Minutes - 12 Aug 2020

Data Standards Advisory Committee, Meeting Minutes

Date: Wednesday 12 August 2020
Location: Held remotely via WebEx
Time: 10:00 to 12:00
Meeting: Committee Meeting No: 8


Attendees

  • Andrew Stevens, DSB Chair
  • Lawrence Gibbs, Origin Energy
  • Peter Giles, CHOICE
  • Melinda Green, Energy Australia
  • Joanna Gurry, NBN Co
  • David Havyatt, ECA
  • Joe Locandro, AEMO
  • Frank Restuccia, Finder
  • Lisa Schutz, Verifier
  • Aakash Sembey, Simply Energy
  • Ed Shaw, Ausgrid
  • Lauren Solomon, CPRC
  • Dayle Stevens, AGL
  • Barry Thomas, DSB
  • James Bligh, DSB
  • Rob Hanson, DSB
  • Terri McLachlan, DSB
  • Michael Palmyre, DSB
  • Mark Staples, Data61
  • Bruce Cooper, ACCC
  • Michelle Looi, ACCC
  • Fiona Walker, ACCC
  • Ashley Bartlett, Treasury
  • Aaron Lester, Treasury
  • Ben Johnson, ERM Power
  • Van Le, Xinja Bank

 

Chair Introduction

The Chair of the Data Standards Body (DSB) opened the meeting and thanked all committee members and observers for attending meeting no 8.

The Chair noted that the DSB are working on a discussion paper in relation to a view of the commonplace consents that exist in the market which will be completed in the next couple of days. The Consent Comparison Noting Paper includes not only the research work on types of consents but also some of the CX feedback through the various rounds of CX research. He thanked Lisa Schutz (Verifier) who supported the discussion on that. The report will be circulated to the Advisory Committee members for feedback and also added as a discussion point for the next meeting.

ACTION: Add the Consent Comparison Discussion Paper to the agenda for the next meeting

The Chair noted that Ben Johnson (ERM Power) and Van Le (Xinja Bank) are apologies for this meeting.

Minutes

Minutes

The Chair thanked the Committee Members for their comments and feedback on the Minutes from the 8 July 2020 Advisory Committee meeting. The Minutes were taken as read and formally accepted.

Action Items

The Chair noted that the Action Items were either completed or would be discussed later at this meeting.

Working Group Update

A summary of the Working Groups progress since the last committee meeting was provided in the Committee Papers and was taken as read.

Technical Working Group Update

A further update was provided on the Technical Working Group by James Bligh as follows:

The DSB noted that a lot of the activity in the Technical Working Group has been focused on the maintenance of the existing/baseline standards; however, that has not been without interest for the energy sector. Most of the changes made recently are to the Information Security Profile and are directly relevant to electricity.

The DSB noted that the expectation is that v1.4.0 of the Consumer Data Standards will be released today.

The DSB noted that the approved rules have requirements on how the standards consultation is conducted which came into effect on the 1 August 2020. A Noting Paper was provided to the committee outlining how their process aligns which they welcome feedback on. The ACCC has also been provided with a copy of the noting paper.

The DSB noted for the energy sector specifically, they had a fruitful retailer workshop on 4 August 2020 which was well attended, and the contributions were excellent. They are now well placed to do the retailer specific payloads and have given out sample indications via the workshop as to where they intend to go with the payloads to implement the designation, recognising that it's subject to the designation and the rules as they are developed. It was noted that, because of the contribution from the retailers, they are now in a position to at least get a draft position on accounts and billing. This work is being co-developed with the CX team and one of the key considerations for these particular data sets is that they get the boundaries correct so they do not include too much sensitive data or data that should be separately consented to in one consent. They hope to have the consultations out shortly.

The DSB have been working with Energy Made Easy (EME) and Victorian Energy Compare (VEC) on generic tariff data and provided them with their initial position for feedback and which is now open for public consultation until 21 August 2020. They also thanked Australian Energy Market Operator (AEMO) who gave public feedback on NMI standing data. They are also doing some initial work on usage, and as AEMO are experts on what they hold around usage, they are helping with the initial draft which will be made public shortly.

