Minutes - 8 Jun 2022

Data Standards Advisory Committee, Meeting Minutes

Date: Wednesday 8 June 2022
Location: Frollo offices, 100 Mount Street, North Sydney 
Time: 10:00 to 12:00
Meeting: Committee Meeting No: 43

Download meeting minutes (PDF 237KB)

Attendees

Chair Introduction

The Data Standards Chair (Chair) opened the meeting and thanked all committee members and observers for attending meeting # 43.

The Chair thanked Frollo for hosting the Data Standards Advisory Committee (DSAC) meeting today. He noted that Tony Thrassis has been appointed the Chief Executive Officer of Frollo following Gareth Gumbley’s announcement that he is stepping down as the CEO. 

The Chair welcomes Tony Thrassis to the DSAC and noted that his term will be through to 30 November 2022, which aligns with the other members. He will be replacing Gareth Gumbley on the committee. 

The Chair thanked Gareth for his energy and insight that he’s brought to the DSAC and even more so for the success that Frollo has had in competing, operating and leading in the Consumer Data Right (CDR).

The Chair acknowledged the Cammeraygal people who are one of the people of the Dharug nation. He would like to acknowledge their custodianship of the land and acknowledge and respect their elders, past, present and those who are emerging. 

The Chair noted that it has been another busy month for the DSB with the release of version 1.17.0 of the Standards, version 1.16.0 of the Java Artefacts and updates of the CX Guidelines to accommodate the energy sector including guidance for offline customers.

There has also been a number of procurements including Thinking Cybersecurity to conduct an Independent Assurance Review of the InfoSec Profile; PricewaterhouseCoopers Indigenous Consulting to conduct an CX Artefact Accessibility Analysis; and the University of New South Wales to conduct research into the InfoSec Risk Framework. 

The DSB are adding a new member to the team in July.  The Engineering Lead will report to the Technical Team Leader and their focus would be around Reference Implementations and the provision of industry-grade open-source artefacts. 

The Chair welcomed Gayle Milnes, the National Data Commissioner to the meeting. Gayle has been appointed to implement the Data Availability and Transparency Act.  He has had meetings with Gayle to discuss ways in which the DSB can assist with the implementation of the scheme which oversees the data transfers and the data availability that the regime is required to facilitate. 

The Chair noted that Jill Berry (Adatree), Chandni Gupta (CPRC), Joanna Gurry (NBN), Stuart Stoyan (Advisor) and Glenn Waterson (AGL) are apologies for this meeting. 

Minutes

Minutes

The Chair thanked the DSAC Members for their comments and feedback on the Minutes from the 9 March 2022 Advisory Committee meeting.  The Minutes were formally accepted. 

The Chair noted that the DSAC were provided written updates on the DSB’s progress in April and May rather than forward looking and policy setting due to the Government being in caretaker mode. 

Action Items

The Chair noted that Treasury (TSY) has an action item to provide an update on the Consumer Campaign but as it’s too preliminary at this stage it will be carried forward to a future meeting. 

In terms of the October meeting, he welcomes feedback from committee members on whether a face-to-face meeting or remote is the preferred option. 

The Chair noted that ACCC have increased the maximum number of JIRA licenses per participant from 2 to 5 licenses, and thanked Paul Franklin for this.

Update from the National Data Commissioner

The Chair invited Gayle Milnes (GM) to provide an update on her role as the National Data Commissioner and her priorities. 

GM noted that it is great to be here today and she is keen to ensure alignment of the CDR and the DATA Scheme and make it easy for business and others across the community to understand the Australian Government’s initiatives to increase the availability and use of data. 

The DATA Scheme, established by the Data Availability and Transparency Act (the Act), commenced on 1 April 2022.  The Act establishes the National Data Commissioner to oversee the scheme and also the National Data Advisory Council to advise the Commissioner on the operation of the scheme. From 1 July 2002, the Honourable Senator Katy Gallagher, Minister for Finance, will be the responsible minister. 

The new scheme is a best practice scheme for sharing Australian Government data, underpinned by strong safeguards and streamlined, consistent processes. 

