Minutes - 8 Apr 2020

Data Standards Advisory Committee, Meeting Minutes

Date: Wednesday 8 April 2020
Location: Held remotely via WebEx
Time: 10:00 to 12:00
Meeting: Committee Meeting No: 5

Download meeting minutes (PDF 200KB)

 

Attendees

 

Chair Introduction

The Chair of the Data Standards Body (DSB) opened the meeting and thanked all committee members and observers for attending meeting no 5.

The Chair wanted to acknowledge the COVID-19 situation that everybody is currently dealing with both personally and corporately and the magnitude of the challenges ahead.

The Chair noted that the CX Working Group completed two rounds of consumer research, produced a CX report and continued to consult on the standards and the guidelines.  The Technical Working Group closed the first consultation in the electricity industry sector, completed the second maintenance iteration and completed the v.1.3.0 content.

The Chair noted that the DSB held a meeting on the 6 April 2020 which was well attended by banking Advisory Committee members and delegates to discuss how the CDR should approach identity. The Chair noted that the DSB will circulate a summary of the meeting to members.

ACTION:  DSB to circulate a summary of the Identity Meeting to the Advisory Committee.

The Chair also introduced Jarryd Judd, the new Engagement & Support Manager who joined the Consumer Data Standards team and invited him to introduce himself to the committee.

Jarryd Judd noted that he was formerly with NAB and it was great to join the Consumer Data Standards team.  He noted that he comes from a product and technical background and he is taking point as the Engagement & Support Manager for the DSB.

It was noted that Peter Giles from CHOICE was an apology for the meeting.

Minutes

Minutes

The Chair thanked the Committee Members for their comments and feedback on the Minutes from the 11 March 2020 Advisory Committee meeting.  The Minutes were taken as read and formally accepted.

Action Items

The Chair noted that the Action Items were ongoing and others completed.

Working Group Update

A summary of the progress since the last committee meeting on the Working Groups was provided in the Committee Papers and was taken as read.

A further updated was provided on the Technical Working Group by James Bligh as follows:

It was noted the Technical Working Group initiated a consultation on Concurrent Consent a number of weeks ago.  It was noted that they had planned at this stage to have booked a workshop and be moving onto payloads and having additional things published.  In the context of what has been happening with the lockdown and everyone’s response to COVID-19, they have moved a little slower than anticipated.

It was noted that the DSB have extended the consultation on Electricity End Points and also scheduled a Workshop on End Points.  It was noted that they have been figuring out how to do a workshop similar to workshops in the past but without physical presence.  It was noted that they are trialling some collaboration tools which are internet based and the one advantage of doing it virtually is they will not be locked into a region with limited spaces.  It was noted that they will ask participant organisations to limit the number of people attending and there will be a pre-registration so they can manage attendees and communicate with them in advance.

The DSB encourages members to communicate information on the workshop, details of which will be sent out to the Advisory Committee, to their teams and to any industry bodies so that they can disseminate the information as they are trying to build up their mailing lists.

ACTION:  DSB to send information on the upcoming Workshop to Committee Members.

One member asked what the topic of the first workshop was and what do the future ones look like.

The DSB noted the first one will be focused along the same lines as the consultation on End Points and the key outcomes will be to i) validate the assumptions that are underlying the consultation, ii) to get at least one payload, as a strawman out prior to that workshop so they have something concrete from a data structure perspective to work through and iii) to build the community, the dialogue and engagement and to start to uncover what the likely problems are going to be in developing standards in electricity.

The DSB noted that the process in banking was that the initial workshops were quite broad but they were really instructive in helping them figure out where to go and how to narrow the focus.  It was noted that in regards to what future workshops looks like, it depends on how the first one goes and what hot areas need to be discussed in forum.

The Chair asked that based on the experience of workshops done in the past, who would be best placed to join these workshops? The DSB noted that this would not be a policy conversation, it is a Technical Working Group so they will be looking at data. It was noted that the appropriate personnel would be a combination of technical resources and a policy lead who would be shaping responses and working on this in the long term.  They would not recommend someone really low in the detail, like a developer or lead developer and equally it is not high-level strategic, this will be in the detail.