The DSB noted that they are having regular calls with retailers facilitated by the Australian Energy Council (AEC). These are not consultations; they are bilateral and multilateral meetings to raise questions for clarification and discussion. The DSB are encouraging people to post on GitHub if there's any formal feedback. This type of forum helps the DSB gauge if they are going too fast or too slow and the feedback they have received is that stakeholders are keeping up but they would like a slower pace. The DSB noted that it feels like they are going at the right speed. Finalised standards are, by definition, impossible prior to final rules and the schedule that the ACCC has for Q2 for final rules means finalised standards are a fair way in the future as yet but it would be good to get a baseline draft so they are consulting on a full set of clusters as soon as they can. This will allow them to compare the rules as they evolve with the standards as they evolve in parallel.

The Chair noted that it is better to maintain a pace recognising that there are two to three separate review points still to come before the standards become final and binding.

The DSB noted that, looking ahead regarding engineering tools, they are very early in the process for the electricity sector, but if there is any particular tooling that participants feel would be helpful, it would be good to start looking at that process early: the more lead time the better.

One member noted that they have been speaking to some of the banks to get a better understanding about what they’re getting into and they're talking a lot about speed requirements. When does that come out in the data standards?

The DSB noted that performance requirements are currently in the data standards. There is a section called non-functional requirements (NFR) that articulates them but they haven't been made binding because the expectation from both the DSB and the ACCC has been that it is very hard to set NFRs with no implementation. They noted that for the electricity sector virtually all of those NFRs are applicable mainly to AEMO as the gateway. It is only the data clusters specific to retailers that apply, because AEMO won't cache that data. It was noted that when it comes to the majority of the data sets, it is AEMO that will have to meet those NFRs on behalf of the ecosystem.

One member noted that they are re-platforming their digital landscape in support of five-minute settlement. They have very high-speed Cosmos databases and cloud platforms and a whole lot of technology that is required to meet the market conditions. They don’t think the performance part will be an issue and noted that they are not working off legacy for their gateway - it is all new technology stacks.

The Chair noted that this probably has its own group of challenges and risk, and the story out of the banking regime is that working out of legacy was a big issue for them so this news is encouraging.

The DSB noted that on NFRs they have lined them up with existing channels that the banks already use and tried not to be more aggressive than the banks are themselves with their own digital channels. They have tried to avoid the Consumer Data Right (CDR) being seen as a second-class (i.e. lower performance) citizen.

One member noted the AEMO gateway is not a gateway in relation to the AEMO data sets. Under the current plans for the authentication model that doesn't solve anything, because the retailers still have to be involved in authentication in every single case and the NFRs will be relevant to how speedily anyone gets their data because it will depend on how quickly the retailers are responding to the authentication requirements.

The DSB noted that this was not 100% accurate. Authentication only applies at the time of consent and we currently don't have any NFRs set around that particular part of the process. The NFRs apply to the delivery of CDR requests which happen after consent is established. The authentication from that perspective to the current interface is not actually overly relevant and it is true that AEMO will have to be involved in every CDR request and effectively NFRs are cast in terms of the service offered to recipients which is a gateway issue. The retailers have to comply with the NFRs but only for the data clusters for which they are directly data holders.

The member stated that this opens up something which he hadn't been aware of before which is the performance requirements on consent. One of the important use cases is when people are able to transact for example price comparison service in real time, and if there is no requirement or time on the consent, how do we get an outcome?

The DSB noted that for requirements on consent, it’s very hard to do objective, measurable response time NFRs around a human interactive process. So, the fact that there is an absence of NFRs doesn't mean there aren’t compliance rules requiring a certain level of performance. The rules themselves require that the consent is done in a reasonable fashion, and that it's responsive and provides a good customer experience.

The DSB noted that they would welcome their contribution to the consultation of the NFRs which is currently open.

CX Working Group Update

A further update was provided on the CX Working Group by Michael Palmyre as follows:

The DSB noted that v1.4.0 of the CX Standards and Guidelines is being released today.

The DSB noted that they have the first findings from the Consumer Policy Research Centre (CPRC) engagement which is a review of the standards and guidelines based on how well they deliver on consumer needs and expectations.

The DSB noted that there was an Energy Data Language Workshop which was jointly run by the CX and Technical Teams which was incredibly useful and insightful. They have a strong foundation for moving forward with the first well informed iteration of data language and clusters.

