Amending Consent Workshop

Dear Consumer Data Right participants and other interested parties,

On September 8th, 2020, the DSB's Consumer Experience Working Group ran a half-day online workshop to gather community feedback to inform the development of intuitive, informed and trustworthy amending consent experiences, which refer to changes to a consent after the consent has been established.

The workshop was well-attended and input was provided by a range of representatives from the financial industry, energy sector, the community sector, other industry representatives, and various government agencies. Key themes and queries rising from the workshop activities are covered in this summary, along with responses, next steps and links to useful materials.

The feedback and artefacts from the workshop will be used to inform both the direction of the CX Working Group and also any decisions to be made by the Data Standards Chair and ACCC as appropriate.

What We Did

Workshop attendees were given the opportunity to provide feedback on a range of amending consent concepts with the goal of:

  • Providing feedback in areas of improvement, note issues, and pose questions for clarification
  • Weighing up considerations for interim and future states
  • Development of feedback items into new ideas to explore and action

Workshop artefacts and outputs from the day are available on a public Miro board. Snapshots of outputs can be found below:

Key Themes

A wide range of issues and opportunities were identified in the workshop. The CX Working Group has consolidated these contributions into key themes, as follows:

Design Patterns

  • There is a need to emphasise 'what's new/changing' for amending consents, but this needs to be balanced with making sure consumers understand what their existing consent comprises
  • It is important to show the accounts associated with a consent
  • It is important to communicate the value of the change so consumers understand why an amendment is necessary and/or useful
  • The merits/challenges of accommodating multiple changes vs only allowing one change at a time need to be considered

Conflating Authentication & Authorisation

  • Attendees were open to simplification, but noted the need to highlight original terms vs what will change
  • The authorisation is where consumers see associated accounts, and this ability to review accounts should not be dropped.
  • The authorisation step is a form of playback and 'agreement' that the following will happen

Consent Duration

  • It would be beneficial to have more flexible 'duration' options
  • Consumers may not be aware that historical data will be collected and used

Workshop Queries

A range of queries were raised by workshop participants, which have been themed and consolidated into the below areas. The responses given are based on current state and possible future changes to the rules and standards; as such, some of the below positions are subject to change based on the proposed new rules consultation

Joint Accounts

Queries:

  • How does amending consent work for 2-to-authorise? Will the JAH2 be required to approve amendments?
  • How will notification work for both 1-to-authorise and 2-to-authorise?

Response: The ACCC is consulting on proposed new rules 'to the effect that regardless of which disclosure option is selected, if joint account holder A amends an authorisation, the data holder must notify joint account holder B of the nature of the amendment. The proposed rules do not provide for joint account holder B to ‘approve’ any amendments to the authorisation.'

The implication of this proposal is that Joint Account Holder #2 ('JAH2') will not be required to approve consent amendments, regardless of which disclosure option is chosen, but 'JAH2' will be notified when amendments are made that require JAH1's authorisation. This notification is not expected to occur when uses are amended, or disclosure consents on the Accredited Data Recipient (ADR) side are established, as the Data Holder (DH) has no oversight of these occurrences.

Consent Management

Queries:

  • How does overall consent management fit into this?
  • These are event-based, what does a user-initiated amendment look like?

Response: The proposed new rules allow consumers to amend their consents at any time through their ADR dashboard, in line with what is possible for the associated use case. It is also proposed that ADRs be allowed to invite consumers to 'amend a current consent where the amendment would:

  • better enable the accredited person to provide the requested goods or services to a consumer; or
  • enable the accredited person to provide modified goods or services that have been agreed to by the consumer.'
Data Holder Dashboards

Query: DH dashboards are limited in their utility if limited information is not available. Should consumers should have ability to manage all aspects of consent on both dashboards (DH & ADR)?

Response: The proposed new rules are only considering consent amendments to be possible on ADR dashboards. As the consumer's good or service, and legal consent, are on the ADR side, and the DH has no oversight of the purpose or related implications, making amendments to a consent on a DH dashboard may result in negative service impacts or a technical consent that differs from the original legal consent. If CDR participants consider more functionality on DH dashboards to be required, we encourage these points to be raised as issues on the GitHub standards maintenance page.

Consent Duration

Queries:

  • Is duration set to fixed amounts of time?
  • Does this include the ability to decrease existing consent duration?
  • Is it possible to offer consumers granular consent to elect date ranges?

Response: Provided the ADR offers this functionality, the rules and standards do not prevent an ADR allowing a consumer to select and amend durations at a granular level, so long as the consent period does not exceed 12 months.

Extending Duration

Query: When does the 'new duration' start? Is it from the day of a consumer actions the 'extension' or added to the end of the original consent?

Response: The 'new duration' is not added to the end of the original expiry date. If a consent is extended by 12 months, the new 12 month duration begins when the consent is amended.

Software Products & Use Cases

Query: Do we need to have separate products for separate uses?

Response: No. A single software product can offer multiple use cases. The introduction of concurrent consents allows a single software product to have multiple consents. This allows a single software product to have separate consents that are specific as to purpose.

Query: Does the software product have to be registered?

Response: ADRs must nominate software products they intend to operate in the CDR ecosystem in their accreditation application, or through a change request once they are active in the ecosystem. Each software product must undergo on-boarding and once active undertake client registration with Data Holders before consent and data sharing requests can be made.

Query: Do different consents have different data scopes?

