IT requirements for accredited data recipients

Overview 

Accredited data recipients are required to meet IT requirements under Australia’s Consumer Data Right. They also need to follow Consumer Data Standards which include information security controls, consent guidelines and API standards.

Website and app requirements

The consumer consent process must be part of any online or app-based authorisation process. 

Accredited data recipients must include an area on their website or app where consumers can clearly see and manage their Consumer Data Right data consents, including the ability to withdraw consent.

Consumers must be able to see:

• what data was collected
• when the data was collected
• the data holder of the data.

The Consumer Data Standards

Consumer Data Right includes data standards for both data holders and accredited data recipients. The Consumer Data Standards are developed by the Data Standards Body. 

Contribute to the discussion on standards development on GitHub.

The standards have five main components:

1. The CX Standards focus on the consumer experience (CX). These mandatory requirements ensure Consumer Data Right elements are consistent for consumers.
2. The CX Guidelines include examples of how to put the Consumer Data Right Rules and CX Standards into effect. These guidelines also include research-driven recommendations to help provide a positive consumer experience.
3. The information security profile covers low-level technical details such as encryption algorithms and how tokens are transferred. The tokens dictate how the data is transferred between two entities in a secure way. 
4. The API standards govern how application programming interfaces (APIs) are built and cover details such as errors, payload structures and URI taxonomies. These standards apply regardless of sector and enable accredited data recipients to work across multiple sectors without making any changes to APIs.
5. The non-functional requirements include minimum availability, maximum traffic expectations and data quality requirements. These requirements mainly apply to data holders.

Test approach for providers

Each new provider must complete the Conformance Test Suite before they can be made active on the CDR Register. See the ACCC’s Participant Conformance Approach (PCA) which covers providers that are looking to enter the Consumer Data Right system and providers that are already part of the system. The PCA helps all providers prepare for future releases while maintaining the ongoing integrity and operation of the Consumer Data Right system.

As part of the PCA, providers need to test their solution using the Conformance Test Suite. For new providers this is part of the on-boarding process. Find out more about conformance testing for data recipients and data holders in the For providers section.

Test scenarios and mock solutions are also available to assist with testing.

System production incidents

The CDR Service Management Portal is provided by the ACCC for CDR participants to communicate technical incidents between each other, or with the ACCC CDR Technical Operations team. Read the detailed user guide for the CDR Service Management Portal.

If you are a new provider entering the Consumer Data Right System you can apply for access to the CDR Service Management Portal by contacting the CDR Technical Operations team at CDRTechnicalOperations@accc.gov.au.