There are three types of entities that can participate in the scheme – Commonwealth government bodies; state and territory government bodies; and Australian universities – and three types of roles in the scheme: 

There are three types of roles in the Data Scheme: 

1. The Data Custodians” are Australian Government entities 
2. Under the scheme, “Accredited Users” can request access to the data 
3. The The “Accredited Data Service Providers” provide specialised data services such as complex data integration, de-identification and/or secure access data services to support data sharing projects; examples include the Australian Bureau of Statistics, or the Australian Institute of Health and Wellbeing.

By addressing legislative and other barriers to sharing Australian Government data, the DATA Scheme is focused on increasing the availability and use of Australian Government data to deliver better government services, policies and programs, and promote innovation.

For “Data Discovery”, the Office of the National Data Commissioner (ONDC) is working with Australian Government agencies to develop their data inventories. It is also building an Australian Government Data Catalogue to help users find data. 

“Dataplace” is a digital platform for scheme participants, and others, to manage data requests and support administration of the DAT scheme.

In terms of upcoming priorities, the scheme commenced on 1 April so ONDC’s focus is on standing-up the scheme.  From 1 June 2022 Government agencies can apply to be an Accredited User under the scheme, and from 1 August 2022 universities can apply.  Government agencies and universities can also apply to be Accredited Data Services Providers at this time. 

The ONDC is providing education and guidance for scheme participants and will consult on legislative instruments to support the scheme’s operation.  Dataplace is up and running and work on data inventories has commenced. 

Another priority for ONDC is collaborating with others to foster innovation and the data digital economy. This includes working with TSY and the DSB on the CDR. Areas for collaboration include data standards, noting the Commissioner can make Guidelines, which are legislative instruments about Data Standards, such as on data use and handling, which can set the ground-rules across the Australian economy; accreditation; and making Australian Government data available in CDR. 

One member noted that they are interested in access to Government Data for identification purposes, which is a significant issue globally with respect to fraud scams and identity takeover so they thought it was great to see this referenced. They also noted that a lot of the banks have been invited into the Australian Federal Policy (AFP) Joint Policing Cybercrime Coordination Centre (JPC3) Taskforce on cybercrime.  They are interested to see the protections the ONDC have in terms of sharing data. 

GM noted the DATA Scheme authorises the sharing of government data for three purposes only:

1. Government Service Delivery;
2. Informing government policy and programs; and
3. Research and development. 

Sharing is barred for compliance purposes. Some types of data and entities are barred from sharing, for example, for national security reasons. 

One member asked about data privacy.

GM responded that the DATA Scheme complements the Privacy Act 1988. Scheme participants are required to comply with the privacy principles. In limited circumstances, the DATA Scheme permits data to be shared without consent. 

One member stated that they would be keen to have a conversation about the Automatic Mutual Recognition (AMR) legislation because they believe it is a good use-case as its government data that could be consent / citizen driven.  They also see a big role for RegTechs supporting this scheme, not only for harmonisation with CDR, but also there are intermediaries operating in CDR that could be useful. They expressed a concern about wall-gardens when it comes to government data schemes, and they saw a role for participants in the CDR to participate in the DAT as intermediaries or providers.

GM noted ONDC was working with the Deregulation Taskforce on ways the DATA Scheme could support deregulation initiatives such as AMR, Modernising Business Registers and the Simplified Trade System. Other use cases include Closing the Gap and responding to national disasters. 

One member asked if the intent was to go through further scope designations where the scheme gradually gets extended to Australia wide?  Also what are the obligation on the entities that are included to participate.

GM stated there was no obligation on Australian Government agencies to share their data, but if they refuse to share, they are required to give reasons. One of the functions of the National Data Commissioner is to hear complaints and report on refusals of requests to share monitor sharing over time. 

One member noted that their organisation has a lot of data assets, which has a lot of interest from Government and Universities but their organisation does not qualify for the DAT. They said they understand the Energy Security Board is looking at ways to share information better with Governments, but they think there is an opportunity to leverage the DAT, which would be more efficient for their point-to-point interactions. 

In terms of scheme participation, this was something that could be considered as part of the statutory review of the scheme.

The Chair noted the nature of the risks in the data-transfers in the DAT and the CDR are quite different, and thanked GM for her presentation and if there is anything we can do that could help her in relation to the discussions with the Minister with some of the commonalities we are happy to help. 

You can view the latest information on the DATA Scheme here. 