The DSB noted that in regards to a plan, there are two things that have emerged from the first consultation. One is, why are we doing the consultation now, as they thought we had to wait until the rules and the Designation were written?  The DSB noted that no decision they make will be binding through these consultations and decision papers because until they have a Designation Instrument (DI) and approved rules they can’t make binding standards.  It was noted that what they found with banking was these initial technical consultations raised issues which then informed the rules and the DI in that process and that there is a lot of synergy between the three streams of activity.

The Chair noted that, in terms of the timetable for energy, we are working on this now in this virtual form, using our normal processes of decision proposals and consulting on those decisions proposals with a view to developing draft standards.

It was noted that the next step is when the DI is established by the Treasurer, which we are expecting prior to 30 June 2020, we will review the draft decisions that have been made to ensure they align.  It was noted that the current work is in line with the draft DI.

It was noted that based on that work, the DSB will continue to engage with the ACCC in relation to any changes required to the rules to cater for energy and electricity in particular and they will be inputting in that process in the same iterative way as was applied under the banking context.

DSB was noted that as the ACCC progresses and publishes the consultation points, rules framework, and rules etc. they will contribute to those, review the draft decisions, and adjust the decision proposals that are already been consulted on as required.  It was noted that they may need a further round of consideration.

It was noted that when the ACCC publishes the rules and the impact on energy, the DSB will review those for a third time and the draft decisions and provide feedback to the ACCC.

It was noted that when the Treasurer consents to the rules, the DSB would then at that point, conduct a fourth review.

The Chair noted that they are proceeding on a business as usual basis and working entirely virtually to achieve the results.

One member asked whether the workshops will be for energy specific participants, as they note that the Technical Working Group and the CX Working Group participants are largely from a banking background.

The DSB noted that this workshop will be an energy focused workshop and one of the reasons that they are doing pre-registration is to ensure that if they have stakeholder groups that are underrepresented they can actively seek attendees.  It was noted that this is not going to be exclusive to a set of participants as the policy has always been that anybody who wishes to register for these workshops can attend, even down to an individual citizen who just has an interest, as the DSB want a diverse set of options and perspectives.

One member noted that in terms of participating in the first consultation on endpoints, it's sometimes hard to get the right people there without knowing what the topics are going to be in advance and they would like a forward view of workshops.

The Chair noted that the DSB would provide a couple of paragraphs on the purpose of the workshop to Advisory Committee members.

ACTION:  DSB to circulate the purpose of End Point Workshop to Committee Members.

Another member noted that the DSB may want to think about potentially giving some pre-reading or some samples of which data sets they’re going to use as the challenge model as they think this will focus the mind and will give the technical and policy people the right context and will help add more value to the outcomes.

The DSB noted that that is exactly what they anticipate doing and that another reason for the pre-registration is so they can communicate both an agenda and a straw man to registered participants in advance.

One member noted it would also be useful to provide some questions in advance that could push people to think before they turn up in the room. It was noted that consumer and community sector organisations under pressure as a result of COVID-19 won’t pre-register for an event unless it's super clear what it is for.

The DSB noted that the first consultation has closed and they will respond to the feedback via GitHub.  They will be pre-raising a series of issues, without content, which will provide an indication of what they think the forward plan of work is and based on community feedback they will prioritise the order of how the issues are addressed and the speed with which they're addressed. They anticipate doing this before the end of the week.

A further update was provided on the Consumer Experience Work stream by Michel Palmyre as follows:

The DSB noted that there have been some interruptions with COVID-19 which has definitely impacted research, but they have transitioned quite well into conducting all of their research remotely.

As noted in the committee papers, the DSB have finished two rounds of research with a third round of research just completed.  It was noted that this has shifted back to a focus on banking with joint accounts. They are conducting a consultation on Joint Accounts and a consultation on CDR Logo Use in the consent model and CDR system more broadly.

