Minutes - 15 Mar 2023

Data Standards Advisory Committee, Meeting Minutes

Date: Wednesday 15 March 2023
Location: Held remotely via MS Teams
Time: 10:00 to 12:00
Meeting: Committee Meeting No: 51


Attendees

  • Andrew Stevens, Data Standards Chair
  • Alysia Abeyratne, NAB
  • Prabash Galagedara, Telstra
  • Melinda Green, Energy Australia
  • Chandni Gupta, CPRC
  • Rob Hale, Biza
  • Peter Leonard, Data Synergies Pty Ltd
  • Drew MacRae, Financial Rights Legal Centre
  • Greg Magill, Westpac
  • Colin Mapp, Toyota Finance Australia
  • Aakash Sembey, Origin Energy
  • Stuart Stoyan, Fintech Advisor & Investor
  • Zipporah Szalay, ANZ
  • Tony Thrassis, Frollo
  • Barry Thomas, DSB
  • James Bligh, DSB
  • Ruth Boughen, DSB
  • Rob Hanson, DSB
  • Terri McLachlan, DSB
  • Michael Palmyre, DSB
  • Mark Verstege, DSB
  • Vaughn Cotton, ACCC
  • Steph Homewood, ACCC
  • Daniel Ramos, ACCC
  • Chad Batshon, OAIC
  • Andre Castaldi, OAIC
  • Emily Martin, Treasury
  • Kate O’Rourke, Treasury
  • Aidan Storer, Treasury
  • Luke Barlow, AEMO
  • Jill Berry, Adatree
  • Damir Cuca, Basiq
  • Chris Ellis, Finder
  • Deen Sanders OAM, Deloitte
  • Lisa Schutz, Verifier

Chair Introduction

The Data Standards Chair (Chair) opened the meeting and thanked all committee members and observers for attending meeting # 51.

The Chair acknowledged the traditional owners of the lands upon which they met.  He acknowledged their custodianship of the lands and paid respect to their elders, past, present and those emerging.  He joined the meeting from Cammeraygal lands.

The Chair noted that the Hon Stephen Jones MP was due to attend the meeting but was unable to due to competing priorities. 

The Chair noted that the Data Standards Body (DSB) and the Treasury (TSY) held a successful Action Initiation Workshop on 7 March, and that a number of issues were identified in relation to Action Initiation and those issues would need to be assessed and developed with responses put in place for both the Rules and Standards.

The Chair noted that Luke Barlow (AEMO), Jill Berry (Adatree), Damir Cuca (Basiq), Chris Ellis (Finder), Deen Sanders OAM (Deloitte) and Lisa Schutz (Verifier) were apologies for this meeting.

Minutes

Minutes

The Chair thanked the DSAC Members for their comments, and last-minute feedback on the Minutes from the 15 February 2023 Advisory Committee meeting. The Minutes were formally accepted.   

Action Items

The Chair noted that all Action Items would be covered off in this meeting or have been completed. 

The Chair noted that at this stage there was not a venue for the May meeting and therefore he may decide to proceed with this meeting virtually. 

Working Group Update

A summary of the Working Groups was provided and these DSAC Papers were taken as read.

Technical Working Group Update

A further update was provided on the Technical Working Group by James Bligh as follows:

The DSB noted that they are coming to the end of the first quarter for their Future Plan. They would welcome feedback from the DSAC on items listed in the next quarter in terms of advice and prioritisation. The next quarter will focus on telco, NBL and continuing with current consultations. 

The DSB noted in terms of the recent Action Initiation Workshop, they thanked all participants for attending and noted that a number of organisations were represented by the DSAC members. There was strong representation from the Fintech and ADR communities and telco, energy and banking data holders (DHs).  The workshop focussed on simple payments as they wanted to understand what the existing current state practices are for initiating payments and then action and payments. They would like to follow this up with a general Action Initiation Workshop to look at a broader range of actions that they can consider and then sense check some of the findings. 

