Consumer Data Rights


Terminology Definitions

Data Standards Body (DSB) Usage | Australian Competition and Consumer (ACCC) Proposed Rules | Other Sources

ACCC (Australian Competition and Consumer Commission)

The ACCC is the lead regulator for the CDR regime.

(No specific definition but is described as having the role to determine rules that will govern the application of the CDR, both in particular sectors and across the economy more generally)
As defined in the Explanatory Materials, the ACCC has responsibility for advising the Minister on matters such as competition and making the consumer data rules.

accreditation The status provided to an organisation that has met the requirements to be considered an accredited data recipient.

ADI (Authorised Deposit-taking Institution)

Has the meaning given by the Banking Act 1959.

API (Application Programming Interface)

An API is a set of protocols, routines and tools that specify how software components should interact. In the case of the CDR, the components in question belong to the three elements of the ecosystem: the Registry, the Data Recipient and the Data Holder.

authenticate The result of verifying a consumer's identity. When a consumer verifies themselves with a data holder. ‘Authentication’ is the process by which the data holder verifies the identity of the consumer directing the sharing of their data, and the identity of the accredited data recipient seeking to collect the consumer’s data. Authentication occurs as part of the authorisation process.
From OBIE, the OAuth 2 framework requires user authentication prior to authorising the sharing of their information with third parties.

authorise The act of a consumer consenting to the disclosure of CDR data by a data holder. ‘Authorisation’ is used to refer to the consumer permitting the data holder to share data with the accredited data recipient. ‘Authorisation’ also has a technical meaning that relates to a process by which the accredited data recipient’s application obtains access to the consumer’s data via the data holder’s API.

banking sector The sector of the Australian economy that is designated as the first to adopt the CDR by the Designation Instrument.

CDR Consumer Data Right

CDR rules Rules defined by ACCC, currently the Competition and Consumer (Consumer Data Right) Rules 2019, outlining how the consumer data right works.

CDS Consumer Data Standards

consent Technically used to refer to when a consumer agrees to share their CDR data with an accredited data recipient for a specific purpose (i.e. collect and use); technically distinguished from the final affirmative action (i.e. ‘authorise’) in the Consent Flow. Consent is also used as a term in consumer-facing interactions to refer to sharing arrangements.

consumer An individual or business that uses CDR to establish a sharing arrangement.

CX (Consumer Experience)

The consumer experience (CX) that end users will have as they interact with the Consent Model and the CDR ecosystem.

data clusters The term used to refer to a grouping of data.

data holder An organisation that holds a consumer’s data.

data minimisation principle The data minimisation principle is a core tenet of the CDR and requires a Data Recipient to not collect or retain more of a CDR consumer's data than is reasonably needed.

data recipient An organisation that requests data (on behalf of a consumer) to provide a specific product or service.

data request The stage where a data recipient asks the consumer to consent to share their CDR data. This includes the terms of the sharing arrangement, such as the duration and

Data Standards Advisory Committee The committee(s) established by the Data Standards Chair to advise the Chair about the data standards.

DSB (Data Standards Body)

CSIRO’s Data61 has been appointed as the Data Standards Body to develop and support the data standards for the CDR.

Data Standards Chair Mr Andrew Stevens was appointed as the inaugural Data Standards Chair.

designated sector A designated sector means a sector of the Australian economy that is to adopt the CDR under subsection (2) of the CDR Amendment Bill.

notification A notice sent to a consumer related to a data sharing arrangement.

OAIC (Office of the Australian Information Commissioner)

OAIC has a number of roles in the CDR regime, including an advisory role, overview of the privacy protection elements, and consumer complaints handling once in operation.

OTP (One Time Password)

A single-use password that is generated by a data holder and used by a consumer to authenticate.

outsourced service provider A person (or corporation) to whom an accredited person discloses CDR data under a CDR outsourcing arrangement.

permission The specific data in an authorisation scope is referred to as a permission. These are grouped by data cluster. See the Data Language Standards.

PRD (Product Reference Data)

PRD is the generic description of a product offering, often provided to consumers as part of a Product Data Specification, and which does not include any personal customer information.

purpose The reason(s) for the data request. The purpose specifies why the data recipient needs the requested data to provide a product or service.

reauthorise Permission given by a consumer for a sharing arrangement to continue (for an agreed period) beyond the expiry date of the current sharing arrangement.

Register (Register of Accredited Persons)

Defined in Division 1.3 - Interpretation of the Rules Reference as the Register of Accredited Persons established under subsection 56CE(1) of the Act.

Also, the Rules Framework defined it as a public address book of accredited parties that is live, robust, and ideally decentralised, as well as secure, transparent and includes a method of tracing all changes made.

As defined in the Explanatory Materials:

1.260 The Register must be made available in electronic format. Matters relating to the ongoing maintenance of the Register including accuracy of entries, correction of errors, publication of all or part of the Register will be covered by consumer data rules. [Schedule 1, item 1, subsections 56CE(2) and 56CE(4)]
1.261 The Register is not a legislative instrument as the Register does not fall within the definition of legislative instrument in subsection 8(1) of the Legislation Act 2003. [Schedule 1, item 1, subsection 56CE(3)]
1.262 The Register is admissible as prima facie evidence. That is, where a person has taken the matters contained in the Register as being correct and acted on this basis, the person cannot be taken to be at fault.
For example, where a data holder disclosed CDR data to an entity on the basis that the entity was listed in the Register as being an accredited person, the data holder cannot be at fault if the receiving entity was incorrectly listed as being accredited. [Schedule 1, item 1, section 56CF]

revoke Withdrawing consent or authorisation is also referred to as ‘revocation’. This occurs when a consumer stops sharing or cancels a sharing arrangement.

sharing arrangement An instance of data sharing that a consumer has consented to and the terms that apply to this instance.

sharing duration The duration that the consumer specifies and consents to share CDR data with a Data Receiver.

trustmark Official Consumer Data Right branding that may be used by an organisation to show that they are an accredited data recipient.

value proposition A consumer’s perception of the usefulness of a product or service offered by a data recipient.

wireframe A two-dimensional illustration of a page’s interface that specifically focuses on space allocation and prioritisation of content, functionalities available, and intended behaviors.

withdrawal When a consumer stops a data sharing arrangement (i.e. ‘consent/authorisation’). This can occur via a data recipient or a data holder. This was previously referred to as ‘revocation’.