The DSB noted that they should not think of those things as banking specific, even though that is the starting point, and they encourage people from the energy sector to submit feedback on the proposals as they are relevant cross-sector.

The DSB noted that they have provided a significant update on the work that they have done in the last month on the website, and also included the phase three reports covering rounds one and rounds two.

One member asked in regards to workshops, will the same approach be used in the CX stream as the Technical stream, particularly given the energy sectors interaction with customers and customer experience?

The DSB noted that they are going to shift to conducting online workshops and they are currently working out a way to do that.  Typically, the CX workshops have been structured slightly differently to the Technical Workshops as they have a lot of heavy participation, group collaboration, idea generation etc, and they are sorting out some online tools that can facilitate that.

The Chair asked what the estimated timing for the next CX workshops is.

The DSB noted that they haven't come up with a time as yet as they wanted to wait to see what came out of the energy data set consultation and also there is some more work that needs to be done in authentication but they hope to conduct a workshop sometime in the next six to eight weeks.

One member noted that a lot of CX workshops have been with consumers and focused on consumers, and do they want to keep the industry engagement and the consumer engagement separate or do you want both groups in the same workshops?

The DSB noted that they are conducting ongoing consumer research and for the workshops, they encourage open participation from industry and consumer representatives but noted that getting people from the community sector to attend is harder to do then perhaps getting industry participants to attend.  It was noted that this was part of the reason that the DSB has engaged the Consumer Policy Research Centre to conduct some community consultation to address that gap.

CX Report Findings

Michael Palmyre provided an update on the Consumer Experience Reporting findings as follows:

The DSB noted that they have summarised the key points that are related to the energy sector from the Phase 3: Round 1&2 Report that was published.

The DSB provided an overview of the consent model and consent flow, noting that some members of the Advisory Committee are familiar with the process and work to date and it would be useful to get on the same page with the steps involved in the consent flow and content more generally and for those who perhaps aren't as familiar with the process.

The DSB noted that the “Consent Model’ means the points where a consumer interacts with the CDR ecosystem and its CDR participants.

The DSB noted that the “Consent Flow” is the key piece and involves the “Consent” step where an ADR requests consent to collect and use data from a consumer, the “Authenticate” step where the consumer verifies themselves with the data holder and the “Authorise” step where a consumer authorises the disclosure of their data from the data holder to the ADR.  It was noted that the emphasis here is the ability to share data but the CDR is about much more than that.

It was noted that there is consumer control that is afforded through the CDR and they have an emphasis on the “Outcome / Managed” step which is a point, whether it's dashboards or other channels in the process, where a consumer can exercise control after they've actually shared their data. They can manage and review their data sharing arrangements on a dashboard, they can request right to delete, they can withdraw their data sharing arrangement etc. It was noted that research has shown that there is the perception that once you've shared data, you share it once and for all.  It was noted that communicating that that is not the case and that there is greater control assuages some of the concerns around data sharing.

The DSB noted that this is outside of scope, but the “Pre-consent” step is of critical importance and is the stage where an ADR builds trust in the process and provides more background on the value proposition which increases trust and confidence and increases the propensity to share data in the first place.

The DSB noted that in regards to the Phase 3 Research findings, they focused on energy over two rounds and in the preliminary findings they generally found there was low trust in retailers, low levels of interaction with those retailers and low levels of digital adoption in the energy sector. It was also found that energy data was not easy to comprehend and there was more willingness to share energy data than financial data.

It was noted that what they wanted to do in the Phase 3 research was to understand a little bit more about these things and to validate them and get a picture of why that was the case for some of the findings.  It was noted that they also set out to get a general understanding of behaviours, pain points and needs in the energy sector, the response to sharing energy data with a refined consent flow, and to generally to understand trustworthiness and how privacy is viewed when it came to CDR in the energy sector.

