Data Standards Advisory Committee, Meeting Minutes
Date: Wednesday 12 May 2021
Location: Held remotely via WebEx
Time: 10:00 to 12:00
Meeting: Committee Meeting No: 16
- Andrew Stevens, Data Standards Chair
- Jill Berry, Adatree
- Lawrence Gibbs, Origin Energy
- Peter Giles, CHOICE
- Joanna Gurry, NBN Co
- Joe Locandro, AEMO
- Frank Restuccia, Finder
- Lisa Schutz, Verifier
- Lauren Solomon, CPRC
- Barry Thomas, DSB
- James Bligh, DSB
- Ruth Boughen, DSB
- Rob Hanson, DSB
- Terri McLachlan, DSB
- Michael Palmyre, DSB
- Mark Verstege, DSB
- Paul Franklin, ACCC
- Mark Staples, Data61
- Athena Jayaratnam, OAIC
- Kate O’Rourke, Treasury
- Jessica Robinson, Treasury
- Jodi Ross, Treasury
- Fiona Walker, Treasury
- Louise Benjamin, ECA
- Melinda Green, Energy Australia
- Aakash Sembey, Simply Energy
- Dayle Stevens, AGL
The Data Standards Chair (Chair) opened the meeting and thanked all committee members and observers for attending meeting # 16 of the energy sector Data Standards Advisory Committee.
The Chair noted that good progress has been made in the last month with the Technical Working Group releasing v1.8.0 and v1.9.0 of the standards and completing Maintenance Iteration # 6. The Consumer Experience (CX) Working Group has been working closely with the rules team on CX changes related to the v2 Rules and has concluded its engagement with the Consumer Policy Research Centre (CPRC).
The Chair noted the Data Standards Body (DSB) held a series of workshops with the OpenID Foundation (OIDF) which were well attended and received.
The Chair noted that a new Software Engineer will be commencing with the DSB at the end of May.
The Chair noted that Louise Benjamin (ECA), Melinda Green (Energy Australia), Aakash Sembey (Simply Energy) and Dayle Stevens (AGL) are apologies for this meeting.
The Chair thanked the Committee Members for their comments and feedback on the Minutes from the 14 April 2021 Advisory Committee meeting. The Minutes were taken as read and formally accepted.
The Chair noted that the Action Items were either completed or would be covered off in scheduled discussions.
Advisory Committee Refresh
The Chair noted that the banking Advisory Committee current membership runs through to June 2021. Given the changes in engagement that Treasury are in the process of exploring and the requirement to implement a whole of economy, cross sector Consumer Data Right (CDR) he thinks it’s appropriate that we merge both our Data Standards Advisory Committees back to one Advisory Committee from July 2021.
Therefore, the Chair noted that both Committees will meet as one committee, between 10am to 12pm on the second Wednesday of the month from July 2021 until November 2021, which is when membership of the energy Advisory Committee is due for renewal, at which time the membership of the combined committee will be re-considered.
Consequently, the Chair requests any members who would like to opt out, or perhaps nominate someone else from their organisation with effect from July onwards to let him know.
ACTION: Members to advise the Chair if they would like to opt out of the Advisory Committee from July 2021
Working Group Update
A summary of the Working Group’s progress since the last committee meeting was provided in the Committee Papers and was taken as read.
A further update was provided on the Technical Working Group by James Bligh as follows:
The DSB shared some insights from the workshop on “Energy | Draft Standards API Feedback”, which was held on 11 May 2021, as this will be instructive on how the DSB will proceed with consultation for the energy Draft Standards going forward.
At the workshop the DSB spent time talking about the standards statuses and the Design Paper that's open for consultation. The DSB then spent time eliciting participant insights around where they think the DSB needs to focus its energies.
The feedback received was a mixture of standards and policy related issues. From a standards perspective, one thing that came out strongly was the necessity to focus on generic tariff data. Another issue raised at the workshop was on corporate and institutional customers, in terms of eligible customers and various sizes for large customers. Following the feedback, the DSB and Treasury (TSY) have reached out to John Milne from Australian Energy Regulator (AER), and will also reach out to the Australian Energy Council (AEC) to work through the feedback.
