Current as at November 2024
Background
The Hon Stephen Jones MP was appointed Assistant Treasurer and Minister for Financial Services, with effect 1 June 2022, and is the Treasury Portfolio Minister with responsibility for the Consumer Data Right (CDR).
Mr Andrew Stevens is the CDR’s inaugural Data Standards Chair (Chair), as authorised by the Competition and Consumer Act 2010.
The Chair performs an important role as an independent statutory appointment, responsible for the making and reviewing of Data Standards. For the purposes of finance law, however, the Chair is an official of the Department of the Treasury. As an official, the Chair has duties of care and diligence.
The Chair may make CDR Data Standards about the format and description; disclosure; collection, use, accuracy, storage, security and deletion; and de-identification of CDR data.
In making, and reviewing these Data Standards, the Chair must comply with the CDR’s Rules, which state, with regards to the Data Standards Advisory Committee (DSAC), that:
- The Chair must, by written instrument, establish and maintain a committee (DSAC) to advise the Chair about Data Standards;
- Before making or amending a Data Standard, the Chair must prepare a draft of the proposed standard or amendment (the consultation draft); and consult with the DSAC;
- When making or amending a Data Standard, the Chair must have regard to the advice or submissions (if any) received from DSAC; and
- The Chair must appoint one, or more, consumer representative(s), and one, or more, privacy representative(s) to the DSAC.
Terms of Reference
- The DSAC shall:
  - Conduct activities, as required, in order to advise the Chair in regard to his functions, powers, and duties.
  - Adopt, and have regard for, the principles and philosophy that guide relevant DSB activities and CDR Data Standards implementation (as set out in the Data Standards).
  - Provide relevant strategic, expert and/or industry advice on the design and implementation of relevant CDR Data Standards, especially with regard to:
    - Industry expectations and practice;
    - Legal and regulatory requirements;
    - Technical specifications;
    - CDR rule-making; and
    - Policy expectations.
  - Support engagement and outreach to the eco-system, including providing assistance for the resolution of conflict and disagreement with the implementation of Data Standards.
- Members shall meet at least six times each calendar year.
- At the discretion of the Chair, the DSAC shall be comprised of a mixture of members who have experience at, or are in:
  - Data Holders (designated and potential);
  - Intermediaries, and Data Recipients;
  - Relevant Research, Service, Technology or Industry Organisations;
  - Consumer Representatives; and
  - Digital identity expertise.
- When appointing members to the DSAC, the Chair shall have regard for their individual and collective:
  - appreciation and awareness of consumer-facing innovation;
  - understanding of the underlying data;
  - understanding of privacy and security issues for consumers and business;
  - understanding of standards setting, and development, processes; and
  - understanding of the technical requirements of systems development and applications.
- At the discretion of the Chair, the DSAC shall invite relevant Observers from:
  - CDR agencies;
  - State or Commonwealth agencies, regulators and arbitrators; and
  - Other organisations the Chair considers relevant.
- Members, minutes and proposals made by the Chair, and the DSAC, shall be made publicly available, in order to support trust, transparency and engagement with the eco-system.
- The DSAC operates on an annual cycle. The membership and operation shall be reconsidered by the Chair before each new cycle. Vacancies, membership and the operation of the DSAC may be considered at any time.
For further information
Andrew Stevens
Data Standards Chair
e andrew.stevens@iisa.gov.au
w www.cds.gov.au
Naomi Gilbert
General Manager, Data Standards Body
e naomi.gilbert@treasury.gov.au
w www.cds.gov.au
Principles
The original 2017 Review took the position that the CDR must adopt the following principles:
- be customer focussed
- promote competition
- encourage innovation, and
In addition to these principles, the Review considered the CDR should allow for alternative approaches.
Outcome Principles*
Outcome principles articulate qualitative outcomes that the Data Standard’s Application Program Interface (API) definitions seek to deliver:
- APIs are secure
  The API definitions will consider and incorporate the need for a high degree of security to protect customer data. This includes the risk of technical breach but also additional concerns of inadvertent data leakage through overly broad data payloads and scopes. The security of customer data is a first order outcome that the API standards must seek to deliver.