The DSB noted that some of the common themes were around liability (from both a provider and a consumer) and fraud.  It was also good to validate that with payments there is a strong need for data sharing.  At the workshop they had ten different groups coming up with different use cases and throughout those data access and data sharing were a key component. 

The DSB noted that in the Future Plan, there are a number of items around information security that they’re aiming to address in the next quarter. In particular, they were looking at FAPI 2.0 and what foundational components they need to put in place prior to Action Initiation (AI) being designated so they have a strong and secure foundation in place well ahead of time.  They would be putting together a Noting Paper to consult on the landscape and to understand the key considerations and concerns with the intent to have a general awareness and roadmap to consult and build the standards around.

Consumer Experience (CX) Working Group Update

A further update was provided on the CX Working Group by Michael Palmyre as follows:

The DSB noted that the authentication work on Noting Paper 280 is progressing.  This would include working hypotheses for authentication uplift, prototypes and process flows, and a problem space description on support for the redirect with OTP approach in relation to offline customers in the energy sector.

The DSB noted in terms of AI and in conjunction with the workshops being conducted, there is internal CX research and analysis for a range of scenarios as they are trying to bring to life some tangible artefacts.

Stakeholder Engagement

A summary of stakeholder engagement including upcoming workshops, weekly meetings and the maintenance iteration cycle was provided in the DSAC Papers, which were taken as read. 

The Chair wanted to note in particular that the recent AI Workshop was a big first step with engaging the community on AI and how it will evolve and develop.

Issues Raised by Members

Consent authorisation improvements

Tony Thrassis from Frollo presented on the issue with incomplete CDR consents, why they happen and suggestions on ways forward. 

Frollo noted that they have completed a lot of work to understand what’s occurring and how to track consents and noted that 1 in 5 don’t complete.  They’ve conducted a survey with members looking at the reasons for consent failure and there are broadly three categories of why they were unable to complete their bank account linking: i) technical issues (52%), ii) couldn’t log on (38%) and iii) couldn’t select bank account (10%).

Frollo noted that the technical issues that consumers experienced were mostly around OTPs and included: i) error message – couldn’t continue (50%), ii) other (32%), iii) never got sent to the bank website (10%) and iv) linked my accounts but was never sent back to Frollo (8%).

Frollo noted that the reasons why they couldn’t log in to their bank accounts were very similar, for example: i) never received OTP or OTP didn’t work (44%), ii) error when trying to log in (32%), iii) other (18%) and iv) didn’t know bank login ID (6%).

Frollo noted that for not being able to select a bank account, the majority of these came down to transactions or savings accounts.

Frollo noted that resolving incomplete consents is difficult.  For a new consent they don’t get arrangement IDs if the consent does not complete. When they raise a JIRA ticket, data holders (DHs) ask for the customer ID or other identifying information but in most circumstances, they have none as the consent was not completed.

Frollo’s presentation was interrupted by Emergency Evacuation alarms and they were therefore unable to complete the final presentation slide on “Suggestions”. It was agreed that Frollo would share the presentation to the committee and finish the presentation at the next DSAC.

ACTION:  Frollo to complete the presentation at the next DSAC meeting

Financial hardship and data presentation

Drew MacRae from Financial Rights Legal Centre (FRLC) presented on financial hardships, data and the CDR as follows:

FRLC noted that the presentation focused on the concept and lived reality of financial hardship information (FHI) and how that interacts with data and the CDR.  This is a key issue for consumers and goes to the heart of whether the CDR will be to the benefit or to the detriment of consumers. 

FRLC noted that Financial Hardship is when you have difficulty paying your bills or loan repayments and not just a poverty issue; it can hit anyone at any time; 900,000 people experienced hardship during COVID with 429,000 home loans deferred; under credit law and other instruments, there are rights to hardship assistance. FRLC want people to access assistance before things get worse as a debt spiral can lead to bankruptcy, homelessness, mental illness, family abuse etc.