Response: The introduction of concurrent consent will allow different consents to have different data scopes. This facilitates specific as to purpose consents, while also mitigating the need to bundle different consent terms into a single consent.

Query: Is it possible for the amendment to be a change in purpose? As in, you signed up for X product and shared data... now we'd like to change X to Y product?

Response: New CDR rules are being proposed to allow ADRs to invite consumers to 'amend a current consent where the amendment would:

  • better enable the accredited person to provide the requested goods or services to a consumer; or
  • enable the accredited person to provide modified goods or services that have been agreed to by the consumer.'

This implies that ADRs can evolve their offerings over time and invite consumers to amend the use terms of their consents accordingly, but additional 'uses' and amended 'purposes' must relate to the goods or services that the consumer has requested. The rules consultation paper states that this constraint is being considered to 'ensure accredited persons are not ‘spamming’ consumers in order to seek additional data or uses.' If an ADR invites a consumer to amend their consent to receive an evolved offering, the ADR needs to ensure that the consumer comprehends the change and maintains control of their consent.

Amending vs New Consents

Query: How does an ADR choose between amending existing consent and creating a new consent?

Response: The proposed new rules suggest that ADRs can invite consumers to amend existing consents to help deliver the current or a modified version of the goods or services the consumer has requested. The scenarios presented in the workshop outlined how amendments may occur based on this assumption

A new consent may be required if the purpose, duration, or datasets are distinct from the existing consent. The intention would be to limit the number of 'uses' that are bundled into a single consent, noting that the rules currently allow 'direct marketing' to be added as an additional use, and the proposed new rules introduce 'general research' as an additional use too.

If a new consent were required, the ADR could choose to create a concurrent consent. Concurrent consents could be appropriate to establish consents that are 'specific as to purpose', comply with the data minimisation principle, and where different durations/datasets may be required. For example:

Consent 1: ADR requires [datasets 1 and 2] for [3 months] to provide [x purpose]

Consent 2: ADR requires [datasets 3 and 4] for [12 months] to provide [y purpose]

Authentication

Query: How can authentication be made stronger and more seamless?

Response: Various participants have raised a range of authentication models, such as decoupled authentication, and what is referred to in UK Open Banking as 'app to app', along with the use of biometrics and other mechanisms beyond the use of One Time Passwords. The CDR authentication model was put in place to establish a consistent baseline, but the DSB is looking into opportunities to simplify authentication and establish stronger and more seamless links between customer and consent for amending consent purposes.

ADR & DH Communication

Queries:

  • How will the type of desired change be communicated between Data Recipient and Data Holder?
  • Will there be enhancements to allow ADR to pick/choose specific use cases and for DH's to provide relevant experience to consumers
  • What's the view of having messaging back and forth between ADR and DH to confirm what's happening?

Response: Simplified amending consent experiences are being considered for a 'future state' so they can be consulted on further, but an 'interim state' will be proposed to provide consumers with the ability to amend consents as soon as practical.

An interim state amendment could work as suggested in the proposed rules consultation draft, where 'the technical implementation will be as per the current data standards. That is, while a consumer may be legally amending their consents, technically the process will be to call the revocation endpoints of the relevant data holder(s), and create a new consent with the “cdr_arrangement_id”. This means that the technical process for amending consents and authorisations will be to remove the existing consent and authorisation and replace it with a new one.'

A 'future state' amending consent experience will need to consider and consult on how existing requirements might be enhanced to allow ADRs to specify the change that is occurring, if this solution is considered appropriate.

Consent Purposes and Granularity

Queries:

  • Is it easier to have separate consents for different purposes?
  • How do we move towards fine grained consent?

Response: The DSB is currently considering how to support more fine-grained consents, including by better supporting ADRs to structure consents in a way that better supports their use cases while being specific as to purpose and compliant with the data minimisation principle.

Value Propositions and Triggers

A number of workshop participants sought more context for when consents might be amended, including how value propositions and 'triggers' may be framed. The following reports contain more complete, end to end, flows that were tested in consumer research. These prototypes simulated value propositions that could trigger consent amendments, and the reports provide results and recommendations based on this research that touch on the themes and concerns raised in this workshop:

The CX Working Group is also developing wireframes to illustrate how key proposed new rules currently being consulted on could work in practice. These wireframes illustrate a range of value propositions and triggers for various amending consent scenarios.

Next Steps

CDR participants are encouraged to engage with the proposed new rules consultation, which propose that consent amendments be allowed and suggest a proposed compliance date of July 2021. The CX Working Group will consult on an 'interim state' to support this compliance date, with a future state for simplified amendments planned for a later stage.

To initiate this discussion, the following wireframes have been developed to outline a possible 'interim state' for amending consent scenarios where datasets, duration, and uses are amended. Further interim state scenarios for amending consent are being considered, including the adding and removing of accounts from existing consents.

NB: These wireframes were developed to illustrate how the interim state for amending consent could look, but are not to be taken as decisions or compliant examples.

Contribute

In line with the proposed new rules consultation, an interim state amending consent proposal will be published on the GitHub standards page for community consultation. In the meantime, we encourage CDR participants to post queries, issues, and proposed changes on the GitHub standards maintenance page. You can also provide feedback directly to us at contact@consumerdatastandards.gov.au.

If you'd like to keep up to date with the CX Working Group you can sign up to our mailing lists, subscribe to this blog, and keep an eye on our reports page for the outputs of our consumer research and community sector engagement.

Best regard,

The CX Working Group