Data Standards Advisory Committee, Meeting Minutes

Date: Wednesday 10 July 2024
Location: Held remotely via MS Teams
Time: 10:00 to 12:00
Meeting: Committee Meeting No: 64

Download meeting minutes (PDF 2.81MB)

Attendees

The Chair thanked the DSAC Members for their comments on the Minutes from the 12 June 2024 meeting. The Minutes were formally accepted.   

Action Items

The Chair noted that the Action Items will be dealt with today. 

Forward Agenda

The Chair noted that a list of proposed topics that the DSB would present to DSAC members had been included in the papers. 

Digital ID Update

Nathan Sargent from the DSB updated the DSAC on the progress of the Digital ID Legislation and the Data Standards function and noted the interaction between CDR and Digital ID as a future focus. 

The DSB noted that the Digital ID Act which sets out the legislative framework for Australia’s Digital ID system is due to commence on 1 December 2024.  The Act builds on the Trusted Digital Identity Framework (TDIF) which operates as government policy on Digital ID and is owned by the Department of Finance. 

TDIF currently underpins Australia’s Digital ID system, which includes MyGov ID and has a voluntary accreditation scheme for public and private sector operators. The Act formalises the Australian Government Digital ID system (AGDIS) and sets a timeline to open up to private sector organisations, along with embedding privacy in consumer safeguards and strengthens the governance arrangements within the framework, including establishing the ACCC as the Digital ID regulator and expanding the role of the OIAC.  The Act also creates a new role of Digital ID Data Standards Chair with requirements to make and review Digital ID Data Standards both relating to Digital ID accreditation and technical requirements for participation in the AGDIS of the Australian Government system.

The DSB noted that once the legislation commences in December, the responsibility of the Digital ID Data Standards will come to the Data Standards Body.  The policy lead for Digital ID sits with the Department of Finance, who have been consulting on accreditation rules and standards and the AGDIS standards.

The initial version of the data standards will be made by the Minister for Finance as the Digital ID Data Standards Chair, with the expectation that the finance minister will appoint a new Digital ID Data Standards Chair to make and review the Digital ID Standards after the scheme commences. 

The DSB will be working closely with the Department of Finance over the coming months around governance arrangements and processes that will need to be applied when they take on the standards. The DSB expects the interaction between CDR and Digital ID to be an increasing focus for both the DSB and for CDR standards.

One member asked if the Data Standards Chair will also have the responsibility of Chairing the Digital ID Data Standards?

The Chair confirmed his current term terminates on 1 March 2025 and the recruitment process for the Data Standards Chair has just kicked off.  The role comprises of two statutory appointments under the CDR and the Digital ID schemes and will be undertaken by a single Data Standards Chair. 

One member raised concerns that private operators of digital ID systems are going to be more important to CDR than the government users within the AGDIS. 

The Chair noted they have been careful in the standards not to set standards for what they describe as “competitive” or in the “innovative space”. They have also not defined how people should deliver their use cases. 

The DSB noted that there is a pathway to allow private entities to become or be incorporated into AGDIS, and whilst there are federations operating outside of the AGDIS, in the future it’s not envisioned to be only a wholly government scheme. 

One member noted that there is benefit for private sector identities to participate in AGDIS. They are looking at what is required to become TDIF accredited.

One member noted that they are part of the Connect ID solution which is an identity service provider, and they are very supportive of having choice.  There is also a strong need for interoperability around the user experience and that it is frictionless and painless. 

Deceptive Patterns Landscape Assessment Report

Nathan Sargent from the DSB provided an update on the UniSA (Landscape Assessment of Deceptive Patterns, called Patterns in the Dark (circulated out of session on 19 June).

The DSB noted the landscape assessment report is a literature survey and is general in nature rather than being specific to the CDR.  It sets out a definition of dark patterns and provides a taxonomy for how we might be able to consider and classify dark patterns. Dark patterns are relevant to the CDR, and the data standards, because they have the potential to undermine informed consumer consent, consumer control and autonomy.