FRLC noted that people are reluctant to ask for assistance and we need to understand what a lived FH experience is like.  For example, it impacts you emotionally; people deny and avoid the problem, which can cause stress and anxiety which impairs decision making and results in riskier choices in pursuit of relief; it causes anger & depression which can ruin relationships; causes shame which exacerbates avoidance; and guilt which motivates people to seek solutions.

FRLC noted that other factors impacting decision making and behaviours include cognitive biases including optimism bias and imperfect self-control; and financial decisions are complex. 

FRLC noted that people reach out to them via the National Debt Helpline at the last minute; they are afraid to tell their bank etc because of discrimination; they don’t reach out to banks; seek solutions from the wrong places; and agree to anything and everything focussing on access to the solution.

FRLC noted that a consequence of reporting a FHI to a bank or utility is that your FHI is a data point i.e. a hardship indicator or flag on their systems. It is also a literal data point under the Comprehensive Credit Regime (CCR) and a data point which is inferred from bank transaction data.

FRLC noted that financial data can be used for the consumer’s benefit to provide assistance, prevent retelling and re-traumatising and leads to specialised services.

FRLC noted that it could also be used to a consumer’s detriment as it could lead them to being identified and being sold higher cost credit, sold inappropriate products, their information sold to data traders advertisers to sell these products and withdrawal or denial of a service.

FRLC noted that making sure people tell their bank they need financial assistance is the key, as a series of protections under the Credit Act, Privacy Act and CCR have been built that restrict who can share and receive; how long FHI is kept; can’t be included in credit scores and limits the use of FHI when known.

FRLC noted that these rules prevent landlords not renting to somebody who has experienced temporary hardship; energy and telcos potentially denying access or charging higher amounts; and price discrimination.

FRLC noted that this is important in the context of the CDR as the CCR protections improve confidence that consumers will seek help and FHI won’t be used against them; similar protections do not exist under the CDR; FH information could be used for a consumer’s benefit … or not; and it is more likely that FHI will not be used in their best interests.

FRLC noted that it is more likely that FHI will be used to sell higher cost credit via a comparison website or switching service; sold inappropriately, for-profit, debt solutions; sold to budgeting apps that don’t prioritise the consumer’s best interest; makes things worse; and potential for service denial or change once it is in (or out of) the CDR ecosystem.

FRLC believe that FH should be treated under the CDR with the equivalent CCR protections embedded in the CDR; not to rely solely on consent and disclosure; protections that ensure that best interest of consumer are built into CDR - rules to limit uses, extra protections for consumers experiencing vulnerabilities and a best interest duty. 

FRLC noted that the key message is that consumers need to know FHI will only be used to their benefit not to their detriment.

The Chair asked whether there are ways of putting protections in place that don’t undermine consent and disclosure in the regime, as the central element of consumer control is consent and to provide other protections and limits of uses would seem to limit the ability of potentially all consumers to consent.

FRLC agreed that consent and disclosure are important but there needs to be a realistic understanding that consent doesn’t work all the time. They believe there are some use cases that need to be considered for example selling you inappropriate products.

One member noted that they have had a lot of experience around CCR regime around hardship and one of the challenges is that you shouldn’t be acting to the detriment of the consumer, but what you then define as detriment, particularly around the denial of service.  They have asked what protections would be in place for a company or a service provider to act in their own interests, not to enter into what would be a loss-making arrangement where a consumer couldn’t pay for that service? 

FRLC understands that there are a number of protections in place under the code and individual companies also have their processes around FHs.  Once it starts entering the CDR world, you may be able to identify hardship which could be a problem but there are rules in place that you can’t discriminate against people. They recommend that you stick with your provider as you have rights.

The member also noted that there is an ongoing debate between service providers and consumer advocates around what a demand service is and what re-pricing for services.  If someone presents a higher risk, then in fairness they should be re-priced at a higher price. If an existing customer claims hardship, then the service provider needs to deal with that.

