Minutes - 13 Oct 2021

Data Standards Advisory Committee, Meeting Minutes

Date: Wednesday 13 October 2021
Location: Held remotely via WebEx
Time: 10:00 to 12:00
Meeting: Committee Meeting No: 36

Download meeting minutes (PDF 237KB)

Attendees

Chair Introduction

The Data Standards Chair (Chair) opened the meeting and thanked all committee members and observers for attending meeting # 36. 

The Chair noted that it has been another very busy month for the Data Standards Body (DSB) with the release of version 1.11.1 of the Consumer Data Standards and thanked the committee for their review of the Decision Proposals that are progressing well in the development of the candidate standards for energy. 

The Chair noted that we have onboarded Peter Nowotnik as Digital Producer, Ashwin Karad as Technical Writer, and Diana Runkle as CX Researcher in the DSB, which is part of the planned capability uplift.  The DSB also look forward to welcoming additional members to their team in the coming month. 

The Chair noted that the Data Standards Advisory Committee (DSAC) Design Challenge Consultative Group which comprises of Barry Thomas (DSB), Melinda Green (Energy Australia), Jill Berry (Adatree) and Claire Schwager (OAIC) had their first meeting on 22 September with a follow up meeting scheduled for 15 October.  He invited any members who would like to join this group should reach out to the DSB. The group has been set up to consider the ongoing challenges of attracting and supporting smaller entities and consumer groups into the standards design process. 

The Chair noted that there are some changes to the membership of the DSAC.  Firstly, and with some sadness, he would like to farewell Lauren Solomon from Consumer Policy Research Centre (CPRC) who was one of the inaugural members of the committee. He thanked Lauren and the CPRC for their commitment to the Consumer Data Right (CDR) and for everything they’ve done in the DSAC including the research papers, and in particular the one on consent, and how they operate amongst the vulnerable customers in our country. 

Lauren Solomon thanked the Chair for his leadership of the DSAC and the constructive dialogue we’ve been able to have. She said it’s humbling to be able to participate in such an important policy process, and if the CDR is designed well, it’s got a significant opportunity to improve the wellbeing of consumers. She wished all the very best to the committee.

The Chair welcomed Chandni Gupta who is the Policy and Program Director – Consumers in a Digital World at the CPRC and invited her to say a few words.

Chandni Gupta explained that she started at the CPRC around three months ago. She has worked previously at the Australian Competition and Consumer Commission (ACCC) with online product safety and prior to that she has worked at the Organisation for Economic Co-operation and Development (OECD) leading the policy development for product recalls and also looking at the interconnectivity between the safety and security of online products.  She said she is really looking forward to working with the committee and contributing from here forward. 

The Chair noted that Nigel Dobson from ANZ is stepping down due to recent organisational changes and Richard Hough is the new ANZ DSAC member.  The Chair thanked Nigel for bringing a whole different approach to the ongoing operational governance and maintenance of the regime not just the build of it. 

The Chair noted that Andrew Cresp from Bendigo and Adelaide Bank has decided to step down due to ongoing clashes with existing commitments. 

The Chair also welcomed Claire Schwager the Director of the Regulation and Strategy Branch as the new OAIC Observer. Claire is replacing Shona Watson who is going on maternity leave. 

The Chair noted that the DSB will be reaching out to members for their mailing address. 

ACTION:  DSB to reach out to members for their mailing address

The Chair noted that Paul Franklin and Daniel Ramos from ACCC are apologies for this meeting. 

Minutes

The Chair thanked the DSAC Members for their comments and feedback on the Minutes from the 8 September 2021 Advisory Committee meeting.  The Minutes were formally accepted. 

Action Items

The Chair provided the following update in regard to the Action Items: 

The Item for ACCC to present on how the CDR system is working is still outstanding and the DSB will follow this up arrange for ACCC to present at an upcoming meeting. 