Working Group Update

A summary of progress since the last DSAC meeting on the Working Groups was provided in the DSAC Papers and was taken as read.

Technical Working Group Update

A further update was provided on the Technical Working Group by James Bligh and Mark Verstege as follows: 

The DSB noted that during caretaker period a lot of work was done in the background with respect to the telco sector.  The DSB have a number of consultations on telco ready to go as soon as they are approved.  

The DSB noted that there has been a lot of activity around the Maintenance Iteration (MI) 10 as it supports the energy sector which is currently in implementation phase. MI 10 is the largest iteration the DSB have ever had, which led to version 1.17.0 of the standards.  MI 11 is underway and they are prioritising the energy sector.

In terms of Decision Proposal 240, the DSB noted at the March DSAC meeting there was a conversation around data quality issues including a proposal to consult on ADR metrics that could be a way for the data and the experience of the ADRs to voluntary make that available to the regulator or wider in a form that’s consumable. The DSB said this consultation was quite broad and had lots of questions rather than specifics, but the universal feedback was this was not a path that anybody wanted to travel.  In light of that, the DSB said it is not moving to a decision of the Chair and they have summarised the feedback on both the consultation thread and in the papers. 

The DSB noted that there were lots of good ideas in the consultation discussion thread on GitHub, in particular test accounts were identified as a real problem in the banking sector ecosystem in Australia because a test account being used in a production environment is a real account.  

The Chair asked the DSAC for any views on this as it seems that no participants supported the issue, which would have been a voluntary provision for Accredited Data Recipients (ADRs) in relation to Data Holder (DH) performance and data quality.  The Chair said this is in contrast with the concerns that have been raised at the DSAC in relation to incident management, DH to DR and vice versa.  The Chair expressed uncertainty, therefore, as to where the balance was in this regard.

One member responded that there are a small group of ADRs that are currently facing some challenges and real problems, but as more ADRs enter the system there will be a huge demand to triage and manage these problems, which will proportionately become more profound. They noted that this problem dovetails into how incidents are managed and assessed for the CDR. They said they are supportive of where the issue currently stands, but they think it will need to be looked at in the future when more ADRs come aboard.

The ACCC noted that the question of data quality is an important issue which they are taking very seriously. They identified two types of tools they have in order to deal with potential data quality issues, one being operational tools, including 24 incidents raised in JIRA relating to data quality since JIRA commenced in March 2021. The ACCC also receive specific complaints from time to time which they treat as compliance and enforcement matters, and for this they have a suite of compliance and enforcement tools. 

ACCC noted that there seems to be a bigger issue than those 24 incidents reflected and they are keen to receive more data from the ADRs.  The ACCC said there is no mechanism for consumers to say I’ve got my CDR data and it’s wrong.  The ACCC noted they need quality data in order to understand exactly the size and nature of the problem.

The Chair enquired what the process was to raise matters with the ACCC, and the ACCC replied that they had JIRA, but the ACCC then asked the DSAC members what they thought.

ACCC noted an issue reported of a generic response from some DHs to every card purchase as a ‘Purchase’ without containing the necessary merchant details for that purchase.  The ACCC said that once this issue is resolved by the relevant vendor, it may resolve a similar issue for a number of the non-major banks.

ACCC noted that they are about to launch the sandbox that participants will be able to use to test either against the mock-tools in a hosted environment, or for multilateral testing against each other’s solutions. The ACCC said they encourage participants to support testing with real, complex testing solutions and data that effectively represents the real world as this would go a long way to solving the problem of data quality. 

ACCC noted that they have seen comments on LinkedIn suggesting that the conformance test suite (CTS) could test payloads. The ACCC said that while they are continuing to enhance the CTS, they have some genuine doubts about whether the CTS will be able to deal with the variety of data and solutions that exists across the complex legacy environments in the banks. 

ACCC noted that the process for raising incidents in JIRA exists but noted that only 24 incidents have been raised regarding data quality. The ACCC stated they have increased the maximum number of JIRA licenses from two to five per organisation, and they are open to do whatever they need to do to better understand potential data quality issues and they would love to hear from ADRs. 