One member noted energy customers can access a safety net pricing, and they can go to a retailer to get supply from them, but there is not necessarily obligations for all providers to take them on as customers. They noted the protections are not perfect, but it is certainly something they are looking at.  They noted that there are a lot of proxies for having a hardship flag and in energy concession flags are part of it.  There is a lot of data that can be used in other ways, for example a half hour meter data shows a lot about someone’s lifestyle - there are no protections around that.  CDR opens that up in a far bigger way than ever before, and do we need new protections around that? 

The member noted that there are some other customer protections that are very specific to Energy.  There are broad consumer protections under Community Choice Aggregation (CCAs) which allows a lot of space for whether it’s hardship customers or general customers. ACCC looked into this but CDR is another avenue where this can be potentially exploited and something to think about.   

FRLC noted that some of these issues can and should be dealt with in each sector, but he thinks with the CDR opening the space up for new players, it’s incumbent upon the CDR to do this. 

The DSB noted the negative use cases and the harm that can be caused, and they’re cognizant of it when defining the standards. Is there a role for the CDR in helping people in financial hardship to get out of it? Are there positive use cases that could help facilitate and accelerate?

FRLC noted if there was for example a FHI indicator or it’s inferred in some way, and an ADR becomes aware of it, if there was a CDR app that worked with you and say a financial counsellor to work through the issues, that would be a positive way forward.  The problem is that the financial counsellor and the community legal centre (CLC) are not-for-profit and they don’t have the funding.

The Chair noted that FRLC could potentially be an ADR which vulnerable customers could access. With the cross-sector nature of the CDR this could enable the counsellor to see the solution and nature of the issue quickly and help someone.

One member noted from a privacy perspective, consent is not a cure for all and consumer behaviour shows that often these sorts of long consents are not always read. Their interpretation of the CDR, around permitted uses, is that it’s quite a restrictive regime but it’s a “gold standard” when it comes to privacy protection as we have embedded in the rules the data minimisation standards. You can only use the minimum amount of data and collect the minimum of data for the purpose of providing the consumer the relevant good or service.  7.5 of the Rules provides for those very specific purposes for which data can be used and including inferred and derived data because of the breadth of the definition of CDR data.

The member wonders if this also provides a level of protection because there are built into the rules these specified use cases that consumers need to consent to and you can’t stray outside of those, along with the high watermark for de-identification that’s built within the CSIRO’s Data61 Standards.

One member noted that they agree with the comments around CDR being a “gold standard” in relation to privacy protection for CDR data because it is the gold standard in respect to ensuring that information flows through a system to a recipient, after the consumer giving his fully informed consent.  A lot of the emphasis in the CDR regime is around assurance that a consent is executed in the terms of that consent and then the CDR system stands back from whether the ultimate recipient of that information is handling it in accordance with the terms of that consent.

The member noted that this is where the proposed reforms in the Privacy Act, now under discussion, have parted from the traditional consent model because an organisation should be accountable in relation to its uses of information and often consents are not of sufficient quality to ensure that consumers’ interests are adequately protected, so the emphasis has moved away from consent; it’s now supplemented by concepts of what is fair and reasonable and whether an organisation has been accountable for the uses that it has enabled others to make of information that it has enabled to be delivered.

The member asked should the CDR regime become part of the enforcement mechanism around what sectors are doing, or do we stand back and look to rules and other sectors?  Is the CDR regime potentially lagging behind where best practice will be in Privacy Law as recognised in the Attorney General’s recommendations for the 116 changes to the Privacy Act and do we need to look again as to whether the CDR regime is reflecting current good practice in the use of rules to ensure that information is used to the benefit of people and not actively used to their detriment.

TSY noted, in relation to hardship data being in or out as a data set, that this has been something that’s been grappled with through the different designation processes, and noted the point that you may infer hardship from other information. The particular data set, namely flags like hardship data, have been considered as to whether or not it should be included as data sets in each of the designations. There was consultation around the circumstances where we’ve got the consent framework and other protections, and whether this very sensitive information should be included or not.  The overwhelming balance of trade-offs there was that because of the sensitivity of the information, it need not be included and valuable products and services can be developed without it.