ACTION: DSB to follow up with ACCC in terms of their presentation on how the CDR system is working

Working Group Update

Technical Working Group Update

A further update was provided on the Technical Working Group by James Bligh and Mark Verstege as follows: 

The DSB noted that they have been sending the DSAC lots of Decision Proposals for final review which is part of the process as they head to the 1st of November to have candidates’ standards for energy.  They have two open consultations which close on the 22nd October and working through the final decisions for the ones that have closed.

The DSB is also anticipating version 1.12.0 of the standards, which will incorporate the energy decisions, to be published by the end of this week. This version will include Decision Proposal 191 – Retailer to AEMO InfoSec Profile, Decision Proposal 193 – Energy Non-functional Requirements and Decision Proposal 208 - Binding NFRs change. 

The DSB will start work on version 1.13.0 which will incorporate the end points into the main standards.  Up until now, the work the DSB has been doing on energy standards has been separate so this work is not confused with the main standards.  The DSB are also working on incorporating and translating the register standards from the existing published site that has been maintained by ACCC over to the main standards site and a decision on this consultation will be sent to members shortly. 

The DSB noted that with the Maintenance Iteration, the DSB are looking at an uplift around digital wallet support for companies like PayPal but making that agnostic across all data holders (DHs) and to make product reference data (PRD) more feature rich. They are also looking to extend the Maintenance Iteration by about four weeks which will allow them to incorporate energy within the maintenance cycle and be able to consult on the backlog which will then take them to end of the year, allowing a shutdown over the Christmas period, and recommencing in February. 

The DSB noted that on InfoSec, they are progressing well with Decision Proposal 209 – Transition to FAPI 1.1 Advanced Profile, which was the first recommendation out of Decision Proposal 182 – InfoSec Uplift for Write. The DSB are also making sure they have alignment for the energy obligation dates for next year so there’s build certainly around the information security profile and now that v3 rules have been completed, they will be doing a consultation around accredited data recipient (ADR) to ADR security standards.

The Chair noted that Maintenance Iteration # 9 will be the last for the year and the consultation process will pause from mid-to-late December through into January in recognition that this is a period of significant leave and system freezes and upgrades that happen in January. 

The DSB noted that with the transition of the register standards the DSB are now consulting on minor changes to the register standards, with the support of the ACCC, in the Maintenance Iteration.

One member asked in terms of the future road map, is there any early thinking of the timeframe for transition to FAPI 2.0?

The DSB noted that they laid out the intention in Decision Proposal 182 – InfoSec Uplift for Write. The feedback the DSB has received was to universally determine the migration plan to FAPI 1.0 first, noting that Data Standards are on a implementers draft from 2018.  The work is not substantive, but it does need to keep in mind that the CDR is a live ecosystem.  The main challenge is for transition without breaking things.  The main aim of the DSB is to get to FAPI 1.0 and then the DSB will consult on the transition thereafter.  The DSB noted that FAPI 1.0 is about 80% complete on the journey to FAPI 2.0 as they have already adopted Pushed Authorisation Requests (PAR) which is one of the most significant foundations of FAPI 2.0. 

The Chair noted that the DSB work is about coming from the 2018 implementers draft to FAPI 1.0 and we wanted to send a signal to the community that we are heading to FAPI 2.0 and the details in Decision Proposal 182 – InfoSec Uplift for Write outlines this. 

The DSB noted that they would like to emphasise that the decisions that the Chair make indicate from a strategic perspective, that we will be adopting the ritual authorisation mechanisms (RAR) direction. 

The DSB noted that FAPI 1.0 is the most significant InfoSec consultation the DSB have done, which is cross sector. The DSB gave consideration about the sequence, which will simplify and reduce the costs of implementation for energy retailers, and it will allow them to adopt an out of the box complaint FAPI solution.   

Consumer Experience (CX) Working Group Update

A further update was provided on the CX Working Group by Michael Palmyre as follows: 

The DSB noted that one of the major milestones was the publication of Decision Proposal 213 – CX Standards | Energy Data Language Standards which closed on 22 October.  The DSB encouraged DSAC members to provide feedback via GitHub. 