The DSB noted that there is also a CX Workshop coming up on 18 August 2020 with a focus on Enhanced Error Handling. This workshop follows the series of banking error handling workshops but the CX approach will be much broader. They will be talking about error handling, error states, but they’re also broadening it to be more about things that could go wrong for the consumer when they're interacting with the consent model. They encouraged energy stakeholders to register for the workshop as it will be a great opportunity to come in early and look at what could go wrong and think about how the energy sector is being conceived currently. It will be a very broad and generative workshop and a lot of opportunities to highlight unhappy paths.

One member asked if these workshops are open to retailers. The DSB confirmed that the workshops are open to everyone.

Community Engagement

The DSB noted that the Data Holder call has been rebranded to the CDR Implementation call and these calls broadly relate to how we make CDR implementation work and are also a great opportunity to speak to the DSB and the ACCC.

The DSB noted that the outputs from these interactions are progressively being added into the help desk (Zendesk) and they are trying to get to a point where every question that has been asked is discoverable. They are also in the process of setting up an extension of that help desk which will facilitate the community to help themselves by sharing their insights and their journeys as data holders or data recipients.

CX Research Stage 3 Findings

A further update was provided on the CX Working Group by Michael Palmyre as follows:

The DSB noted that they have conducted three rounds of research from June to August this year covering the topic of amending consent. What they wanted to find out in this work was how might we be able to provide intuitive, informed and trustworthy amending consent experiences. This differs from just simply consenting in the first instance, and the reason for that is there are different aspects to consent for example “adding or removing a use of an existing consent”, “adding or removing a dataset from an existing consent”, “extending the duration of an existing consent” and “adding or removing accounts from an existing consent”. Typically, consent is up to 12 months so this is good for the first consent but how would that consent be amended? What about where the ADR uplifts their offering by having a new use for the datasets they've collected? Or the consent naturally comes to an expiry date and the consumer wants to continue sharing their data for that consent? Or, with natural CDR phasing, where the ADR may not have access to detailed authorisation scopes or certain account types until a later phase?

The DSB noted that as part of this work they explored a number of different prototypes and there were specific questions that they wanted to explore. They established a baseline by re-engaging some participants, as part of a longitudinal study, to understand how much trust they placed in the process the first time they went through it, how much did they comprehend, and how well could they recall the terms of consent etc. They used various tests like the Likert scale and a comprehension and recall test. This established a baseline to understand and assess the amending consent experience against the first instance of providing consent.

The DSB noted that some of the specific things that they wanted to test included how to simplify consent amendment, for example: can you preselect certain components without impacting trust and consent quality, and could that pre-selection be leveraged to visually distinguish those components to signify new versus existing consent terms? Could we summarise the key points and what impact does this have on trustworthiness and consent quality?

The DSB noted that they used a modular approach to simplify consent amendment based on the different dimensions of a consent (duration, datasets, use & accounts). They simplified flows based on each specific change but did so in a way that multiple change components could be included to tailor the flow to the outcomes being sought.

The DSB noted that the first amending consent concept was for “amending duration”. In this concept, the flow could be simplified by dropping the account selection and authorisation flow components to effectively conflate authentication and authorisation. The same could occur for the “amending datasets” flow. The “amending use” is slightly different. For example, a use-only consent assumes that a consent has no disclosure or collection occurring anymore, only use. As use happens entirely on the ADR side, not the data holder side, it inherently simplifies the process as there is no authentication required.  For “amending accounts” they are looking at how the flow can be more intuitive. Currently adding or removing accounts could be done on the DH dashboard, but this means the ADR might not have much oversight. We developed a concept where this process would be initiated on the ADR side, where only the account selection step is surfaced following authentication.

The DSB noted that these concepts are modular, creating enough flexibility for amending consent flows to focus on a single change component or multiple components in the one flow such as, for example, extending the duration while amending accounts.

The DSB noted that these concepts were tested with 48 consumers across Australia, in which the amending consent experience was compared with existing data sharing experiences and expectations. The consumer types consisted of a mix of individuals, sole traders, small businesses who had a mix of different levels of literacy and privacy awareness.

The DSB have developed a canvas with aggregated insights from the last 14 months with 96 participants, which shows generalisable and consistent themes in relation to data sharing and CDR. These themes remained consistent and important for amending consent experiences. For example, CDR is considered better than existing practices, but participants are still cautious about data sharing; they value transparency and regulation, which builds trust in the parties and the ecosystem; the value proposition needs to be relevant and articulated; the presence of known and authoritative parties fosters trust and legitimises the process.