One member noted that the data quality problem is circular.  As an example, they said they cannot plug their consumers data into the Money Polls product because they cannot get that data on a drip feed basis. The member asked if, as part of the onboarding process, could an ADR be provided with mapping / guidance that says what is right, and what to be cautious about with a particular data set. They also asked if the ACCC could be an ADR in order to allow the ACCC to check data quality?

The ACCC responded that even if they established an ADR-like functionality for technical verifications purposes, CDR data can only ever be shared with the consumer’s consent. 

One member noted that the eco-system’s response to Decision Proposal 240 wasn’t of universal support, but DP240 was an effort to find a way to elevate this topic, although it wasn’t the ideal solution.  The member noted it was around how the ACCC gets evidence about the performance of a DH’s end-points. They said it would be useful to explore something more fundamental around the concept of legislating for DHs to provide production accounts that participants, in an open banking ecosystem could use. If that were available it would remove an operational burden upon ADRs who are currently creating test accounts with DHs in order to verify their service. They said it is a burden for banks and DHs and in the absence of any other production data access mechanism, it will continue to be an ongoing burden.

Paul Franklin noted that before the New Payments Platform (NPP) was launched there was a group referred to as ‘family and friends’ across all of the banks who were given access to test versions to make payments and see how it worked. He questioned whether a similar group in CDR could use existing tools to check their own CDR data in order to identity any data quality issues.

A member noted that this ongoing issue of data quality will come to a head when the CDR reaches a critical mass, which is probably when the major banks become significant ADRs, and therefore the volume and scale of the CDR data flows will also become significant. They said that when this materially impacts the CDR services of the major banks, the issue will become salient and would no longer be ignored.

Another member said that the benefits realisation work being undertaken by TSY is relevant to this conversation, but especially with respect to specific use cases, because this will require certain data in specific contexts.

Another member noted in regard to a previous discussion on release schedules with visibility via a calendar, that the DSB has put this in place, and the rigour of the process has materially improved, which is very much appreciated.  They noted that the CDR revocation endpoint change in version 1.17 varied from previous guidance to not just include some parameters but all parameters within the transition period.  They noted that this has become a breaking change for them as they are now in the transition period and they are hoping that the transition period will be extended.  They have already built the code, and it’s in their release path, but there is a real impact in either leaving it in or pulling it back out. It would be great to a have a similar timetable for the CTS release, as the CTS is not keeping pace with the Data Standards. They said they are currently testing future obligations in the CTS from the last release, which was January, but it’s failing against the new Data Standard, as they are not in sync.

The Chair thanked the members for their feedback and it’s a good reminder for the CDR Rules, Data Standards and enforcement how fine-grained this issue is because this is an area where guidance and the Data Standards varied right at the very end. 

The DSB asked the member whether they would like to expediate this change if it’s still an issue.

The member said they would just like the transition period to be extended so from the point that the additional criteria for all parameters was put in, it’s six months from that time. 

The Chair noted that under the Data Scheme and the legislation, the ONDC establishes Guidelines which are effectively the same as CDR Data Standards and Rules.  The Chair noted that the DSB also establishes guidelines, but the Data Standards guidelines have “optional”, “suggestions”, “may” or “could”, and one of the things the DSB could potentially do is align their language with the language in the DAT. 

Consumer Experience (CX) Working Group Update

A further update was provided on the CX Working Group by Michael Palmyre as follows: 

The DSB noted that there has been a lot of background work that’s been happening and in particular around telecommunications.  They said that pending the establishment of policy positions and timing, they have developed a draft roadmap for telco research, CX standards development and guideline design.  They also have some thoughts around data language standards, which is potentially a sector agnostic issue.

The DSB noted that in terms of the energy sector, they have published additional offline customer guidance covering the authentication flow, and an offline customer DH dashboard access example. The DSB said their research has concluded with the outputs being analysed. 

The DSB have also concluded some CX research for additional descriptions of energy data, which was raised in Decision Proposal 213 last year. This is also a component of the CX guidelines that they’re hoping to incorporate and is relevant to telco as it’s useful for information to be made available for those that seek it.

The DSB noted that the PwC’s Indigenous Consulting engagement is well underway in relation to the accessibility review of the CX guidelines and standards which is to understand current and emerging obligations relating to accessibility.  They said they have had seen some draft deliverables including a coded prototype which they are reviewing for accessibility.