It was noted that at a more granular level, they also wanted to explore what authentication might look like for the energy sector and what identifiers might be easy to access and comprehend as well.

The DSB noted that the energy research consisted of two rounds totalling eighteen people.  They held in-depth research, each session lasting for 90 minutes and included a wide range of ages from eighteen to over seventy but skewed towards older participants (over fifty). It was noted that this was in contrast to the previous research they conducted for energy which was skewed towards younger people. It was noted that as a result, they now have a wide age range and it was always their intent to recruit a diverse and wide range of participants in their research.

The DSB noted that for the research sessions, they used prototypes as artefacts for insight generation. One use case being “Track and Manage your Energy Use” and the other being “Tracking your Carbon Footprint”. It was noted that they asked questions which related to trustworthiness and propensity to share and one activity they conducted, which was borrowed from New Zealand's Data Futures Partnership work, used the trust benefits scale. This gets participants to score how much they trusted the process and how much benefit they saw in the use case.  It was noted that this ties back to a strong propensity to share and they generally saw less high propensity to share data.

It was noted that they also used the Likert Scale to understand a bit more at a score level how people responded to CDR compared to current ways of sharing data.

It was noted that what they have found is that generally participants saw CDR to be better than existing ways of sharing data.  It was noted that by existing ways, they are referring to passive ways of sharing data, opt out situations and a general feeling of disempowerment when it comes to data sharing.  People are resigned to the fact that they have to share data to access an outcome.  The research has found that positive views of the CDR are in part because of the greatest control around data sharing, familiarity with certain parties involved, ACCC in particular and regulation occurring and the also the accreditation of those data recipients.

It was noted that on the point of familiarity, there was generally a high level of trust in ACCC and seeing that ACCC accredited entities to participate and seeing that they regulated were all important factors even though there was generally a low level of trust in government in general. ACCC was seen as an entity that acted in consumers interests.

It was noted that despite the findings of low levels of trust in retailers, the presence of the retailer increased trust in the process because they were familiar and authoritative.

It was noted that this was in contrast with the point around levels of confidence in the Government's capabilities. This related to both the handling of data and also regulation more generally. It was noted that there was a low level of confidence that even though you could trust the ACCC to act in your interests, that they would actually be able to regulate to the extent that was outlined.  At the same time there was a low level of confidence in the Government's ability to handle digital data, or data in general based on people’s experiences with MyHealth Records and inaccurate results from government’s energy comparison sites.

The DSB noted that looking at existing literature (e.g. Edelman Trust Barometer 2020) what they have found is “High Trust in ACCC and (certain) government bodies acting in public interest” and “low confidence in government capability including handling data” pairs quite well with the Edelman findings around institutions not necessarily being seen as competent and ethical (ethics being conducive to trustworthiness) and also low level of confidence in the ability to regulate.

It was noted that this emphasises that the CDR does not exist in isolation and there is a broader landscape that it is operating here, and there are many other events which will influence how willing people are to participate in CDR and this is really important thing to consider when we're thinking about adoption of CDR generally.

The DSB noted in regards to understanding consumers propensity to share energy data, the majority of participants generally have high levels of trust, saw high levels of benefit in the use case and generally they can deduce that that is conducive to high levels of willingness to share data. It was noted that there was a strong pairing, it wasn't just about having trust in the process, it was also seeing a benefit with that ADR accessing your data that was also conducive to trust.

The DSB noted that it is sensible to say that high trust and a high benefit is conducive to propensity to share data. In isolation, it's not just about trustworthiness in the ecosystem, transparency being consent driven and having control, accreditation and regulation are important factors when it comes to trustworthiness in the process but the benefit in the actual value proposition of the ADR is critical. Especially moving people through that process successfully in a way that is informed and that they have consented to.