There were also questions raised at the workshop about known issues such as complaints and data from previous retailers. There were also questions from the retailer coming from the peer-to-peer (P2P) model as the Designation Instrument states that the Australian Energy Market Operator (AEMO) is the data holder for usage data. Some of the retailers have usage data and they are asking why they can’t just provide it, which is an interesting standards, policy and legal question to face into.
Lastly, an item was raised at the workshop about implementation dates and stakeholders were looking for guidance for planning purposes and general understanding.
The DSB noted that the workshop provided some valuable input and they will focus some of their consultations in the energy sector according to the feedback to close out some of those issues.
The Chair asked the DSB whether the strong engagement in terms of feedback has continued in the energy sector.
The DSB noted that they’ve had strong participation from AEC who have continued to be really constructive with holding multilateral meetings which have been well attended. They noted in the last standards consultation, there wasn’t a huge number of responses, but some very significant responses. The workshops have also seen strong participation and the engagement is mainly with the larger retailers which is to be expected but it is still a concern. They are also not getting a huge amount of Accredited Data Recipients (ADRs) engagement.
Consumer Experience (CX) Working Group Update
A further update was provided on the CX Working Group by CX Lead Michael Palmyre as follows:
The DSB noted that the CPRC's report on vulnerability has been published on the DSB's community engagement page. CPRC's final draft report on the topic of consent is nearing completion and takes a slightly different approach to previous reports. It moves its emphasis from the problem space to four impact areas, which are (i) empowered consumers, (ii) meaningful participation, (iii) trusted systems and (iv) inclusive and fair outcomes. There is a fair bit of analysis, outcomes, and indicators that signify successful impact and opportunities to measure and support these impacts.
The DSB noted that this report concludes a successful yearlong engagement with CPRC, who have expanded the DSB's ability to receive input from the community sector while also providing advice on key issues relating to consumers, particularly those experiencing vulnerability.
The Chair acknowledged the incredible value of this engagement and the outcomes of the reports, which have been tremendous, particularly because of CPRC's knowledge of the CDR and to give relevance to the CDR context. The Chair thanked the CX Lead and CPRC and teams for their incredible work.
CPRC thanked the Chair and noted that they’re very keen to make sure that the CX research continues to inform the design of the standards and the regulations in particular to make this scheme effective going forward.
The DSB noted that v1.8.0 of the standards was released in April, which incorporated Decision Proposal 144 that relates to the simplification of the amending authorisation process. The CX Artefacts for amending authorisations have also been published to accompany those standards.
The DSB noted that in regard to the Design Papers, Decision Proposal 162 on joint accounts has been incorporated into the joint account Design Paper and will be progressed accordingly. DP162 may open in due course for consultation, but it has been paused whilst the Design Paper work progresses.
The DSB noted that the CX standards for disclosure consents have been drafted to support ADR to ADR disclosures (AP Disclosures), and in anticipation of the access arrangements referenced in the recent Treasury announcement and further analysis on the DH Dashboards issue to support the access arrangements.
The DSB noted that DP160, which covers non-individuals, business partnerships, and secondary users, has been published and is open for feedback.
The DSB noted that they have a workshop coming up in relation to the Joint Account Design Paper which will be in place of the Implementation Call this Thursday.
The Chair asked the DSB to provide some further context around the Design Paper process.
The DSB noted that the Design Paper is a new consultation approach being trialled as a direct result of bringing the DSB into Treasury (TSY), where it’s easier for them to work closely. The Design Paper is intended to provide an opportunity for simultaneous consultation on Rules, policy, standards and guidelines for a change to the Consumer Data Right (CDR). The DSB said this process will enable people to grasp not only what’s intended but what it will look like in practice, and ensure they are fully informed. The Design Papers are preliminary to their other processes and will lead onto Decision Proposals which create the actual standards in support of the next version of the rules. The Design Paper process will allow opportunity for more robust, well informed feedback on the process.
The DSB noted that they still have the challenge of progressing the CDR in a timely manner and there is tension between the need to get everyone’s views and to make informed decisions. The DSB said the time they have available to go through all the processes is limited so the Design Paper window for consultation is relatively short and they encourage everyone to join the conversation on GitHub if they would like to have a conversational style of consultation.