The DSB noted that one interesting concept that came out of this, was to provide an additional description to help provide a bit more completeness when it comes to descriptions of data. The DSB are consulting on whether or not it should be mandatory.  The DSB said this is due to the lower levels of data literacy for the energy sector compared to banking.

The DSB noted that the making of the v3 rules has brought some work for them as outlined in Noting Paper 207.  The DSB will be conducting research on joint accounts, which will be consulted on in DP162.  Research is also planned for trusted advisor and insight disclosure consents for insight disclosure consents, in order to establish how accredited persons can meet the requirement to explain CDR insights to consumers and for trusted advisor and insight disclosure consents, and to ensure that consumers are aware that their data will leave the CDR ecosystem when it is disclosed.

The DSB noted that in terms of profile scope in response to issue 404, which identifies a gap between technical and CX standards for the profile scope. A decision proposal is currently being reviewed and finalised and will be published for consultation soon. A placeholder has been created in DP216.

One member asked about any CX Guidelines changes for the implementation of the CDR representative model.    

The DSB noted that they have existing guidelines on outsource service providers and they’ve also received requests for adjusting them to provide guidance on CDR reps and the sponsors affiliate model. The DSB are working on this and they will be making a recommendation to consolidate a lot of the disparate information, according to the expectations from the research, and making it clear what is a requirement compared to a CX recommendation. 

Another member asked how do you intend to carry out research in terms of making sure that the DSB strike the balance with app developers or FinTech’s providing the most optimal frictional experience versus what the consumer expects to see? 

The DSB noted that using insights and trusted advisers, for an example, there is no real requirement to follow a different process for that flow.  The DSB are working on information to describe the insight and trying to strike the balance in making information accessible without introducing additional cognitive load and they intend to conduct a workshop of this.    

One member asked in terms of the research and the actual informed consent, ‘will they be looking at not just sharing, but also so that the consumer understands that once the data leaves the CDR and what that means’? 

The DSB noted that there are two aspects to the CX standards for insight disclosure.  The first one is about explaining what the insights might reveal or describe and the other one is the disclosure. The DSB have a range of options for the insight description. The DSB explored a number of things and the only thing that made sense to them was to add a description of a realistic example of what it might look like.  For the disclosure notification, which is the other aspect after you disclose it, this is open at the moment and they are trying to find the balance between causing too much aversion to doing that but making sure someone is informed of what is happening. 

Stakeholder Engagement

A summary of stakeholder engagement including upcoming workshops, weekly meetings and the maintenance iteration cycle was provided in the DSAC Papers and was taken as read. 

The Chair noted that interesting we have had 2100 unique users in the CDR Support Portal over the last month, and nearly 600 over the last week.  The Chair said the Support Portal is proving to be a very useful tool and is attracting increasing numbers of unique users but also access of those users in the process. 

Issues Raised by Members

CDR Regime Performance

The Chair welcomed John Harries and Sanjave Walia from Westpac who presented on the “Open banking implementation – from a data holder’s perspective”. 

John Harries thanked the Chair for the opportunity for Westpac to present to the DSAC. He noted that he has been involved in the CDR since early 2020 and has kept the sponsorship of the implementation of the CDR reforms and Open Banking in his capabilities.  He noted that Sanjave has been the Program Director since the start.

Westpac wanted to acknowledge and thank ACCC and Treasury for the clarity around governance, which they said had been good, and the Working Groups for providing context that helped them internally to brief their peers, senior managers, group executive so that they understand the wider remit.

Westpac noted that sessions like this are important and sharing their experience on how things can operate better will ultimately benefit consumers and businesses that use open banking. 

Westpac noted that given the timeframes, the development of the CDR regime and ecosystem has been a massive achievement.  It is important to recognise that we are firmly in the build phase of the CDR ecosystem and there is still material requirements to come. 