The next step after seeking DSACs input is to publish the report to inform the broader thinking on dark patterns.  They noted the feedback already been provided on the report. This feedback has been forwarded onto UniSA for consideration.

The DSB has also invited UniSA to present more broadly on the project at a future DSAC meeting. 

One member noted that they were concerned that the report appeared to take a limited view dark patterns and doesn’t take into consideration what’s already regulated, what other jurisdictions are doing and what it looks like for Australia.  They believe that dark patterns should be front, and centre of the work considered within CDR.   

One member would like to see us looking at dark patterns that exist in the CDR space and also look at how the rules and standards can play into that.  They have identified some existing dark patterns in the rules, standards, websites and apps which they are willing to share.

The Chair invited the member to present a list of existing dark patterns, particularly around the standards, and agreed to include this on the agenda for the next meeting.

ACTION:  Member to provide an update on dark patterns identified in the CDR at the next meeting.

One member asked for an update on the progress of the second report that UniSA is due to deliver. 

The DSB noted the second report had been completed. This tests the CDR legislative framework against the 157 dark patterns that were identified in the report.  The DSB is currently reviewing the report and may be in a position to circulate it to the DSAC in future.

The Chair noted his support for the second report to be shared with the DSAC for their feedback.

Working Group Update

A summary of the Working Groups was provided in the DSAC Papers and taken as read.

Technical Working Group Update

A further update was provided on the Technical Working Group by Mark Verstege: 

The DSB noted that the InfoSec and NFR Consultative Groups are nearing the end of their trial period, and they are conducting retrospectives to gather feedback and propose next steps.  The trial period will be extended for a further 6 months. 

The InfoSec Consultative Group has been reviewing the draft standards for authentication uplift, the CDR ecosystem-wide threat model, the waterfall authentication approach, and app2app support for the CDR. When considering the threat-model they will also consider dark patterns.

The NFR Consultative Group has been looking at the issues and solutions for reducing the number of calls and data transfers between data holders (DHs) and data recipients (DRs), especially for low velocity data in the energy sector. They are also reviewing the NFR requirements for the CDR ecosystem, the performance testing framework, and the service level objectives for the CDR, and will provide feedback to the DSB.

They will provide an update on the retrospective and key outcomes from the groups at a future meeting. 

One member suggested that dark patterns should be incorporated into the existing ways of working, such as the assessment standards framework and the CX guidelines. They also expressed interest in seeing the CDR threat model that the InfoSec group is working on, and how it covers different aspects of security, privacy, and dark patterns. Additionally, they asked for versioning control of the changes to the standards and guidelines, especially for dark patterns and operational enhancements, and suggested that the waterfall authentication approach should be aligned with the CDR ecosystem-wide threat model.

The DSB noted that dark patterns cross both the CX and Technical Working Groups (including InfoSec) and they will need to work through and consider factoring that into the authentication uplift. 

The Chair noted that there needs to be a clear delineation between the Technical & CX Working groups and they will need to work out who will lead the work and the involvement required.

One member asked in terms of the NFR Group with enduring consents, is the group looking at how they capture data? 

The DSB noted the group has been talking about that in the context of low velocity data and looking at tactical changes that they can support DHs; ensuring DRs get the data that is current; and other strategic changes.

The DSB suggested reaching out to the member for a follow up conversation around enduring consents. 

ACTION:  DSB to reach out to member re: enduring consents

The Chair asked the DSB if the CeDRIC initiative is ready to present to the DSAC?  The DSB agreed to present at a future meeting. 

ACTION:  DSB to present CeDRIC to the DSAC at a future meeting

One member raised two issues related to the NFR Consultative Group. They suggested reducing the number of calls by ADRs to certain energy data and implementing a push notification mechanism. They also raised concerns about the cost and complexity of implementing the last customer change date (LCCD) requirement.

The DSB acknowledged the members concerns and offered to follow up with them to discuss the issue further. They did note however that they haven’t got to the point of publishing a Decision Proposal and there are no draft standards, but they would welcome a discussion around this.