The DSB noted that familiarity and comprehension of energy data is low.  Energy sector and data literacy was generally limited to usage and costs and most participants struggled to understand more industry-specific terminology such as ‘Distributed Energy Resources’ and ‘NMI’ (National Meter Identifier). It was noted that the working hypothesis is that people have more of a need and desire and existing behaviour around accessing, using, seeing their financial data, compared to their energy data. If was noted that this does raise the question of how important it is to facilitate informed consent in the energy sector, when not everyone is really understanding what that data is.

The DSB noted there were a few participants who were concerned that the data could be used for surveillance services or shared with the Government and a lot of people, perhaps with vulnerable backgrounds, were concerned that the Government might use it for tracking purposes. It was noted that it is just as important to emphasise what will not happen with the data as what will happen.

The DSB noted that in regards to the point on “irrelevant or sensitive data causes aversion” broadly clustered data caused concern, e.g. when payment arrangements, details about hardship and concessions, and contact details were bundled with other data sets.

The DSB noted that in regards to authentication in the energy sector they tested examples of identifiers so they could understand what it looks like for consumers moving through the process in the energy sector. They started with ‘Account Number’ in the energy prototypes to understand familiarity and ease of access. They found the majority of research participants understood what this was, were able to find it on their bill, or know where to go to find it.

The DSB noted that they also tested NMI as an identifier and participants did not always know what NMI was.  This was not received as well.

The DSB noted that the authentication model they are using for banking, One Time Passwords (OTP), fits really well, at least conceptually based on the way that consumers received it in the energy sector. It was noted that there was a large level of comfort with the OTP authentication model for energy consumers, with this round of testing skewed towards older participants whereas the research last year was skewed towards younger participants, who were also comfortable with this model. Which gives them a high level of confidence that an OTP delivery process for authentication is going to be acceptable.

The DSB noted that they wanted to have a discussion around what it might mean to use certain identifiers when it comes to consumer adoption and how intuitive authentication is in the energy sector.  The working assumption at the moment is that a variety of identifies could be used (like customer ID or account number etc) for the data holder to verify that the customer is the customer, and that customer is associated with the data requests.

The DSB noted that this raises the question around how intuitive those identifies could be, not just for the energy sector, but cross sector, as the CDR expands to be economy wide. The identifiers could be multiple as other sectors are designated. Sector-specific identifiers could lead to confusion if NMI, MIRN (Meter Identification Registration Number used for gas) etc. are advertised as authentication identifiers, versus a consistent and familiar attribute like an “account holder”.

One member noted on the authentication piece, how hard is it to set up a landing page?  Another member noted that building a landing page is easy, it is all the complexity behind it that is the issue.

The DSB noted that the experience from banking is there has been a lot of effort inherent in the InfoSec profile, but this was because they had to do the entire authorisation server. If we’re just talking about that authentication piece, the landing page to validate a user ID and account ID etc. this typically, in a technology context, is a pretty minimal footprint for the larger retailers.  For the smaller retailers it is a different scenario.  The DSB noted that the ACCC have been working with AEMO, Treasury and the DSB in the background on a paper talking about different authentication options as this a topic that is technical in nature but has policy, security and designation implications. The DSB encourages careful review of this consultation.

The Chair noted that this is a good example as to why we have a Technical Working Group and a CX Working Group because the determination of standards has to balance all of these factors, and the issue of comprehension, trust, benefit, purpose and the concerns are all considerations for both the technical considerations and for information security.

One member noted that the energy retailers are doing a lot of that authentication and whether there is any thought of AEMO being that authenticator.  The DSB noted that the ACCC paper has been canvassing those options and looking at varying degrees of AEMO’s involvement in the authentication process.

One member noted in regards to the use cases we’re interested in (which are “price comparison” and “DR purchase”) all you need is the information, which is currently in the AEMO datasets, not the retailer datasets.  It was noted that there is a simpler model, which is once the password goes to the customer, the password is also sent to AEMO and the ADR can then be the recipient of the password from the consumer and pass it to AEMO who then gives the message that it matches. It was noted that you don't need the consumer to transact with the retailer at all once the retailer has punched out the password.

