Consent knowledge base - A guide for Partners

Written by Ashman Malik
Updated today

A 'Consent knowledge base' is a publicly accessible resource that provides your users with detailed information about how their data is handled, managed, and protected in relation to your business use cases and practices. It serves to inform users about their rights.

This guide explains what partners need to integrate and present to ensure compliance with the Consumer Data Right (CDR) and Consumer Experience (CX) requirements.

It is also useful for validating that you are meeting all necessary requirements related to consent management, data handling processes, security and more.

Keep in mind the page you produce should be accessible on the web, so make sure to host it on a static URL that doesn’t change. It can be in any adequately accessible format such as HTML, PDF or DOC.

Use the sections in this document to tailor the content to your specific needs. You are encouraged to expand on sections more relevant to your business use case, or exclude parts where your practices are already in alignment with the Basiq CDR policy (see "Consumer Data Right (CDR) Policy" in the Basiq Help Center).

You can always reach out to the Basiq support team for further assistance.


Key sections

Your Consent knowledge base should have the following key sections:


Introduction to the Consumer Data Right (CDR)

🎯 Purpose
Explains key Open Banking concepts to the user, such as CDR and ADR, their benefits, etc.

Transparently disclose the specific purposes for which you will use the CDR data you collect from users. This disclosure should also explain how and why the CDR data you request from users is the minimum data necessary to fulfil those purposes.

🏛️ Requirement
Must always be included.

💡 Suggested Language

Note: The following wording is provided as an example only and should be customised to suit your specific application and use case.

The Consumer Data Right (CDR) regulates the collection and handling of CDR data in line with privacy safeguards and rules that:

  • Ensure users' data is managed securely.

  • Provide users with control over how their data is shared and used.

Accredited Data Recipients (ADRs)

An Accredited Data Recipient (ADR) is an organisation approved under the CDR framework to receive and manage consumer data securely. ADRs are required to adhere to strict privacy and security rules, ensuring that the consumer's data is used only with their consent. ADRs and ADR representatives (Partners) are expected to:

  • Transparently disclose how data is used.

  • Ensure secure storage and transfer of consumer data.

  • Implement privacy safeguards to protect user consent.

Key Benefits for Users

  • Choice and Control: Users decide what data to share, how it’s used, and who it can be disclosed to.

  • Manage Consent: Users can view, modify, or revoke consents at any time.

  • Data Deletion Requests: Users can request data deletion or de-identification.

Data Usage under CDR

We may use the data collected under the CDR framework for:

  • Personalised Services: Tailoring recommendations to user activities.

  • Operational Purposes: Preventing fraud, detecting abuse, and generating analytical insights using de-identified data.

  • Communication: Sending updates and notifications aligned with user preferences.

Consent Management

🎯 Purpose
Explains how a user can manage their existing consent. This should include clear details specific to your implementation (e.g. screenshots of your application or links to the webpage where you’re hosting the Management portal, contact email and phone number).

Remember to always allow at least two methods of consent management and make them all accessible to your users. More implementation details can be found in our Docs: https://api.basiq.io/docs/consent-actions

🏛️ Requirement
Must always be included. Refer to the official ACCC/CDR rules for further guidance.

💡 Suggested Language

Note: The following wording is provided as an example only and should be customised to suit your specific application and use case.

When you give consent, you remain in control. You can easily manage your consent at any time—whether that means reviewing, updating, or withdrawing it—using any of the following methods:

  • Directly through the app (this is the easiest and preferred method)

  • By contacting our support team via email

Example consent management screen

Data Retention and De-identification

🎯 Purpose
Explains to the user how their data will be handled for the duration of the consent as well as after it expires. This should include details specific to your data handling policies, especially if they differ from Basiq policies. If you are creating copies of data, this should be made transparent to the user. If you are practicing data de-identification, this process should be detailed and made transparent to the user.

🏛️ Requirement
This should be included if your data handling policies differ from Basiq's.

💡 Suggested Language

Note: The following wording is provided as an example only and should be customised to suit your specific application and use case.

You have the right to request data deletion at any time.

Upon withdrawal of consent:

  • Your data will be securely deleted or de-identified, depending on your consent

  • Redundant data will be destroyed (except for specific use cases when we are required by law to retain it for a longer period)

  • We will ensure that any third-party processors will securely erase any shared data

De-identification process

De-identification involves removing identifiable information while retaining anonymised data for operational purposes, such as analytics and fraud prevention. Steps include:

  • Removing your personal information from transactions

  • Stripping timestamps and descriptions that reveal specific details

  • Aggregating data to ensure anonymity

We may use de-identified data for improving services, creating insights, and operational analysis.

Retention Policy

We will always:

  • Ensure your data is deleted or de-identified promptly when it is no longer required, upon data sharing consent expiry or within 24 hours of receiving a consent revocation request

This guide provides a foundation for integrating and managing a Consent Management Portal compliant with CDR regulations. By implementing the outlined methods, partners can ensure user data is handled securely, transparently, and in line with privacy laws. For additional guidance or assistance, contact our team.