Stakeholder Engagement

A summary of stakeholder engagement including upcoming workshops, weekly meetings and the maintenance iteration cycle was provided in the DSAC Papers and was taken as read. 

Issues Raised by Members

The Chair thanked all members who have tabled items for discussion at the meeting.     

Incident Management in the CDR Ecosystem

Rob Hale (RH) from TrueLayer talked about the ongoing review and enhancement of the incident management process in the CDR ecosystem.

RH noted that there are numerous objectives that CDR participants share. These include transparency, visibility, clarity of impact and timely resolution of incidents. This would help foster a more reliable and stable operating environment with more consistent service delivery. RH said if that can be achieved then consumers will like what they get, increasing conversion, adoption and participation.

RH noted that the CDR Incident Management system is used by the Register, ADRs, DH and the CTS who interact independently and log incidents in JIRA, which the ACCC manages.  RH said some key points of this system is that it’s managed by a single entity; has limited visibility for participants; the DSB has no visibility; there is subjective assessment; it lacks a Service Level Agreement (SLA); there is no escalation method; it is a manual process; it relies on participant goodwill and capacity; and it assumes participants are motivated to resolve the issues.

RH noted that CDR incidents impact consumers. Some key points are that they are unable to use a product or service and have an immediate need for action; they are frustrated because issues take too long to resolve and service providers can’t provide an ETA. While complaint processes exist, they are onerous so consumers look elsewhere and the CDR band and reputation is impacted.   

RH noted that CDR incidents impact ADRs. Some key points are that they have to deal with frustrated consumers who are often seeking immediate resolution, but they are unable to obtain or offer an ETA as they are reliant on DH collaboration, and are subservient to the DH’s timeline, which ultimately can damage the ADR’s brand as complaints are aimed at them. Servicing these requests is inefficient as they are dealt with asynchronously and require ongoing context switching between numerous open issues affecting multiple consumers and DHs.

RH also noted a third perspective of incidents – that of the DH. DHs are fielding numerous requests at any one time which also requires heavy context switching. Each ADR will have a different configuration and software application and engineers will be competing with other internal priorities. DHs are not obligated to respond to these issues and often face high complexity even trying to recreate issues, sometimes requiring the involvement of third-party providers.

RH suggested four themes on how we could improve it: 

1. Set expectations through defined operating principles;
2. Define an escalation process for portal incidents;
3. Incentivise all participants to respond to incidents; and
4. Ensure solutions can scale to meet future needs.

RH expanded further on each of these with specific examples and proposed that a working group of active participants and nominees from government agencies could be formed to work on this topic and make formal recommendations to DSAC.

RH suggested members should engage with the issue and suggested GitHub issue 509 could be used to provide feedback.

One member noted that they are completely supportive of having a working group look at recommendations as they are quite invested because the current process is not working.

The ACCC noted that they are very supportive of improving the process but they are not sure it is a DSAC issue.  The ACCC noted that there is no rule that imposes an SLA on participants, but the ACCC actively monitors and follow up incidents. Some incidents require technology changes to be implemented, and sometimes it’s a complex change.  If there is a production issue that prevents data sharing, the ACCC would expect the relevant DH to put in a production fix. The ACCC noted SLAs could be helpful but they need to find the right avenue to impose an SLA, potentially via the CDR Rules.

The Chair suggested that the ACCC may want to put a Working Group together on this as it needs a balanced approach and the DSB, TSY and DSAC members would be happy to participate.

The ACCC noted that they are happy to host the Working Group. The ACCC noted that there is an operational impact on the current arrangements because in the absence of a defined escalation path, and multiple escalation pathways such as via TSY, the Ministers office, or posts via LinkedIn and having a clear process would help both participants and CDR agencies.

One member noted that they’re happy to support it even though they are not a live DH as yet as it is hard to get the lessons of what existing DHs have gone through and they feel that energy is not well placed to do this because it is invisible to them. 

One member noted that their concern with any potential SLA would be an arbitrary timeline for everything, without a nuanced consideration of the implications for the ecosystem because of interpretation issues, which comes back to the Data Standards.