A summary of stakeholder engagement including upcoming workshops, weekly meetings and maintenance iteration cycles was provided in the Committee Papers and was taken as read.
Design Paper Introduction and overview: Peer-to-peer data access model in the energy sector
Jessica Robinson (TSY), Fiona Walker (TSY) and James Bligh (DSB) presented on the Design Paper as follows:
TSY noted that they’ve had fantastic engagement to date informing what has ultimately resulted in a change of the data access model in energy to the P2P data access model to align with the banking model.
The feedback TSY received in the consultation process confirmed some of the feedback they had started to receive ahead of the formal process and reinforced the potential problems that may arise if they continued with the gateway model such as costs for retailers, and providing a model that would ultimately limit to some extent the ability for Accredited Data Recipients (ADRs) to work across sectors as they roll out other sectors.
TSY noted that in the recent Budget announcements, Government has committed to an economy wide CDR with telecommunications being announced as the third sector, with a 3-month process for TSY to assess the range of other sectors that CDR might apply to.
TSY stated that it’s important to make sure that the model being implemented in the energy sector took account of the benefits of having a system based on principles and universality and some consistency in the data access models being implemented.
TSY also said they had commissioned an independent report which Government assessed, along with the other information, and decided it was appropriate to shift away from the gateway model to the P2P model, which TSY noted obviously reduces the role of AEMO. AEMO still remains as a data holder, which will address some of the potential time constraints that were associated with the gateway model, under which AEMO would have had to undertake major system changes to be able to operate as a gateway.
TSY noted that they are seeking feedback on design options for the P2P model by 26 May 2021 via GitHub or via email (email@example.com). TSY will also take into account the feedback received at the energy workshop on draft standards and rules which was held on 11 May 2021.
TSY noted that the first key area of focus for further rules development is the staged approach to implementation. As they are moving to the P2P model, they will need to revisit the preliminary thinking they had on the approach to implementation and they would appreciate stakeholder feedback before they move to a formal consultation process on draft rules in the future.
They are considering whether a staged approach to introducing data holder obligations may be appropriate, which is similar to the approach implemented in the banking sector.
TSY noted that another key area of focus is the approach to smaller energy retailers of which there is a significant number that together only hold approximately 2% of the market share. Consequently, TSY are seeking views on whether there should be a threshold that determines whether or not an energy retailer is required to participate in the CDR as a data holder. TSY clarified that such a threshold will not stop a small retailer from entering voluntarily if they wish to do so.
One member noted that there were many authorised deposit-taking institutions (ADIs) with 20,000 customers who had to meet data holder obligations, but the threshold option was not available to them. They asked the question “Why is this being considered as an option for other industries?”
TSY noted that ADIs can seek exemptions under the regime, but for energy retailing there are quite a number of retailers that have well below 20,000 customers, for example some have only 400 customers and there’s a high degree of new entry coming into energy retailing. A threshold would reduce the burden on retailers, by avoiding the need for a very large number of small retailers to go to the Australian Competition & Consumer Commission (ACCC) and seek individual exemptions.
The DSB noted that this came up in the banking sector, but the difference was that ADIs have obligations on putting forward different digital channels and capabilities and requirements around cyber security, which meant they already had a lot of the infrastructure available to them.
The Chair said he hoped that the CDR will get to the point where the regime is so widespread and beneficial enough for consumers to say that if they go with one energy retailer they will not be able to do anything with their energy data and therefore they will choose someone else; and that it may become a competitive market factor.
The DSB noted that they need to look at an InfoSec question that they didn’t need to look at in banking. The DSB said, in the energy sector, energy has the dual data holder pattern under which retailers obtain data from AEMO. They will need to do standards level consultation on a B2B InfoSec profile and deal with questions around what APIs AEMO exposes to the retailers etc. The DSB said some of the questions that came up in the workshop were about the circumstances in which AEMO will be able to refuse a request, the implications of this and how it will be reported back to the customer etc. The DSB said these are important questions because they have major implications for implementation costs and the regime as a whole.
The DSB noted that the Design Paper includes some positions on this and encouraged the committee to put some thought and consideration into what would be appropriate as it’s a new paradigm for the regime.