Westpac then provided their presentation which included the “Highlights” and “Challenges / opportunities”. 

Westpac noted some key points during the presentation:

• The open and transparent engagement between Treasury, ACCC and DSB through the rules and standards development helps provide a solid foundation and reduces the amount of rework
• Westpac said they’ve seen more coordination between the rules and standard development; seen CX designs and prototyping earlier in the process; and more clarity around obligation dates around the standards which ultimately helps planning
• A lot of effort went into the initial data holder testing together which was a positive, but it is not scalable. Doing robust industry testing has a lot of benefits and has a strong correlation to the quality of the outcomes
• From a data holder perspective, information sits across legislation, rules, explanatory, memorandums, standards, guidance, noting papers, and the CDR support Portal etc. and collectively it’s a rich set of information but there are challenge stitching it all together
• Having a structured cadence of developing back log of change requests and the prioritisation and moving to a more coordinated and defined release cycle
• Need to have due consideration to implementation guidelines when it comes to backlog grooming
• Having early engagement with security vendors to ensure they incorporate the security standards into their products well ahead of implementation obligation dates
• Making sure that the tools that support quality like the CTS and the mock registry have the opportunity in advance of implementation to incorporate the new standards
• The CTS has a lot of value, but it’s limited in scope. Having a more comprehensive testing regime for onboarding new participants is important moving forward
• Advocate to look at historical issues around common defects being raised through the JIRA ecosystem and the CTS covers that moving forward
• The ACCC’s JIRA tool is a good start, but the functionality is pretty basic and quite challenging. There is an opportunity to look at how we can support capturing better information and reporting 

One member asked in terms of operational governance and report, how do Westpac capture information and leverage that for their own internal reporting?

Westpac noted that in terms of performance of the system, they do a lot of monitoring and measurement of how their systems are performing and they have operational dashboards which also feed into management information reporting.  In terms of the JIRA ecosystem, that’s not integrated, as it’s part of ACCCs tools and has limited capabilities to pull information. It is a manual process.

One member asked if there are any particular methods or artefacts that could have helped banking that energy should be thinking of now.

Westpac noted that it would be good for the support portal to link to the rule reference which gives traceability. 

The Chair noted that this is an evolving reform which has many elements and wondered if data holders have changed the way in which they’re monitoring governance and planning.  The Chair said it is a classic information management challenge, and it might be good to look at both sides i.e., inside the agencies and the data holders and to see the response which will be helpful to incoming sectors.   

One member noted that as a data recipient, they have the same conversation with different data holders about their interpretation of the standard and/or a rule. Having that published somewhere will help future data holders and future industries. 

The Chair noted that one of the challenges is that the DSB does not have access to the JIRA database, and they don’t see those issues.  The DSB are talking to ACCC about this and trying to resolve. 

One member asked if Westpac had any customer issues or a lot of calls for customer data? 

Westpac noted that they are in the early stages, but it is growing, and it will only take a couple of big cloud providers that could tip that scale.  Westpac said the key thing for them is how to anticipate the growth and plan for it. 

DSB noted that in terms of QA tools, the engineering stream is looking for choices and how they invest in that space.  The DSB would appreciate feedback from Westpac on what they think would help.   

The Chair extended this out to anyone who would like to provide feedback to reach out to the DSB.

One member noted that the CX team have provided a CX checklist which lays out key requirements and recommendations that is very useful. 

One member asked is we can look at different ways to work with government to support industry to be more agile and fit in to some sort of release schedule? 

The Chair noted that their first approach, as we get to additional sectors, is to preserve the universality of the standards and the rules.  In the case of energy, there are unique payloads and data holders that are not in the banking sector, but they are trying to keep those to an absolute minimum. In terms of timing there is a whole range of different timetables operating at the government level and we can only provide advice. 

Another member noted that having a fixed cadence that allows government timing to be wrapped into it, is preferred and very important.