ACTION:  ACCC to provide an update on the configuration of Working Group at next month’s DSAC meeting

ACTION:  DSAC members to reach out to the DSB or the ACCC if interested in joining the Working Group

The DSB noted that they consult on the standards, but the mere fact that RH raised these strategic issues on GitHub, this is an indicator that there isn’t a public forum to raise pain that they are feeling.  With the establishment of the Working Group they would strongly recommend some sort of external input for people to have a voice as well.

TSY noted that they will ensure that the CDR program has the right number of CDR fora and the right people attending in order to address the right issues. 

The Incident Management in the CDR Ecosystem slide deck in included for reference. 

Treasury Update

Kate O’Rourke, First Assistant Secretary CDR Division, Treasury (TSY) provided an update as follows:

TSY noted that the CDR program falls within TSY portfolio and the Hon Dr Jim Chalmers MP is the Treasurer. There are three other Ministers within the portfolio - the Hon Julie Collins MP (Minister for Housing, Minister for Homelessness, Minister for Small Business), the Hon Stephen Jones MP (Assistant Treasurer and Minister for Financial Services) and the Hon Dr Andrew Leigh MP (Assistant Minister for Competition, Charities and Treasury). The Minister responsible for the CDR is Minister Stephen Jones.

TSY has had an initial briefing with the Minister Stephen Jones and he had a great level of interest and knowledge about the CDR Program.  It is expected that the CDR will maintain momentum and direction. 

TSY and the DSB published a Design Paper for CDR in the Telecommunications sector seeking input on the development of rules and standards to implement the CDR in the telecommunications sector.

TSY noted that they have also consulted on the CDR Sectoral Assessment for the Open Finance sector – Non-Bank Lending (NBL) and are reviewing the submissions. TSY said they are ready to provide further guidance and plan the next steps for NBL. 

TSY have been working on action and payment initiation which is an incredibly important part of the CDR future.  TSY noted that to implement action and payment initiation would require legislative change.

TSY are in the early phases of consultation on opportunities and benefit analysis around whether to include Government data sets in the CDR. The exploration of Government data sets was included in TSY’s CDR Strategic Assessment Report that was published on 24 January 2022. 

TSY noted that work has been progressing on the Statutory Review during the Caretaker period.

TSY noted that they have continued to work on benefits realisation and success measures for the CDR. TSY stated they would be keen to present on this at the next meeting in July.

ACTION: TSY to present on benefits realisation and success measures at the July meeting 

One member noted that Minister Hume’s portfolio was quite specific in terms of the digital economy strategy, but there are elements in the digital strategy, such as identity, which may not be addressed in these early days of the new Government.  They asked who they should reach out to in terms of that – TSY or via their government affairs team to get clarity. 

TSY noted that the Office of the National Data Commissioner and the Digital Transformation Agency are moving to the Department of Finance under Minister Gallagher. The Digital Technology Taskforce has been transferred to Department of Industry under Minister Husic.

One member asked what is the outlook on the CDR consumer campaign?

TSY responded that that work has continued on this, including further research but it will be a government decision on next steps.

ACCC Update

Paul Franklin, Executive General Manager ACCC CDR Division provided an update as follows:

ACCC noted that some of the early participants have completed their two-yearly attestations to the ACCC, and audits by the OAIC.  The ACCC will consider these responses individually and provide responses in due course. 

The ACCC have released new versions of the participant mock tools including a mock energy DH and updated the mock register and mock DR to include receiving energy and banking data. The ACCC said these tools are published free of charge to all participants.

The ACCC are on track to release the testing sandbox later this month, which will support the multilateral testing in the energy sector and also testing for other participants in banking who have moved to Financial Grade API 1.0 (FAPI).

The ACCC said they are looking at the processes within DHs for nominating business representatives.

The ACCC noted that NextGen.Net Pty Ltd and Skript Pty Ltd are now live ADRs and Way Forward Debt Solutions Ltd were activated as representatives of Basiq Pty Ltd.

Meeting Schedule

The Chair advised that the next meeting will be held remotely on Wednesday 13 July 2022 from 10am to 12pm.

The Chair also welcomes any feedback from the committee on whether we should hold one or two meetings a year face to face.

Other Business

No other business was raised.

Closing and Next Steps

The Chair thanked the DSAC Members and Observers for attending the meeting.  He also thanked National Data Commissioner Gayle Milnes for attending the meeting. 

Meeting closed at 12:10