One member asked with respect to the liabilities and responsibilities under the peer-to-peer model, who is liable for privacy obligations once the data leaves their systems? They clarified that whilst implementors map the data flows they don’t map the liability flows, so if the data gets consumed or misappropriated where does the liability lie? And if a secondary party gets attacked with a cyber response where does the liability lie?
The DSB noted that this is the strength of the Design Paper concept, as some of these issues can only be resolved through the technical standards and some can only be resolved through the rules and enforcement arrangements. The DSB said this Design Paper is asking those questions and limiting it to one sphere and getting all the issues on the table at the same time, and they encouraged feedback to be provided in response to the Design Paper so they can face into it.
TSY noted there is an existing liability framework set up by legislation and further enhanced by the rules. One thing TSY said they will be looking at closely as they accommodate energy and move into other sectors is how that framework is working and whether it needs further enhancements, because the data flows are relevant to the consideration of the privacy issues. TSY said they had engaged an independent privacy assessor to look at how to manage the issues and risks that arise in relation to privacy as a discrete set of issues from security. TSY announced they have appointed Maddocks as the independent assessor. Maddocks is preparing a privacy issues paper, which they will put out with the draft rules to help inform discussions and feedback on those issues.
The Chair asked about the feedback option and whether it is proposed that, where someone provides feedback via email, that feedback is made open and public to the community.
TSY noted that the person submitting feedback will need to indicate in their email whether or not their intention is for the feedback to be published. TSY also noted that as they are blending different processes, there is an advantage of getting issues aired in a conversational sense via the Design Papers but they have to accept that there will be other ways people can communicate whether they’re via email, discussions or forums etc. TSY said that there will be no automatic publication of emails but if the person providing the feedback by email specifically asks them they will publish them.
One member noted in regard to interoperability, and as we get into a more complex environment, the issue is one of timeliness. They asked if there is a view that we should have SLAs for process response times so that retailers, banks or Telcos don’t hang onto the information over a long period of time?
The DSB replied that this is a standards question although certain aspects end up being addressed in the rules, but for the standards, there are a lot of aspects which they’ve been incorporating from the very beginning. For instance, the DSB elaborated, going back to Farrell’s Open Banking report, the use of RESTful synchronous APIs inherently means a certain amount of timeliness. The DSB also clarified that the standards have an entire section called Non-Functional Requirements (NFRs) which talks about a whole range of qualitative aspects and qualitative functions which is in addition to the requirements of the rules.
TSY noted that the overarching obligation in the principles-based legislation and the privacy safeguards that apply to data holders is around ensuring that data is up to date and accurate, having regard to the purpose for which it is held. TSY said they recognise that in addition to the CDR’s obligations, as new sectors of the economy and their data are designated, these sectors will also be subject to sector-specific regulation. TSY said they are not seeking to regulate the extent of the data held, beyond saying that when you provide it for the purposes of CDR it needs to be accurate and up to date. TSY then added that the Office of the Australian Information Commissioner (OAIC) has published guidelines on that to assist data holders with understanding CDR privacy safeguard requirements.
The Journey from accredited to active Presentation
Jill Berry from Adatree presented on the “Journey from Accredited to active: The CDR Standards in Action” as follows:
Berry noted that they are a CDR platform, a turnkey for data recipients and they have been active since Monday. Berry said she would talk about their journey through the accreditation process as they are the fifth company to go through this in Australia. Berry also said she would talk about what “active” and “accredited” mean.
Berry noted that for accreditation an application is assessed in order to become “accredited” and therefore “accredited” is not a useful status - it’s more a milestone, as it means that you have some policies and processes, fit and proper people and secure laptops with great technical controls but you still can’t receive data.
Berry then explained that after this milestone, an ADR would need to pass all the technical tests in the Conformance Test Suite (CTS) to be considered “active” before being allowed to receive CDR data. Berry suggested “accreditation” has too much emphasis and “active” is the real celebration.
Berry noted that the first companies to go active were Frollo, Regional Australia Bank, Intuit and they were part of the initial pre-CDR go live testing which included 200+ manual tests against the Big 4.