TSY noted in terms of the observation that we are lagging behind the Privacy Act; they disagree with this characterisation.  The CDR has been ahead of the Privacy Act in terms of safeguards, because of the importance of addressing these issues. They have the Privacy Principles which are embedded in the Framework and some of the proposals in the 116 recommendations in the Privacy Act are to catch up. Once information is included in the CDR system, it isn’t set and forget, it’s around building protections to ensure that it is a safe system and that the data is transferred and is used in order to build product and services that will benefit consumers.

One member asked do we treat all the customers equal through the CDR system or do we treat vulnerable customers differently and if so, how do we include these data points through various mechanisms?

FRLC noted that you can become vulnerable tomorrow – you’re only two pay checks away from vulnerability and it can happen to anyone at any time.  If you build a system that is safe and fair and identify those qualities which aren’t used against you – you could apply across the board.

One member asked what actual data do we have that supports CDR and that it would benefit and solve this problem?  They fundamentally believe that with hardship, that is between the consumer and the provider. 

One member noted the Privacy Protections that the CDR has, are a lot stronger than the current Privacy Act.  However, there is an issue around Trusted Advisers that sits outside of that around how they’re interacting with the data they access which they need to consider.  The other side is de-identified data being easily re-identified and also used for creating insights and database decisions that may impact specific communities or groups of consumers.  There needs to be an element of how we deal with data that particular agencies have and the “best interest” in the data space.

The member noted that this is not new, in other jurisdictions they have it in mind where data is being used for the interest of consumers and that it’s been legislated, for example in the New York Privacy Act, where your data usage can’t overtake the interest of the good outcome that there is for the consumer. 

The member also noted in terms of enforcement, the Government needs to start considering how to be proactive and what does proactive enforcement look like.  They don’t think in the database world, we can wait for consumers and consumer groups to identify harm and only then action being taken.  The regulator needs to be supported to actually go out to look for harm and potential issues and we need to consider strengthening the broader Privacy Act and looking at traditional enforcement as it just won’t cut it anymore as we move more into the data space.

Treasury Update

Kate O’Rourke, the First Assistant Secretary of the Consumer Data and Digital Division (CDDD) at TSY provided an update as follows: 

TSY noted that in reference to the earlier discussion on the idea of an Operational Working Group, TSY chairs a CDR Implementation Advisory Committee which is held monthly which focusses on implementation issues. TSY has been considering whether this forum should be broader and actively lean into operational issues and policy discussions etc.  This is still under consideration. 

TSY noted in relation to the CDR Action Initiation Bill, that the Bill has been referred to the Senate Committee, and the Committee have deferred the report date from their consideration of the Bill (the date has moved from 23 March to 3 May).  TSY noted a number of Bills and reports were deferred, and they believe the deferral was generated because of the overall workload of the committee. 

TSY agreed with the positive report provided earlier in the meeting on the Action Initiation Workshop, they were really pleased with the number of participants and great contributions and look forward to working with everyone on that as it proceeds.

One member asked if there was an update on timing for the next Rules version. TSY responded that they were not able to provide any additional information in regard to this.

ACCC Update

Daniel Ramos, the General Manager, Solution Delivery and Operations for the CDR at the Australian Competition and Consumer Commission (ACCC) provided an update as follows:

The ACCC noted that the main activity since the last meeting is the accreditation of Mastercard which is a significant step in the CDR.  They have had a number of other activations of smaller entities and they continue to have a number of energy participants run through the onboarding process.

The ACCC noted that Energy Australia are planning a phased rollout with the first phase being completed since the last DSAC. 

The ACCC sought feedback from the committee as to whether there were any particular areas of interest or priorities that they should focus on at future meetings.  No feedback was received from members.

One member asked whether Mastercard were coming on as an Accredited Data Recipient (ADR). 

The ACCC noted that their use case is unknown at this stage because the accreditation process is a legal process which happens via the ACCC’s CDR Committee, which is a sub-committee of the commission.  The accreditation process largely revolves around their fitness and propriety as an entity rather than a particular use case or technology solution.  They confirmed that they have been granted accreditation in their own right, but they don’t know what sort of technology use cases they might use that accreditation for.