The ACCC suggested that we add this as an agenda item to an upcoming meeting for further discussion.

ACTION:  ACCC to present the use case options for authentication as a future meeting

Treasury Update

Daniel McAuliffe from Treasury provided an update as follows:

Treasury noted that in terms of the Designation Instrument (DI), they hoped to have the DI out for consultation already, but COVID-19 related drafting legislation took away resources.  It was noted that it is currently being drafted and they hope to get it out in the next couple of weeks for consultation and the instrument made by the 30 June 2020.  It was noted that this is the instrument that turns on the ACCC rule making power and specifies the high-level data sets are covered and which entities can be made to hand over that information.

Treasury noted that they did announce in February where they landed after their Designation Instrument Consultations paper, and they are still intending to draft in accordance with that earlier announcement.

Treasury noted that they are hoping to have the draft DI out in two or three weeks, to consult for maybe three or four weeks and signed off by the Minister before the 30 June 2020.

Treasury noted that in parallel with that, they are having an independent Privacy Impact Assessment (PIA) conducted on privacy implications of the DI.  It was noted that that consultation is building upon the earlier PIA in the CDR and noted that they will not be revisiting some of the analysis but what it will be doing is looking at the ‘delta’.

Treasury noted that this will be a high-level assessment for the purpose of turning on the energy sector and when the ACCC writes its rules there will be a further PIA to look at the potential privacy risks which will also be done prior to 30 June 2020.

Treasury noted that in terms of timing, it is clear that COVID-19 has had some practical impacts on the implementation of open banking and that the potential for any delays in that sector will continue to be assessed in the context of any flow on effect to the energy sector.

Treasury has noted that they are aware that retailers have written to the Minister for Energy raising concerns that there are a number of other things they have to focus their attention on because of COVID-19 and they’re concerned about the capacity to divert resources to development processes.

Treasury noted that at this time, it is too early to say what the long-term impact will be to the timeline and how it is likely to be affected and that they hope to have more certainty over the next couple of months. They noted that they are not making any decisions to slow down and they are still moving forward as fast as they can and they don’t think there has been any significant COVID-19 direct impact at this stage.

One member noted we cannot underestimate the impact that COVID-19 has had to their business which is pretty significant and certainly not short term and there is a real risk, potentially for some of the smaller players particularly, of the ability to focus a very small resource pool across the business on something like this is coming weeks and months which could be quite problematic.

Another member noted that if energy retailers think there's something significant that’s going to be impacted by COVID-19 which will then have a flow on affect that they might like to engage with energy consumers as well as the Minister.

One member noted in regards to the COVID-19 human impact and some of their team dropping out of projects midstream due to major product pivots to support hardship processes for people and everything has totally changed in the last few weeks.

The Chair noted that we are not talking about development as yet as its not appropriate to start development work until the standards and rules are established which the Minister needs to consent to.  He noted that the banking delays are in relation to development and testing and not on rules consultation and standards.

ACCC Update

Bruce Cooper from the ACCC provided an update as follows:

The ACCC noted that in regards to timing, Treasury has advised that the DI is on the way and the ACCC’s preference is to wait for that before they publish a rules framework for consultation as they will not need to make too many assumptions that might need to be adjusted at a later date. It was noted that they might revisit that, the timing of publishing the rules framework, if the timing on the DI changes.

ACCC noted that in regards to the impact of the pandemic, they have been looking across a range of agency-wide activities on the impacts of COVID-19, and whether stakeholders are impacted by their ability to respond to a consultation or by enforcement activity.  It was noted that the ACCC does not intend to press pause on CDR implementation but to proceed cautiously and being sensitive to the impact of the pandemic on others.

Meeting Schedule

The Chair advised that the next meeting will be held remotely on Wednesday 27 May 2020 from 10am to 12pm.

Other Business

No other business was raised.

Closing and Next Steps

The Chair thanked the Committee Members and Observers for attending the meeting.

Meeting closed at 11:45