be ready. ACCC noted that the implementation timing is the 2^nd half of 2021 and they are looking to have a Rules Framework for energy in the first half of this year.

One member noted that there have been concerns raised about implementing the timeline based on the fact that five-minute settlements are coming in 2021. Another member noted that the five-minute settlements and running with the gateway model should not be onerous on the participants.

ACCC noted that they are hoping to see a draft Designation Instrument in March/April 2020 but they are beholden on other things falling into place. In was noted that the MVP will be determined by the complexity and the issues that are thrown up and the commitment by Government to progressing the implementation in the energy sector. It was noted that consultation will take place on the MVP.

One member noted that ACCC have a complicated set of choices to make for MVP for electricity because of the gateway model and the range of options available. To reduce implementation challenges, for instance, they can segment out billing and do that later because that’s going to be heavy on the retailers, whereas all other data sets are very light on the retailers. The matrix for decision making is complex.

One member noted from a retailer point of view, they understand that the ACCC is engaging with the Australian Energy Council (AEC) members but there are a lot of smaller retailers, who are non AEC members who could provide a lot of value.

ACCC noted that they are looking at considering how to manage small retailers, and whether there will be exemptions for small players or a staged implementation. It was noted that one thing they are currently considering is direct to customer access to data which is one of the 3 elements of CDR that might not be part of the initial MVP in energy space because it is a highly regulated at both the national and Victorian levels.

ACCC noted that they are required to do Regulatory and Privacy Impact Statements and that the MVP will also be shaped by the DSB’s CX testing which they are working on closely with DSB.

ACCC noted that they are considering some of the relative sensitivities relating to energy data and the different views amongst the consumer and privacy advocates about tiering, which is not yet available in the banking sector. This is something that may be useful in the energy sector where we can facilitate accreditation of data recipients at a slightly lower cost in regards to less sensitive information.

One member noted in regards to the sensitivity of the energy data given that we have specific license conditions that need to be taken into account. For example, we have load data that has to reside in Australia and cannot be accessed outside of Australia. The Chair asked for the member to provide a summary of license conditions at the next meeting.

ACTION: Member to provide summary of license conditions at March Meeting.

Treasury Update

Aaron Lester from Treasury provided an update as follows:

Treasury noted that they are working towards having a draft Designation Instrument for consultation towards the end of March 2020 with the aim of finalising by the end of June 2020.

Treasury noted that they are updating the Privacy Impact Assessment (PIA) for the specific data that they’re proposing in the Designation Instrument with the intention of having that done by the end of June 2020.

One observer noted that Treasury has announced that there will be a review on write access for CDR and asked whether this will impact energy or mostly about banking. It was noted that it will impact all CDR sectors.

Meeting Schedule

The Chair advised that the next meeting will be held on Wednesday 11 March 2020 from 10 am to 12pm at Data61’s office in Sydney.

Other Business

The Chair noted that there is an edit required in the papers in section “3.1 Technical Working Group Update”. It reads “James Bligh has been training Mark and handing over the operational accountability for the banking standards so that he can focus on the emerging standards for electricity.” It should read “operational accountability for the baseline standards”.

ACTION: DSB to update paper with edit to section 3.1

One member noted that in regards to the regulatory front and the analytics and data opportunities. Over time, the data holders will make a move, as part of normal account identity or product initiation procedures, and as an intermediary where everyone has day-to-day requests. This may cause a friction point.

One observer noted that there are rules considerations, customer experience considerations but also technical considerations. The ability to actually authenticate an individual that is pre known is a lot lower in this industry than it is in banking which has had “know your customer” (KYC) for a long time. It was noted that the prevalence of actually being able to identify an individual that holds an account with a retailer is a lot less and AEMO currently has a designated gateway but they have no insight into individuals or customers. It was noted that we will have technical constraints that we will have to face that will constrain the options for CX as much as the rules constraints.

Closing and Next Steps

The Chair thanked the Committee Members and Observers for attending the meeting.

Meeting closed at 11:10