One member noted that at the last meeting, we had a discussion around DH obligations when you changed accredited data recipient (ADR) service products.  What wasn’t discussed was if an ADR wanted to change an outsource service provider, we’re then caught in this quagmire that it would be bound to a consent, maybe not via a software product or legal entity but by another category.  The member is seeking feedback on this scenario.

The ACCC noted that when certificates are reissued in those circumstances, that is the hook that requires interaction with their operations team.  If not, you’re left with the consent issue around portability. 

The DSB noted that their understanding from the guidance that the ACCC have provided, is that the OSP model for participants was considered and there is no issue with an OSP changing, but OSPs need to be advertised and communicated through metadata to the customers but it is not embedded in the consent. The key issues that would cause consent portability problems were legal entity changes and the identification of accredited recipients in the register and the technical aspects.

The DSB noted that the ACCC have published guidance in the last week that DHs should not be breaking consent when OSP or solutions change.

The Chair suggested that the member, ACCC and DSB meet to discuss this issue in further detail. 

ACTION:  Member, ACCC & DSB to meet to discuss the OSP model for participants and provide an update at the next DSAC meeting

Presentation on Production Verification Testing

Daniel Ramos from ACCC noted that they have done some work around Production Verification Testing (PVT) and spoken to a number of members.  They noted that this consultation has unearthed quite a number of different issues that don’t necessarily fall under this title but they are important and related issues.

Vaughn Cotton from the ACCC presented as follows:

ACCC noted that they kicked off this consultation prior to Christmas, meeting with interested stakeholders regarding the PVT with the focus on defining the problem statement.

ACCC noted that there was a diverse range of perspectives with different use cases, roles in the ecosystem and levels of experience.  This provided them with a valuable insight into where the sentiment and points of most pain are coming out for the participants in the ecosystem.

ACCC noted that some general feedback was around whether their PVT option might be useful or not, and looking at other processes such as DH attestation at time of activation and other related activity that impacts the quality of interactions within the ecosystem.

ACCC noted that they wanted the ecosystem to focus on delivering value to consumers rather than diagnosing issues and activating new data holders and being distracted from giving value to consumers. 

ACCC noted that the main pain points identified were around the DH and DR activation and then being able to not only do DCR but also get through a successful consent process and authorisation and actual data sharing.  There are a variety of pain points from the consumer being asked to help advisors and DHs diagnose issues to ACCC’s limited visibility within the ecosystem and ongoing management for production changes. 

ACCC believe there was sufficient feedback of the ACCC playing a role with the ecosystem, however consideration is needed to ensure that they do not undermine existing commercial offerings.  They are considering exploration of options from the commercial market pending discussions regarding funding with TSY.

ACCC noted that some of the other issues were: i) Production Test Accounts – ACCC referring to TSY for policy guidance and a consideration as a candidate for a future Rules consultation; ii) Data Quality issues raised – ACCC compliance team is investigating issues raised by ADRs; iii) Disclosure of ACCC compliance investigations – providing visibility will aid participants; and iv) Increase testing and compliance assertions prior to activation – increase the threshold for activation by required data holders to provide more evidence of their readiness.

One member noted that if more testing is required, some of that cannot happen concurrently and more time needs to be allowed for that.

ACTION:  DSB to check to see if members are happy for the presentation, which includes names, to be shared publicly

Meeting Schedule

The Chair advised that the next meeting would be held remotely on Wednesday 19 April 2023 from 10am to 12pm. 

The Chair also noted that the May meeting may revert to a remote meeting as we do not have a host.  We would provide an update at the next meeting.

Other Business

The Chair noted that he will follow up with Hon Minister Stephen Jones MP to invite him to another DSAC meeting.

Closing and Next Steps

The Chair thanked the DSAC Members and Observers for attending the meeting.  

Meeting closed at 11:50