The DSB also tested the level of trust placed in the process and CDR over time and following repeated interactions with the consent model. Using the Likert scale, they had consumers self-assess how trustworthy the process was and found that the level of trust in the process increases with increased familiarity, though the addition of unknown parties did decrease trustworthiness.

The DSB noted that in regard to comprehension, the first time going through that consent flow the ability to accurately recall consent terms was higher than expected (78%). This increased to 94% accuracy after completing amending consent flows. This highlights how important the time-limited nature of consent is and that it's an important intervention to ensure that consent remains current and informed, while also facilitating comprehension and consent and data literacy.

The DSB noted that the need to “opt in” rather than “opt out” is analogous to an unsubscribe model. People saw it as important to receive reminders at regular points because it provided transparency.

The DSB noted that in regard to simplifying amending consent they found pre-selecting those components didn’t reduce consent quality and that participants understood pre-selection to signify datasets, uses, and accounts that they had previously agreed to share.

The DSB noted that in regards to conflating authentication with authorisation, it did not negatively impact trust or comprehension.

The DSB noted that they are confident that the designs are a good starting point for providing intuitive, informed and trustworthy amending consent experiences but they do have questions around the use only consents and it would be useful to further define those so they can be properly supported and understood. For comprehension, recall remains very high and that was definitely understood well by participants as well as trust and consent quality when flows are simplified.

The DSB noted that these are all preliminary proposals that need to be reviewed for technical and policy impacts. There is a Miro board outlining all of the concepts.

The DSB noted that a report on amending accounts, which considers a number of other issues and possibilities, will be published in the coming weeks.

The Chair asked the CX team whether, for the model conflating authentication and authorisation, they had researched the case where someone had an existing consent arrangement in, say, energy and wished to then add banking data (i.e. from another data holder in another sector), and how this would work.

The DSB noted that they hadn’t explored that but will look at that in the next round.

One member asked if a copy of the slides could be made available and the Chair noted that a link to the slides will be provided in the minutes.

Another member asked if there had been any work, or plans to do work on how consumers understand the relationship between the retailer and CDR and the consent flow and their ADR’s? They noted that this is great in isolation, but it might be confusing for consumers.

The DSB noted that in the last round they researched adding or removing accounts from an existing consent for example, they conducted a survey of existing apps to understand how this currently occurs and the analogous situations for things like subscriptions. There was a general expectation that this would occur on the ADR side and their view on this is that where consumers are receiving a service from the ADR, that's also where they will realise the value of consent amendment. It could also happen other ways like the rules currently require a ninety-day notification to be sent to the consumer to say, “did you still know who you’re sharing data with”?

One member asked if we researched whether people thought 12 months was an appropriate timeframe for consent and did it vary based on the types of data that they would be consenting to share? Also is there any scope to give control back to the consumer?

The DSB noted that they didn’t do it in this round but they have done it in previous rounds of research. The important thing to note is that no one queried the timeframe but in previous research it really depended on the use case.

One member noted that on the user centric piece, it depends on the person, on the use case and they may have different attitudes depending on the data. They asked if they have surveyed them about an activity they're already doing and asking everyone the same questions?

DSB noted that their research sessions have always started with a generative discussion around what the participant’s existing data sharing experiences are, who they share data with, what apps do they use etc so they can get an understanding of where they may already be sharing data, and how they feel about current ways of sharing data. Generally, participants have felt disempowered and resigned about current data sharing practices, as our switching canvas artefact shows, and this is supported by global bodies of evidence. CDR is generally seen as a more privacy preserving measure compared to those existing experiences.

The member asked that at the moment the assumption is that we have one set of screens that cater for the feedback that you're getting from humans. They are interested in how over time that might be abstracted. At the moment we're assuming that the innovation and evolution of consent is a central process and could this research turn into principles that allow the data recipients potentially to innovate within guiderails.

The DSB noted that they are beginning to partly do this by experimenting with chunking up things into different components and allowing amending consent experience, not just a one size fits all, something that is tailored more to the outcome.

The Chair thanked the CX Lead for his presentation and noted that this is one of the real joys with an opportunity to explore and establish these concepts for Australia.

ACCC Update

Bruce Cooper from the ACCC provided a general update as follows:

The ACCC noted that, in regard to a previous conversation about what will prompt a consumer to use a data recipient’s dashboard to manage their consents, it is important to note that the consumer will be able to see what consents are in place in dashboards maintained by both the data holder and data recipient. In the banking context the consumer will be able to identify what data is being shared and with whom every time they use the internet banking app.