Berry said that new data recipients need to do conformance testing which includes 20 manual tests against the CTS, and that the CTS and the Register were built by NTT, but that the testing is much smaller than the initial pre-CDR testing.
Berry noted that the testing now includes everything along the end-to-end consent lifecycle. Berry said that when Adatree planned their testing timelines, which was based on them being totally compliant and aligned to the standards, they estimated that it would take approximately 4 hours, but to be on the conservative side planned for 3 weeks.
Berry then said, however, that they got accredited on 26 February, completed the CTS on 29 April and became active on 10 May, which did not meet their expectations. Berry stated it actually took them 10.5 weeks (73 days), and they had no gaps in the standards and no bugs. During this process Adatree said they raised 15 bugs with the CTS, which raises a question of whether the CTS is totally conformant to the current standards.
Berry noted that through the bugs they raised, the CTS will be a better experience for future participants, and they would encourage automation for rapid onboarding and encourage the CTS team to set expectations for timelines and steps. Berry reiterated that they also would like to see more detail on “active”.
Berry noted that for anyone who is interested in being an ADR or are on the regulator side, they are running two events with Trend Micro, RSM and DNX.Solutions about “Open Banking in a Box: Launching your Practical Guide to Becoming an ADR”. Reach out directly to Adatree if interested.
The Chair thanked Adatree for their useful insights on the journey.
Paul Franklin from the ACCC provided a general update as follows:
ACCC noted that the Commonwealth Bank of Australia (CBA) and Adatree have gone live which is welcome news and it is good to see the increase in the number of active data recipients.
ACCC noted that they met with Adatree last week, who provided similar feedback as provided in their presentation, and noted that the CTS is new and if there is an opportunity to improve the CTS, they will look to see what can be done.
ACCC noted that at the Intersekt Festival in Melbourne next week, the ACCC team will be holding a round table discussion on going through the accreditation process and the onboarding process and testing. The ACCC said they had hired additional resources to support the testing and onboarding process and they encourage anybody going through the process to reach out to the ACCC with any questions or concerns.
ACCC noted that their main priority is onboarding non major banks in preparation for 1 July which is the next big date.
The Chair asked, in regard to the Adatree experience and the late June peak that everyone is anticipating for CTS in action, whether the feedback they have received is being explored and resolved before the massive peak at the end of June.
The ACCC reiterated that they have put on additional resources to deal with the peak in activity and have been doing a lot of follow up with the ADIs making sure they’re engaging with the CTS as early as possible.
Kate O'Rourke, First Assistant Secretary, and CDR Division Head, from Treasury provided an update as follows:
TSY has reviewed the engagement across the CDR and the different consultation fora. TSY identified a gap as there is a high level of interest from people in the CDR community to engage early at a big picture, design and strategy level.
Consequently, TSY held their first CDR Framework and Design Strategy Forum last Friday and received post UK feedback on the forum. This forum will be held monthly and they are looking forward to working through some of the issues and getting input from the community. TSY proposes to establish communities of practice for more detailed workshops if there’s an issue that a subset of people are interested in.
TSY noted that the Budget announcement on the Digital Economy Strategy was released on 6 May by the Prime Minister with the full strategy released in the Budget. TSY encourages those that are interested in the wider digital issues to review the Government’s Digital Economy Strategy.
ACTION: DSB to provide the Digital Economy Strategy link to members
TSY noted that they are working on the rules development to broaden access arrangements to the CDR including reforms in relation to trusted advisors, insights and accreditation issues. An announcement was made by Treasury on 30 April 2021 on what policy positions have been reached and rules are being developed for formal consultation.
ACTION: DSB to provide link to the TSY announcement on the 30 April.
One member noted that the CDR Framework and Design Strategy Forum last Friday was fantastic. They noted that given where Energy is at now, it’s an interesting sector because it’s going through a huge transformation with renewables and different types of energy bills etc. They said that if you were to shop around today versus three years’ time, it would look very different and they think they need to bring renewables into it.