ACTION:  DSB to reach out to member to discuss their concerns around LCCD

Consumer Experience (CX) Working Group Update

A further update was provided on the CX Working Group by Michael Palmyre: 

The DSB has been working on the consent review for draft rules and draft standards which are currently with the CDR agencies for review along with operational enhancements.  They have also previously published a Design Paper on the consent review looking at standards being considered in relation to dark patterns.  This paper did not outline proposed standards in relation to dark patterns due to broader considerations like unfair trading prohibitions and the Privacy Act etc.

The DSB published the Account Origination Report which explored how the CDR might enable mortgage refinancing, which involved participation from accredited data recipients (ADRs), DH’s and LIXI.  They are also in discussion with LIXI about leveraging a subset of the existing LIXI standards which will be made freely available to CDR participants.

The DSB have been working on Maintenance Iteration # 19 and updates on the CX Guidelines including from a consortium of accountants that have shown interest in trusted advisory disclosure consents and collection of consents and authorisation amendments to clarify how they operate for ADRs.

In terms of the InfoSec Group, the CX have been working on the waterfall authentication approach with a focus on how app2app could be supported in the CDR.

With Digital ID on the agenda, the CX team have also been looking closely at how that and CDR might interact together, doing journey mapping for Digital ID and understanding what a use case might look like if those two initiatives were brought together.

One member asked when will the consent review proposal be released? 

The DSB noted that they cannot publish the consultation ahead of the rules but it’s currently with TSY for the Ministers consideration.

TSY confirmed that they are expecting the rules to be released for consultation in the coming weeks.

One member asked if any rules have been made for enforcement as one of the big problems with DRs is with non-compliant CX flows that get reported to the ACCC. 

The DSB noted that the question of enforcement and how this is undertaken is one for the ACCC.  

One member noted that versioning control of the changes to the standards and guidelines would be useful. 

TSY noted that there will be a short paper that steps through what was consulted on previously and where the final rules have landed to help stakeholders understand exactly what has changed and the rationale for evolving the positions where they have changed.

Stakeholder Engagement

A summary of stakeholder engagement including upcoming workshops, weekly meetings and the maintenance iteration cycle was provided in the DSAC Papers, which were taken as read. 

Items raised by Members for discussion

No items were raised by Members for discussion. 

ACCC Update

General Update

Verushka Harvey, the General Manager of the Solutions Delivery & Operations Branch of the CDR Division at the ACCC provided an update as follows: 

The ACCC published a fact sheet for participants on CDR outsourcing arrangements and a knowledge article on their expectations of participants when recording and reporting on CDR consumer complaints. They have also published the June edition of The CURB which is their compliance update and regulatory bulletin.

They have had five new representative arrangements notified to ACCC in June (2 x Basiq and 1 x Yodlee, Fiskil and Adatree) with two ending (Adatree and Yodlee). Ovo Energy was activated as an energy DH and Biza was activated as a DR.

They have also made changes to the CDR website which includes the ability to browse, filter and search by brand on the public facing register to allow consumers and participants to carry out more relevant and meaningful searchers.

To improve data quality and ensure compliance with the latest version of the CDR rules, they have implemented field validation in the rack and made compliance updates to the Rule 9.4 reporting forms for ADRs and CDR representative principal.

March 2024 Interim Report Update

Bella Di Mattina-Beven & Maddy Ransley from the Digital Platform Inquiry Team at ACCC provided an update on the March 2024 Interim Report. This is the 8^th Interim report of the Digital Platform Services Inquiry, focusing on data products and services and the evolving nature of the data broking industry.

The presentation included insights into how data is generated, collected, and shared, shedding light on the complexities and practices within the industry.  Concerns were raised about consumers' lack of awareness regarding data collection and usage, emphasizing the need for greater transparency and control.  

The report touched on the competitive dynamics between data firms, noting the potential for restrictive data access to hinder competition.

The report underscored issues related to consumers' inability to exercise meaningful control over their data, leading to potential discrimination in service offerings.

It was noted that the complexity of privacy policies often prevents consumers from fully understanding how their data is utilised, limiting their ability to make informed choices.

The Chair noted the report looks useful for market scan and background information but wondered if there were risks, threats and follow up actions were included in the report.