- APIs use open standards
  In order to promote widespread adoption, open standards that are robust and widely used in the industry will be used wherever possible.
- Data sharing provides a positive consumer experience
  The standards will ensure that CDR consumers have simple, informed, and trustworthy data sharing experiences that provide them with positive outcomes over the short and long term.
- APIs provide a good developer experience
  To ensure that the entry hurdle for new developers is low, the experience of the developers that are building clients using the APIs will be considered. The ability for a developer to easily understand and write code using the APIs in modern development environments should be facilitated by the API standards.
- Standards are consistent across sectors
  The standards will strive for consistency in patterns, structure, security mechanisms and user experience across sectors, to facilitate the development of customer experiences and services that are able to integrate data from multiple sectors seamlessly and to reduce the cost of customer education and new sectors.
Technical Principles*
Technical principles articulate specific technical outcomes that the CDR Data Standard’s API definitions seek to deliver:
- APIs are RESTful
  The API standards will adhere to RESTful API concepts where possible and sensible to do so. In particular, the concepts of statelessness and resource orientation will be followed.
- APIs are implementation agnostic
  The underlying implementation of the APIs should not be constrained or driven by the API definitions and standards. Conversely, the underlying implementation choices should not be visible to, or derivable by, the client applications using the APIs.
- APIs are simple
  As complexity will increase implementation costs for both holders and clients as well as reduce the utility of the APIs, API definitions should seek to be as simple as possible but no simpler.
- APIs are rich in capability
  As the APIs are defined, care should be taken to ensure that the data payloads defined represent rich data sets that can be used in many scenarios, including scenarios not necessarily front of mind during the design process.
- APIs are performant
  The API definitions should consider and incorporate performance implications during design, ensuring that repeated calls are not necessary for simple use cases and that payload sizes do not introduce performance issues.
- APIs are consistent
  The API definitions across the full suite of APIs should be consistent with each other as much as possible. Where possible, common data structures and patterns should be defined and reused.
- APIs are version controlled and backwards compatible
  As the API definitions evolve, care will be taken to ensure the operation of existing clients is protected when breaking changes occur. Breaking changes will be protected by a well-defined version control model and by a policy of maintaining previous versions for a period of time to allow for backwards compatibility.
- APIs are extensible
  The API definitions and standards should be built for extensibility. This extensibility should accommodate future API categories and industry sectors, but it should also allow for extension by data holders to create unique, value-add offerings to the ecosystem.
Consumer Experience Principles*
Consumer Experience principles articulate qualitative outcomes for consumer experience that the standards should seek to deliver.
- The CDR is Consumer-centric
  The CDR consumer experience is intuitive and is centred on consumer attitudes, needs, behaviours, and expectations – noting that these may change over time.
- The CDR is Accessible and Inclusive
  A diverse range of people are able to access, use, and comprehend the CDR ecosystem regardless of their background, situation, experience, or personal characteristics.
- The CDR is Comprehensible
  When interacting with the CDR, consumers are able to understand the following:
  - who their data is shared with;
  - what information is shared;
  - when sharing begins and ceases;
  - where data is shared to and from;
  - why their data is being requested; and
  - how they can manage and control the sharing and use of their data.
- The CDR is Simple and Empowering
  - Consumer interactions with the CDR are as simple as possible, but not at the expense of informed consent, consumer control, transparency, privacy, or comprehension.
  - Consumers should be encouraged to be privacy conscious without experiencing cognitive loads that lead to disengagement.
  - Consumers should also be empowered by the CDR without interactive burdens being placed on them.
- Consent is Current
  - Consent is granted at a point in time and is only as current as the consumer’s original intent.
  - Consumer attitudes and behaviours may change over time and be impacted by external events such as the expansion of the CDR or consumer awareness.
  - Consent terms should always align to current consumer preferences.
* https://consumerdatastandardsaustralia.github.io/standards/#principles