The Chair wanted to clarify that it is the effective date that the standard is mandatory that is part of the fixed cadence, not when the work is done but when the change must be implemented. 

The DSB noted that they are bringing the register standards into the normal maintenance iteration which will decrease the number of releases across the register and standards as they will combined. 

Treasury Update

Kate O’Rourke, First Assistant Secretary CDR Division, Treasury provided an update as follows:

TSY noted that v3 rules were published on 5 October.  TSY have been delighted to see the positive commentary in relation to the rules changes and the momentum building in CDR. TSY has been watching discussions around emerging use cases, for example Adatree’s use case in this week’s press.

In reference to the Committee’s earlier discussion on the timing of rules and other changes, TSY noted there are often other factors relevant to timing considerations, particularly at the ministerial level.  TSY also noted that the timing of particular rules changes is often the subject of extensive submissions in the consultation process on those rules, with many case-specific submissions received. There is nonetheless a case for thinking about some form of cadence and TSY will continue to consider this issue from the rules side. 

TSY noted their interested in the work that the DSB, ACCC and OAIC are doing about v3 rules guidance, standards and CX and to see how it all comes together.  TSY said they are working on v4 rules for energy and actively working through the submissions on the telecommunication’s sectoral assessment. 

TSY noted that they are not at a point where they can provide an update on the Strategic Assessment and the Future Directions Report, but they look forward to providing an update soon. 

TSY noted the importance of the 1 November milestone, both the data sets for the major banks in the non-individual and partnership accounts, and the non-majors’ banks inclusion of phase two data sets. Both will be important for ADRs, as the ADRs are building out what they can use and what they can offer to consumers. TSY asked if there are any issues associated with the 1 November date, if members could bring them to TSY’s, DSB’s or the ACCC’s attention so they can help with it. 

ACCC Update

No update was provided at the meeting by ACCC.

The Chair did note that on the 1^st October, ACCC released the CDR Mock Data Holder with a CDR Mock Data Recipient solutions, published as open tools on GitHub, together with a CDR Mock Register previously released.  The Chair said these tools can be used by participants and vendors as reference implementations for testing their own solutions. 

Meeting Schedule

The Chair advised that the next meeting will be held remotely on Wednesday 10 November 2021 from 10am to 12pm. 

Other Business

One member noted that at a previous meeting there was a presentation on success metrics, and they think that is very important to measure, report and track them.  They have asked if this can be an action. 

The Chair noted that we have an open item with the ACCC to present as they are responsible for the monitoring and the performance so we will try and arrange that presentation for the next meeting.

ACTION:  DSB to reach out to ACCC to see if they can present at the next meeting

The member noted that 1 November is a line in the sand for data holders to start sharing. There is an alarming number of them that aren’t live and are there any plan to address this?

The Chair noted that he cannot provide exact details but does know that the ACCC are working very closely with vendors and the organisations that use those vendors on this. 

TSY noted that ACCC included in a recent newsletter their compliance and enforcement posture in terms of Phase 2 data sharing obligations for designated data holders.   

The member also noted in terms of a CDR communication and education campaign. With the recent media coverage in the mainstream news around the COVID hotspot alerts, they have noticed a lot of negative comments from conspiracy theorists, and it is really important now more than ever for a communication and education campaign about the CDR for consumers.  They asked, ‘is there anything happening in terms of this?’

TSY noted that they are progressing a procurement process for a broader communication campaign and are close to being able to select a big PR firm that will help drive a much more significant campaign style approach. TSY are also working across government to identify where they can join forces on supporting data literacy and digital literacy efforts.  TSY said this will be a significant effort for the broader digital economy, and they should be able to provide a further update in the next month. 

One member noted in terms of the campaign, that the CPRC have done a lot of research on digital literacy and on vulnerable customers, and if there is a way they can participate they would certainly be open to it. 

Closing and Next Steps

The Chair thanked the DSAC Members and Observers for attending the meeting. 

Meeting closed at 11:40