Information Security Consultative Group – Code of conduct

InfoSec minutes

Author: Mark Verstege

Publish date: 13 May 2024


Context

This code of conduct is intended to govern the behaviour and engagement of members of the Information Security Consultative Group (the Consultative Group) that has been established under the powers of the Data Standards Chair as an advisory committee for the Consumer Data Right (CDR).

Abiding by this code of conduct is an expected, but voluntary, undertaking of appointed members of the Consultative Group, as well as other attendees representing government bodies.

While this code of conduct is not legally binding, it does represent a common understanding of appropriate behaviour. Breaches may be considered by the Chair when decisions regarding existing or future appointments are made.

Behaviour

Members agree to:

  • Engage in meetings with professionalism and with respect for other attendees.
  • Faithfully represent the interests of other CDR participants that do not have representation in the Consultative Group, within the bounds of their obligations to the organisation they represent.
  • Act in accordance with the best interests of the CDR with the intent of improving the operation, security, and performance of the CDR ecosystem.
  • Engage in meetings in accordance with their obligations to their organisations and the regulatory requirements of their organisations. For instance, this will include refraining from engaging in behaviour that could be classified as anti-competitive or that breaches privacy obligations.

Meeting Attendance

Members agree to:

  • Attend, either physically or virtually, the scheduled meetings to the best of their ability.
  • Be prepared to contribute at meetings, having discussed the items on the agenda with members of their own organisation such that they are able to give meaningful and relevant feedback.
  • Refrain from delegating their appointed role without prior discussion with the convenor of the Consultative Group.

Confidentiality

Members agree to:

  • Keep the discussion of the Consultative Group confidential, noting that the minutes of meetings of the Consultative Group are made public. This will, for instance, include keeping the attribution of the contribution of specific members confidential.
  • Share the confidential discussions of the Consultative Group within their own organisation on a need-to-know basis. It is expected that members will collaborate with colleagues inside their own organisations to provide feedback that is endorsed by their organisation, but it is expected that members will show judgement in how this collaboration is managed.

Management of Data

Members agree to:

  • Keep all data confidential that is shared by, or with, them in the course of their involvement with the Consultative Group, including not sharing or distributing the data outside of their organisation.
  • Actively seek to ensure that the Consultative Group can be trusted by other CDR participants to receive any data that will be useful in assessing non-functional requirements. It is expected that this will include limiting the degree to which this data is disseminated within their own organisation. An analogue of the CDR principle of data minimisation should be applied when sharing data with their colleagues.

Competition Law Protocols

Members agree to:

  • Comply in all respects with the Competition and Consumer Act 2010 (Cth) and any other applicable competition laws.
  • Not engage in cartel conduct (price fixing, market, customer or supplier allocation, supply or output restriction, boycotts or bid rigging/coordination).
  • Not enter into any anticompetitive agreement or engage in anticompetitive conduct.
  • Not share or discuss any confidential or competitively sensitive information, including information about current or future commercial strategies, internal processes or systems, costs and margins, prices, customers, suppliers, output, sales, marketing plans, market shares, and public information which is compiled and shared in a way that a third party would not ordinarily be able to access / compile.
  • Not share any information or data which goes beyond that which is necessary to achieve the legitimate purpose and scope of the initial consultative group outlined in the Terms of Reference, which is not an anti-competitive purpose and is unlikely to have any anticompetitive effect.
  • If any member is unsure whether information or data proposed to be disclosed is competitively sensitive or goes beyond that which is necessary to achieve the purpose specified in the Terms of Reference, the participants will not share the information or data until they receive competition law advice that the proposed information or data to be shared or discussed is appropriate in the circumstances.
  • If, during the course of any meeting, a participant has concerns that the content of any communications may raise competition compliance issues, the participant will make their concerns known to the DSB, and the DSB will immediately cease the discussion. If the discussion does not cease, the participant(s) who raised the concern should leave the meeting and ask for their departure to be minuted. Participants also undertake to report any communication between participants that may raise competition concerns to their respective legal teams.

Version control

Version | Date | Author | Rationale
1.0 | 15/5/24 | Mark Verstege | Code of Conduct adopted