Data recipient user journey
- Compliance guidance
The Competition and Consumer Act 2010, Consumer Data Right Rules and Standards impose a range of requirements that data holders, accredited data recipients and intermediaries need to comply with. Our compliance guidance is designed to assist participants to understand and comply with their obligations. The focus of these resources is on the obligations arising under the Rules and Standards.
- Privacy obligations
Consumer Data Right participants have privacy obligations under the Consumer Data Right system, including in relation to collecting, using, disclosing and correcting Consumer Data Right data for which there are one or more consumers. The Office of the Australian Information Commissioner (OAIC) Privacy obligations page provides a high level summary of participant privacy obligations.
It is important that participants understand their privacy obligations at an early stage, so they can embed appropriate privacy practices into the design specifications of their solutions and business practices.
Privacy obligations | Privacy Safeguard Guidelines | Guidance and advice
- Participant tooling overview
The ACCC has been working on ways to help Consumer Data Right participants understand the Consumer Data Right ecosystem’s technical requirements, as well as develop and maintain solutions that can operate within the ecosystem. As the first step in the participant tooling journey, the ACCC has built a series of free, open source mock solutions.
- Participant tooling: Authentication / Authorisation APIs
Authentication and Authorisation APIs are one of the first aspects of a participant’s solution design and build. This resource provides a reference point for this feature in the Consumer Data Right build in order to accelerate a quality build.
CDR repositories Github | CDR register Github | Participant tooling
- Participant tooling: Mock solutions
The free mock solutions can be used throughout a participant’s activation journey. Accessing these tools in the discovery phase of a participant’s project can assist with scoping of a compatible Consumer Data Right solution. Beyond this stage, the tools can provide further value as a reference point for code, to validate a solution through the build and to test a participant’s solution.
- Participant tooling sandbox
The existing mock solutions include automation and self-service capabilities that allow participants to download the reference code for use in their environment when developing and testing their own solutions. The Consumer Data Right hosted sandbox builds on this work to enhance the capability available to participants and their vendors to develop and test their own solutions in a sandbox environment hosted by the Consumer Data Right.
The Consumer Data Right hosted sandbox is a free tool that provides the following features to new and existing participants:
  - ability for participants to use their own seed data to test against the mock solutions, or interact directly with other participants to exchange test data
  - revised version of the mock solutions compatible with the latest rules and standards, which have been updated to include the energy sector
  - management portal to assist participants with the integration and management of their own solutions within the environment.
- CDR business readiness
To join the Consumer Data Right ecosystem, a participant will not only build their Consumer Data Right solution and follow the ACCC Consumer Data Right activation process but also consider the various internal readiness activities that can be performed to ensure a smooth go-live. These activities will differ from participant to participant but may include reporting considerations, updating of standard operating procedures, staff training plans and process updates.
- Participant portal registration
The Consumer Data Right Participant Portal is where a legal entity/person can complete and submit an application to become an accredited data recipient. The Participant Portal is also the place for Consumer Data Right participants - data holders and accredited data recipients - to update and manage their information and view the Consumer Data Right Register of Accredited Persons.
- Accreditation overview
Accreditation is required for data recipients to join the Consumer Data Right ecosystem to ensure that they meet the criteria to become an accredited data recipient. Entities that wish to receive consumer data to provide products or services to consumers under the Consumer Data Right regime must be accredited by the Data Recipient Accreditor (the ACCC). The Consumer Data Right Rules set out the criteria that the Data Recipient Accreditor will apply when considering an application for accreditation. Once accredited, an accredited person must comply with ongoing obligations to maintain accreditation.
Become an accredited data recipient | Accreditation guidelines
- Accreditation: insurance
The Consumer Data Right Rules require accredited persons to hold appropriate insurance, or a comparable guarantee, relevant to the nature and extent of their management of Consumer Data Right data. The objective of the insurance obligation is to ensure an accredited person has adequate insurance in light of the risk of Consumer Data Right consumers not being properly compensated for any loss that might reasonably be expected to arise from a breach of obligations under any law relevant to the management of Consumer Data Right data.
- Accreditation: information security
An accredited person must take the steps outlined at Schedule 2 of the Consumer Data Right Rules to satisfy the information security obligation. These steps and controls are the minimum requirements that an entity must meet in order to satisfy the information security criterion to hold accreditation. An accredited person may choose to put in place protection that exceeds these minimum requirements, or may be required to do so to ensure their protection is appropriate and adapted to respond to risks to information security.
