This guide explains what partners need to integrate and present in a Consent Knowledge base to ensure compliance with the Consumer Data Right (CDR) requirements.
It is also useful to verify you have properly met all requirements related to Consent management, data handling processes, security requirements and more.
Keep in mind this page should be publicly accessible on the web, so make sure to host it on a static URL that doesn’t change. It can be in any adequately accessible format such as HTML, PDF or DOC.
We encourage you to tailor the content to your specific needs and feel confident knowing that any changes you propose will be carefully evaluated by our experts.
Key sections
Introduction to the Consumer Data Right (CDR)
Purpose: Explains key Open Banking concepts to the user such as CDR, ADR, the benefits etc.
Requirement: This should always be included; you may use this section as guidance.
Consent Management
Purpose: Explains how a user can manage their existing consent. This should include clear details specific to your implementation (e.g. screenshots of your application or links to the webpage where you’re hosting the Management portal, contact email and phone number). Remember to always offer your users at least two methods of consent management.
Requirement: This should always be included; you may use this section as guidance.
Data Retention and De-identification
Purpose: Explains to the user how their data will be handled for the duration of the consent as well as after it expires. This should include details specific to your data handling policies, especially if they differ from Basiq policies. If you are creating copies of data, this should be made transparent to the user. If you are practicing data de-identification, this process should be detailed and made transparent to the user.
Requirement: This should be included if your data handling policies differ from Basiq's; you may use this section as guidance.
Consent Management Policy Template
Introduction to the Consumer Data Right (CDR)
The Consumer Data Right (CDR) regulates the collection and handling of CDR data in line with privacy safeguards and rules that:
Ensure your users' data is managed securely.
Provide your users with control over how their data is shared and used.
Accredited Data Recipients (ADRs)
An Accredited Data Recipient (ADR) is an organization approved under the CDR framework to receive and manage consumer data securely. ADRs are required to adhere to strict privacy and security rules, ensuring that the consumer's data is used only with their consent. ADRs and ADR representatives (Partners) are expected to:
Transparently disclose how data is used.
Ensure secure storage and transfer of consumer data.
Implement privacy safeguards to protect user consent.
Key Benefits for Users
Choice and Control: Users decide what data to share, how it’s used, and who can access it.
Manage Consent: Users can view, modify, or revoke consents at any time.
Data Deletion Requests: Users can request data deletion or de-identification.
Data Usage under CDR
Data collected under the CDR framework can be used for:
Personalised Services: Tailoring recommendations to user activities.
Operational Purposes: Preventing fraud, detecting abuse, and generating analytical insights using de-identified data.
Communication: Sending updates and notifications aligned with user preferences.
Reps/Partners should transparently disclose the specific purposes for which they will use the data they collect from users and only request the minimum data necessary to fulfill those purposes.
Data Security Requirements
Data security is a core element of CDR compliance. All data must be managed securely through strict protocols, including:
Storage: Data must be securely stored in Australia only.
Encryption: Ensure encryption of data in transit and at rest.
Access Control: Restrict access to authorized personnel only.
Audits: Conduct regular audits to verify adherence to security practices.
Consent Management
To comply with CDR regulations, partners must provide users with flexible methods to manage their consents. These options ensure users have control over their data at all times.
Methods of Managing Consent
1. Using the Basiq Dashboard
Partners can revoke user consents on their behalf via the dashboard:
Log into the Basiq dashboard.
Navigate to the "Users" section.
Select the user whose consent needs to be revoked.
Add 'Confirm user's identity before revoking consent'.
Click to revoke consent.
Alternatively, partners can generate a unique URL from the dashboard and share it with users, enabling them to revoke consent directly:
Generate a URL link.
Share the link with the user.
Users can review and manage their consents independently.
2. Using the action=manage Parameter (Preferred)
The action=manage parameter directs users to the Consent Management Portal (CMP), where they can manage and revoke their consents directly. Partners can:
Integrate the CMP view within their app or website.
Provide users with a link to the CMP for direct access.
3. Alternative Methods
Partners are encouraged to provide additional methods to users for managing their consents, such as:
Offering support via email for consent-related queries.
Providing a support phone line.
Creating a publicly accessible resource (e.g., webpage or PDF) explaining consent management policies.
Ensure your company policies align with the Consent Policy configured in the Basiq customizer. Refer to the official ACCC/CDR rules for further guidance.
Data Retention and De-identification
Data Deletion Process
The user has the right to request data deletion at any time. Upon withdrawal of consent:
Data will be securely deleted or de-identified by the Partner.
Redundant data will be destroyed (except for specific use cases when you are required by law to retain data for a longer period).
Partners will ensure that third-party processors securely erase any shared data.
De-identification Process
De-identification involves removing identifiable information while retaining anonymised data for operational purposes, such as analytics and fraud prevention. Steps include:
Removing user IDs from transactions.
Stripping timestamps and descriptions that reveal specific details.
Aggregating data to ensure anonymity.
De-identified data can be used for improving services, creating insights, and operational analysis. Users may also request deletion of de-identified data if it is no longer necessary.
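The three de-identification steps above, sketched as an added example (not Basiq code and not part of the original template). The field names, the constructed sample records and the minimum-group-size threshold `K_MIN` are assumptions; suppressing small groups goes beyond the steps the page lists.

```python
from collections import defaultdict
from datetime import datetime

K_MIN = 3  # assumed threshold: groups with fewer distinct users are suppressed

# Constructed sample records; field names are hypothetical, not a Basiq schema.
SAMPLE = [
    {"user_id": "u-001", "posted": "2024-03-04T09:15:22", "description": "COFFEE CART 0412", "category": "dining", "amount": -4.50},
    {"user_id": "u-002", "posted": "2024-03-09T19:40:01", "description": "THAI PLACE NEWTOWN", "category": "dining", "amount": -12.00},
    {"user_id": "u-003", "posted": "2024-03-15T12:02:47", "description": "SUSHI BAR CBD", "category": "dining", "amount": -8.25},
    {"user_id": "u-001", "posted": "2024-03-21T08:55:10", "description": "COFFEE CART 0412", "category": "dining", "amount": -5.25},
    {"user_id": "u-002", "posted": "2024-03-01T00:00:05", "description": "RENT 14 EXAMPLE ST", "category": "rent", "amount": -1800.00},
]

def coarsen(tx):
    """Steps 1 and 2: drop user_id and description, keep only year-month."""
    month = datetime.fromisoformat(tx["posted"]).strftime("%Y-%m")
    return {"month": month, "category": tx["category"], "amount": tx["amount"]}

def deidentify(transactions, k_min=K_MIN):
    """Step 3: aggregate per (month, category) and suppress small groups."""
    groups = defaultdict(lambda: {"users": set(), "count": 0, "total": 0.0})
    for tx in transactions:
        row = coarsen(tx)
        group = groups[(row["month"], row["category"])]
        group["users"].add(tx["user_id"])  # held in memory only, to count distinct users
        group["count"] += 1
        group["total"] += row["amount"]
    released = []
    for (month, category), group in sorted(groups.items()):
        if len(group["users"]) < k_min:
            continue  # a single user's rent payment would still identify them
        released.append({
            "month": month,
            "category": category,
            "transactions": group["count"],
            "total": round(group["total"], 2),
        })
    return released

if __name__ == "__main__":
    for row in deidentify(SAMPLE):
        print(row)
```
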
Retention Policy
Partners must adhere to the following guidelines for managing user data:
Ensure user data is deleted promptly when it is no longer required, upon data sharing consent expiry or within 24 hours of receiving a consent revocation request.
Comply with retention toggle settings for automatic deletion, ensuring configurations align with privacy and security requirements.
Conclusion
This guide provides a foundation for integrating and managing a Consent Management Portal compliant with CDR regulations. By implementing the outlined methods, partners can ensure user data is handled securely, transparently, and in line with privacy laws. For additional guidance or assistance, contact our team.