The ACCC also noted that in regards to the discussion on whether 12 months is an appropriate time for expiry of consents; originally the ACCC considered that consent should last for only 3 months. There is a balance that needs to be struck between protections that go with data becoming obsolete when a consent expires and convenience of longer, or indefinite, periods of consent.

The ACCC noted that in regard to the comment on principles, there is a suggestion that some of the consent requirements are too prescriptive. Again this is an area where it is necessary to strike a balance. It was noted that one of the issues the UK faced was that the initial highly principled approach led to consumer experiences that were varied and caused some confusion. The ACCC is seeking to provide additional certainty without being over-prescriptive and indicated that it welcomed feedback on whether the current approach had found the appropriate balance.

The Chair noted that it's worth reminding ourselves at regular intervals that the intention of the CDR is not to hand control of consumers' data from a data holder to a data recipient. We want to hand control of that data to the consumer and therefore getting a balance on this point is an important element of it. He recognises over time, as people become more familiar, this will be a really significant piece of work and thinks that consent will never be the same again in Australia.

The ACCC noted that they held a webinar workshop on Tuesday 11 August on the draft energy rules framework and wanted to thank all the members that attended for their contributions. The consultation closes on the 28 August 2020 with the next step being to consider the responses to the issues that were raised and come out with a draft set of rules which they will consult on again with a view of putting out the rules next year.

One member asked about the comment raised about consumers knowing from their internet banking what data they are sharing; can you expand on that for energy? As much as they would like customers to use the energy portals it is not quite as top of mind or as frequent as the need to go there as internet banking.

The ACCC noted that AEMO might be part of the solution but they are not a household name either. They needed to factor that in the work as they go forward and it is a difference in the sectors.

Treasury Update

Aaron Lester from Treasury provided an update as follows:

Treasury would like to introduce a new member of the team who has joined this week – Ashley Bartlett who will be helping out on all things in CDR energy.

Treasury noted any potential decisions on CDR implementation for energy in the budget would be still under consideration by Government. They are continuing to work through their queries internally and externally on the external dispute resolution but still haven’t come to any definitive position as yet.

The Chair welcomed Ashley to the CDR more broadly. He also asked when can Treasury give us, even at a high level, some indication of what we might expect in the budget.

Treasury noted that it will more than likely be 7 October 2020, the day after the budget.

One member asked where is Treasury at in regards to the third/fourth cab off the rank for designation?

Treasury noted that there has not been any initial work on a further sector. The inquiry into Future Directions is due to Government in September and they are waiting to see where that lands. They noted that future sectors don’t have the transitional provisions that were in the legislation that allowed banking and energy to move a bit faster. There will need to be the full sector assessments for any future sectors which will initially slow them down, but their intention is to start to speed up the roll out across sectors.

The member noted that now we are past the transitional point, if a consumer advocate in another sector wants to progress the CDR for their sector, is the first port of call ACCC or Treasury? Treasury noted at this point in time it would be Treasury noting that there is no specific process for selecting what is the next sector, and it is a policy decision for Ministers.

The Chair noted that the prospect of having the rules and the standards in such a position that sectors could self-designate where they could approach Treasury or Government and say they would like the CDR to apply in their sector is still a little way off.

The ACCC noted that the announcement for the third sector remains as telco as far as they understand it. They also have the function of the sectoral assessment.

The member also asked that in the energy space, we have a designation of data sets which we are all comfortable with, but they can identify the next set of data sets they want to add? Is that back in the ACCC court to recommend to Treasury?

Treasury noted that is correct, but at the moment they are not looking at extending the designation instrument until obviously the first part of energy is functioning.

Other Business

The DSB confirmed that during the meeting Version 1.4.0 had just been released and is now available.

The Chair noted that they will meet with the ACCC to determine the proposed key issues to address at the upcoming meetings.

ACTION: DSB & ACCC to meet to determine the key issues to be discussed at meetings

Meeting Schedule

The Chair advised that the next meeting will be held remotely on Wednesday 9 September 2020 from 10am to 12:00pm.

Closing and Next Steps

The Chair thanked the Committee Members and Observers for attending the meeting.

He also thanked the committee for their ongoing commitment in advising the DSB and for providing such general and fulsome support to the DSB, ACCC, Treasury & OAIC.

Stay safe and well.

Meeting closed at 11:25