Supplementary accreditation guidelines - information security | CDR Privacy Safeguard Guidelines - Chapter 12
- Service management portal
The Consumer Data Right Service Management Portal is for Consumer Data Right participants to communicate technical incidents between each other, or with the ACCC Consumer Data Right Technical Operations team. The Consumer Data Right Technical Operations team undertake a monitoring approach to facilitate effective resolution of issues and promote a healthy and effective Consumer Data Right ecosystem.
- Service management access
At the start of the Consumer Data Right on-boarding process, each participant will identify a responsible person, or group, in their organisation to be granted access to the Consumer Data Right Service Management Tool. Other users who wish to have access can request it by consulting their organisation’s Consumer Data Right representative or by emailing the Consumer Data Right Technical Operations team.
- On-boarding overview
After successfully completing accreditation, each new Consumer Data Right provider must complete the on-boarding process before they can be activated in the Consumer Data Right ecosystem and commence consumer data sharing.
On-boarding is the process of a participant, new to the Consumer Data Right, preparing to participate in the ecosystem.
On-boarding, which includes successful completion of the Consumer Data Right Conformance Test Suite, is the last step participants must go through before the Registrar makes a participant ‘active’ on the Consumer Data Right Register. Once participants complete on-boarding, they are able to start sharing consumer data in the ecosystem. There are two key aspects of On-boarding – Public Key Infrastructure and Consumer Data Right Trademark Licence Agreement.
On-boarding for data recipients | CDR participant on-boarding guide
- On-boarding: Public Key Infrastructure
Public Key Infrastructure (PKI) certificates are a key component used in the Consumer Data Right ecosystem to provide secure and private communications between participants. The ACCC, as the Consumer Data Right Registrar, is responsible for issuing certificates to participants. The procedural and operational requirements relating to the use of the digital certificates issued to participants are governed by two agreements: the Subscriber and Relying Party Agreements. These agreements are legally binding and generally require consultation with legal teams. Participants cannot progress through the on-boarding process until these are signed.
What agreements are part of on-boarding to the Consumer Data Right
- On-boarding: CDR Trade Mark Licence Agreement
The Consumer Data Right Trade Mark is intended to be a symbol of trust in the Consumer Data Right ecosystem. The ACCC encourages all Consumer Data Right Participants to use the Consumer Data Right Trade Mark in the consent and authorisation processes offered to consumers. This agreement is legally binding and generally requires consultation with legal teams. Participants cannot progress through the on-boarding process until this is signed.
- Conformance Test Suite overview
The Conformance Test Suite is a final checkpoint of key elements of a participant’s solution before activation in the ecosystem. Its primary focus is to provide the ACCC, which as the Consumer Data Right Registrar maintains the security, integrity, and stability of the register, with a level of confidence in its activation decisions.
The Conformance Test Suite is designed to verify a limited subset of standards alignment against security profile and consent components as well as other high-risk areas.
A participant should not use the Conformance Test Suite as validation that their solution complies with the Consumer Data Standards (CDS) and Consumer Data Right Register Design.
Conformance Test Suite version history and technical guidance
- Conformance Test Suite: preparation
Participants are expected to have completed internal testing, including security testing, prior to commencing the Conformance Test Suite. After the completion of the Conformance Test Suite, the Registrar can request evidence of a participant’s internal test results as part of the activation process. Participants are expected to ensure their implementation aligns to the Consumer Data Standards and Consumer Data Right Register Design. While the Conformance Test Suite conforms to the Consumer Data Right Standards, its role is not to validate that a participant’s solution is compliant with those standards.
Participants are accountable for compliance with the standards and must address any alignment issues prior to commencing Conformance Test Suite testing.
Conformance Test Suite version history and technical guidance | Participant Conformance Approach
- Conformance Test Suite: participant tooling
In preparation for Conformance Test Suite, a participant will be able to use participant tooling to test their solution to inform any additional development or adjustments required before proceeding through Conformance Test Suite. Mock solutions are able to be used in the sandbox with the participant’s solution to test different test plans and scenarios, simulating the Conformance Test Suite experience.
- Conformance Test Suite: Perform CTS
For a data recipient, the tests provide a simulated data holder and a mock Register to support the test scenarios.
There are currently four key tests included in the Conformance Test Suite for accredited data recipients - dynamic client registration, consent test, consent withdrawal test and API test.
- Participant tooling to test Consumer Data Sharing
Once a participant is active in the Consumer Data Right ecosystem they can request and share consumer data, with consumer consent. If a participant would like to validate successful consumer data sharing, they can use the sandbox to simulate interactions with an opposing participant. The ability to perform this business verification testing on the endpoints/APIs is important as it is the participant’s responsibility to ensure they can request consumer data once activated in the ecosystem.