ACCC noted that the Government directed them to undertake a 5-year enquiry and produce 6 monthly reports which they have done on a variety of topics. 6 months is not sufficient time to issue a draft report and consult properly on the changes, but the point of the report is to shine a light for people who aren’t familiar with these products and services and how they work.

One member noted that the interim report was solid work and great analysis. He also expressed concern that it might be misleading if presented without the counter arguments around the benefits of data products and services for consumers. They reiterated the need to communicate and educate consumers about CDR and what good use of data looks like.

One member observed from the report that many government data sets are related to individuals, and this raises the question of whether those data assets should be held to a higher standard or be included in the CDR. 

One member asked if the ACCC have a focus on what they’re going to do with the data.

The ACCC noted that they don’t have a direct plan, but they have passed it to TSY and been involved in various discussions.

Treasury Update

Anna Nitschke, Director of the Markets Conduct and Digital Division at Treasury to provide an update as follows: 

TSY noted that the Government has committed to passing the Action Initiation Bill in August. In terms of next steps, a big focus is how they can use experimentation to progress actions a little faster than possible under the framework. They are thinking about voluntary approaches and one of their immediate priorities is energy switching. 

The Assistant Treasurer Stephen Jones MP will also be making a speech on the CDR on the 9 August at the CEDA Conference.  The speech will map out the future direction and plans of the CDR and will touch on the strategic assessment work, Digital ID and privacy etc.   

The Chair noted that he understands that the Minister is keen for input on the speech around use cases and practical application of CDR and encourages members to provide relevant use cases to TSY.

One member asked about the energy switching use case for action initiation and whether that experiment is going to be a desktop walkthrough.  They are interested in engaging with TSY and DSB on the scoping and potential risks of the energy switching experiment for action initiation.

TSY noted that the scoping is still to be determined but the objective is finding a way to enable that under the existing framework noting there’s a lot of work still to be done.  However, the Assistant Treasurer is keen to move faster on use cases that have significant benefits to consumers. They will be looking to engage with industry participants with this piece of work.

One member noted staff movements in the Assistant Treasurer’s office asked who the new CDR Advisor was?

TSY noted that the relevant adviser was still in the office and that they will advise the DSB of his replacement when known. 

The member was concerned about the recent authorised deposit-taking institution (ADI) report which included a lot of incorrect, out of context, and misleading information.  Whilst the Government has committed that the Action Initiation Bill will be passed in August, what in a practical sense does that mean? 

TSY noted that following the last budget, it won’t be implemented within the two-year funding period, but they would continue to do policy work.  They agreed to come back with a broader update at the next meeting on how this all-fits in.

ACTION: TSY to provide an update on Action Initiation at the next meeting

One member asked about the processes TSY have in place to ensure that there is a scams, fraud and financial abuse lens placed on all the different actions that will be considered moving forward.

TSY responded saying that they have not scoped the experiments yet, and still to determine the parameters and which stakeholders are involved. They have to go through a range of processes before they can declare an action or turn actions on, and they are focused on thinking about privacy impacts, consumer impacts and risks like scams and fraud. 

One member attended the CDR Summit last week and Lisa Ibarra, the Head of Innovation & Open Banking Lead Payments NZ mentioned that they originally considered eight consumer access models and cut it down to three. They noted if we followed that approach we could cut 60 to 70% of the rules out as it would be far simpler and asked if TSY are looking at what New Zealand is doing to simplify our ways of working? 

TSY noted that they are engaging with their New Zealand counterparts, who are still in the early stages of developing their framework. NZ are looking at the Australian model and other international models and are keen to align with Australia where possible. They are also considering some of the advantages New Zealand has, such as relying on their Privacy Act instead of separate privacy protections. A consultation paper is planned for later this year, and they will keep the DSB, and the CDR community informed of any developments.

Meeting Schedule

The Chair advised that the next meeting would be held remotely on Wednesday 7 August 2024 from 10am to 12pm. 

Other Business

No other business was raised.

Closing and Next Steps

The Chair thanked the DSAC Members and Observers for attending the meeting. 

Meeting closed at 12:04