Collection Consents - Authorisation Amendment #633
Comments
How is this any different to the existing CX Standard?
This proposal just seems to rewrite what's already there in reverse. Coming from a Standards writing background, writing the same thing in two different ways, while fun, isn't a great idea, less is more.
Hi @perlboy, Thanks for this feedback. The existing authorisation amendment standard specifies what data holders must do when an ADR has supplied a cdr_arrangement_id. This is a mandatory requirement on data holders. The newly proposed standard clarifies what data recipients must do to trigger the simplified amending authorisation flow. A data recipient is not required to implement this standard, but if they do not they will only be able to receive a new collection consent, and the consumer will be required to complete the full authorisation flow.
This addition is implied by the statement "and the ADR has supplied a cdr_arrangement_id". This proposal is essentially implementation guidance, not Standards. The RFC style recommendations state "concise language is the goal". As such, I suggest actually the reverse, the removal of statements within the CX Standards related to To provide context, the Recipient supplying
All of these sections describe it in different ways, some of which relate to the Rules in question. Given the CX Standards relate to the optimisation of the consent flow I instead suggest:
"Provided a Data Holder supports PAR, they MUST also support the cdr_arrangement_id claim provided in the Request Object sent to the [PAR End Point](https://consumerdatastandardsaustralia.github.io/standards/#pushed-authorisation-end-point). The Data Recipient Software Product MAY provide the cdr_arrangement_id claim in the Request Object sent to the PAR End Point."
to
"Provided a Data Holder supports PAR, they MUST also support the cdr_arrangement_id claim provided in the Request Object sent to the PAR End Point. The Data Recipient Software Product, if requesting to amend a current authorisation under Rule 4.22A, MUST provide the cdr_arrangement_id claim in the Request Object sent to the PAR End Point. A Data Holder MUST treat the request under the Amending Authorisation Standards If the cdr_arrangement_id claim is provided"
Finally, on a point of applicability, the proposal expands the references from 4.22A to include 4.18C and 4.20S. Both 4.18C and 4.20S relate to notification by a recipient to both Data Holder and another Data Recipient. They are also presented as past tense (i.e. after the collection consent is updated) and in fact referenced directly in 4.22A introducing a possibility that the Standard is in fact rewriting the Rules. As such making it applicable to the Amending Authorisation Standards appears to not only be technically impossible but invalid.
As an ADR, we had always intended on passing the arrangement id
The ACCC supports making a standard to clarify that an accredited data recipient must provide a CDR_arrangement_ID when making a notification to a data holder that a collection consent has been amended (as required by rule 4.18C or 4.20S). Supplying the cdr_arrangement_id ensures that data holders can link notifications about amended consents to the existing authorisation.
Based on the feedback provided and through internal discussions, we'd like to propose the following options for discussion:
Option 1: Standards Clarification (current proposal)
The intention of this proposal is to clarify what ADRs must do to initiate an authorisation amendment. The current proposal would not result in any new obligations for ADRs, and would not result in a change to standards relating to DHs. This option is considered to have low to no implementation impact. This proposal is as follows: Consumer Experience → Consent Standards →
Option 2: Adjusted ADR and DH standards
This option would result in a change to the existing ADR and DH standards. As per @perlboy's suggestion, this change would remove an existing statement from the amending authorisation standards for DHs; would insert revised wording to the infosec profile to clarify that an ADR must provide a Consumer Experience → Amending Authorisation Standards →
and Security Profile → Request Object →
Option 3: Revision of Original Proposal
Similar to Option 1, Option 3 would limit changes to the ADR side to provide a clarification only, and would not result in a new ADR obligation or changes to standards impacting DHs. The rewording in this option would provide an alternative clarification relating to the notification of a DH of a collection consent being amended, as follows: Consumer Experience → Consent Standards →
--update 29/05/2024---
Option 4: Combination of Option 2 and Option 3
This option combines approaches from both Option 2 and Option 3. This change would consolidate references to the Consumer Experience → Amending Authorisation Standards →
Consumer Experience → Consent Standards →
and Security Profile → Request Object →
Community feedback to these options and any other options that we should consider are welcome.
Based on community feedback, internal discussions and advice from other CDR agencies, the DSB would like to propose Option 4 as the preferred option. As outlined above, Option 4:
The proposed change has been staged for review.
Description
Under rules 4.18C, 4.20S, and 4.22A, a data holder is required to invite the CDR consumer to amend the authorisation to disclose CDR data when an amendment notice is received. Data holder CX standards currently put these rules into effect for the authorisation flow and dashboard, by linking authorisation amendment processes with the relevant cdr_arrangement_id. However, it is unclear that ADRs must provide the relevant cdr_arrangement_id in order for the authorisation amendment to operate as intended.
The consequence of failing to provide the relevant cdr_arrangement_id is that data sharing arrangements will be disconnected on consumer dashboards. Further, the simplified amending authorisation flow is only triggered when the cdr_arrangement_id is provided by the ADR.
This change request seeks to clarify that if an ADR invites a consumer to amend a collection consent, then they must provide the relevant cdr_arrangement_id to the data holder for the corresponding authorisation to be amended as per the rules.
Area Affected
CX Standards > Consent Standards > Consent: Amendment of Collection Consents and Authorisations
Change Proposed
Add a new CX standard to clarify that ADRs must supply the relevant cdr_arrangement_id to the data holder for corresponding authorisations to be amended as per the rules. Proposed addition to the standards:
DSB Proposed Solution
The proposed solution can be found in this comment.
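The routing consequence discussed in this thread, sketched from the data holder's side as an added example (not DSB or participant code): a verified PAR Request Object without `cdr_arrangement_id` falls through to a new authorisation, while one that carries it is treated as an amendment only if the arrangement is known and bound to the calling client. The function and store names, the sample identifiers, the nesting of the claim under `claims`, and the reject policy for unknown or foreign arrangement IDs are assumptions of this sketch.

```python
from dataclasses import dataclass

# Constructed sample state: active arrangements held by the data holder,
# keyed by cdr_arrangement_id. All identifiers here are hypothetical.
ACTIVE_ARRANGEMENTS = {
    "arr-1111": {"client_id": "adr-app-1"},
    "arr-2222": {"client_id": "adr-app-2"},
}


@dataclass
class FlowDecision:
    flow: str    # "amend", "new" or "reject"
    reason: str


def route_par_request(client_id: str, request_object: dict) -> FlowDecision:
    """Pick the authorisation flow for a decoded PAR Request Object.

    request_object is the payload after signature verification; placing
    cdr_arrangement_id under the "claims" member is an assumption here.
    """
    claims = request_object.get("claims", {})
    if not isinstance(claims, dict):
        return FlowDecision("reject", "claims member is not an object")

    if "cdr_arrangement_id" not in claims:
        # No link to an existing arrangement: the consumer completes the full
        # flow and the result appears as a separate dashboard entry.
        return FlowDecision("new", "no cdr_arrangement_id supplied")

    arrangement_id = claims["cdr_arrangement_id"]
    if not isinstance(arrangement_id, str) or not arrangement_id:
        return FlowDecision("reject", "cdr_arrangement_id is malformed")

    arrangement = ACTIVE_ARRANGEMENTS.get(arrangement_id)
    if arrangement is None:
        return FlowDecision("reject", "arrangement unknown or inactive")

    # Bind the arrangement to the authenticated client so one ADR cannot
    # reference, and thereby amend, another ADR's arrangement.
    if arrangement["client_id"] != client_id:
        return FlowDecision("reject", "arrangement belongs to another client")

    return FlowDecision("amend", "amending authorisation flow for " + arrangement_id)
```
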