TSY noted that it does take time between the decision by Government to choose a sector, then designate and then apply. TSY said that during that time, there’s a lot of movement and energy is an excellent example of that and then taking into account sectoral assessments that are occurring which is an important part of their work. TSY is also doing a pre-sectoral assessment which gives them a snapshot of how different sectors are lining up and the consumer benefits or the options that may evolve during the course of the pre-assessment. TSY said being alive to the eco-system by having a regulatory framework that allows evolution and different data sets or factors that consumers can take into account will be supported by Rules that are as universal, simple and principles-based as possible.
TSY noted that in terms of the future evolution of where we get to with sectors, there is an important distinction between the data that’s required to be shared by data holders and voluntary data sets. TSY said they hoped the CDR will develop and evolve where competitive market forces incentivise data holders to share data on a voluntary basis. TSY stated that currently the designated data sets for the Energy sector do speak to some extent to the renewables issue, but as the sector develops they could look at a further sectoral assessment with an eye to increasing the mandatory data sets, but that won’t stop data holders responding to a desire from consumers for voluntary data sets and making them available under the CDR.
The Chair noted that as more data is available on a mandatory basis by consumers and we get increasing volumes, this operate vs initial implementation orientation in the CDR will take hold. He further noted that the consideration of operations, and enhancements, in the mandatory sense, as well as the maintenance piece, is going to become more important than it is today.
A member also noted that the primary goal of the CDR is that economy wide data sharing occurs safely. One of the barriers to more of those emergent data sets being shared is the running between privacy regimes. They said, you have the CDR privacy controls and you have the normal Privacy Act controls, which has a huge iceberg effect. But they said the CDR is like kryptonite in your legacy systems: once the data is in the system, it’s got to be accounted for throughout its lifecycle, which is at a different level.
They also noted that there are three points to the CDR: (i) get the data without screen scraping, (ii) how you do the consent and (iii) life cycle management. They hoped that point three “gets a serious look”. They asked that if you wanted to share data, why would they do it through CDR when they can do it any other way under the Privacy Act? Because they said there is a lot of prescription in CDR.
TSY noted in regard to the framework as a practical means and the regulatory consequences that flow and the requirements that apply fits in with the wider context. They need to think about the rules and the framework in the context of both the economy and from a sector specific perspective. TSY said the member’s point around privacy is an important and challenging one for them. TSY stated they were connected with a wider team whose work involves privacy, and they are keen to make developments taking into account the issues that they’ve worked through in CDR.
The member noted that price is a signal for sharing of data, and they wouldn’t preclude if there are some cases where TSY would have to make the data holder share as there is no other way, and there are other cases where Data Holders would voluntarily share to gain value from it.
The Chair noted that it is beyond privacy, because if you look at where the CDR is going on access and trusted advisors then basically the professional accreditation for the trusted advisor dictates the terms and conditions of which the data is used then by that advisor as they are outside the regulated space.
TSY noted that this is a good one for the Design Forum because it goes to the scope of the CDR and also the role of Government in terms of all data funnelling through one framework and as CDR sits within a broader data economy.
TSY noted that we are on an evolution here and when you think about when the CDR legislation was originally passed by Parliament there was no general Privacy Act review on foot, which is now occurring, and TSY will have to see where that process leads them and the implications for CDR.
One member noted that it needs to be broader than just CDR, as the CDR covers a lot of the consumer side of things but there are lots of customers outside of retail environments that share data very broadly across Government and private sectors. They noted that outside of the Privacy Act they have something like 150 company to company data sharing arrangements and they are very alert to what needs to be covered by the Privacy Act. It is about the expectation and common practice that certain types of information should be readily shared as it drives a lot of economic activity and better social outcomes. They noted that the CDR is certainly a huge contribution to that aspiration but it is very broad in terms of different use cases and types of information.
TSY noted that one of the key pillars of the digital economy strategy is setting up a national data strategy which is a very specific piece of work which will be led by the Department of Prime Minister & Cabinet (PM&C) over the coming months. They would encourage members to contribute to the broader discussion around developing a national data strategy, which will look at how CDR fits with government and private sector data sharing and the various Commonwealth, State & Territory Frameworks.
The Chair advised that the next meeting will be held remotely on Wednesday 9 June 2021 from 10am to 12:00pm.
No other business raised.
Closing and Next Steps
The Chair thanked the Committee Members and Observers for attending the meeting.
Meeting closed at 11:52