Privacy working group meeting 5 – October 20, 2022
This discussion guide is provided to assist working group members in preparing for the meeting.
For questions or comments, please contact obbo@fin.gc.ca.
Discussion guide
Consent management process
Dashboards play an important role in clearly and transparently displaying consent. They inform consumers about the type of data that is being shared, the accounts from which it is being collected, the length of the consents, as well as the ability to revoke them.
Recognizing this, the Advisory Committee on Open Banking recommended that any Canadian framework must include a robust consent management structure, including a consent management dashboard.
Building on the previous working group discussion of consent standardization, a dashboard will need to have a common and consistent approach across ecosystem participants. Functionality must be simple and straightforward and should also consider key elements of the revocation process described in the second meeting of this working group, namely that it should:
- Be clear, simple and transparent;
- Permit the consumer to initiate revocation with either the data recipient or provider;
- Be as simple and clear as the process for collecting consent, with consumers able to revoke consent with the same (or fewer) number of clicks as providing consent; and,
- Notify consumers clearly over the course of the revocation process, including with regard to what happens to their data.
The annexes to this discussion guide display wireframes of what could be displayed on a dashboard as well as the steps required for a consumer to revoke access. The goal of this working group meeting will be to discuss the steps involved in the journey as well as the information to be provided along each step. As was the case in the previous working group meeting, the content in this discussion guide takes reference from the work of the United Kingdom's Open Banking Implementation Entity (OBIE). It is also noted that the OBIE guidelines were supported by working groups, market research, consumer testing and deep-dives into the customer journey. As such, the wireframes propose a first step and future journeys may form part of the open banking system as it grows and matures.
Discussion
- Other than a view of consents and revocation, is there another journey that merits standardization in the context of a dashboard?
- Are the consent dashboard wireframes proposed in Annex A and Annex B appropriate and complete? Are any steps missing or unnecessary?
- Are the revocation wireframes proposed in Annex C and Annex D appropriate and complete? Are any steps missing or unnecessary?
- Would any steps be materially different if an SME was completing the journey?
- Would any steps be materially different if the process was conducted on a digital channel other than mobile (for example, a web browser)?
Annex A – Consumer dashboard overview – Inbound data
Given that reciprocity will be a key feature of the open banking system, the scenarios below have been prepared from the perspective of the participant acting both as a data provider and a data recipient. For example, this is captured under point 2 below where the participant provides information for both data that is received and data that is provided.
Below are the visual elements of a consent dashboard for a scenario in which a system participant is providing an overview of the information they are receiving.
Consumer dashboard overview – Inbound data
- Information provided to the consumer must be divided into two screens. First, a landing page screen providing a high level overview. Second, a detailed screen providing for the management of connections.
- The participant must offer the option to view information related to data that is being received, data that is being provided, and a history of consents that have expired.
- The participant must provide the following information about connected accounts:
  - Data provider name
  - Account type(s) (for example, chequing account, credit card, etc.)
  - The date by which the consent must be refreshed
  - The date and time of the last occasion where data was collected from the connected account
  - Warnings or alerts if access is close to expiry in a manner that is visually prominent, i.e. in a different color or font.
- The participant must describe the status of the data collection consent as either "Active" if current or "Reconfirm" if consent is nearing expiry. These buttons are not actionable and are for information purposes.
- The participant must provide a "manage" button that redirects to a separate screen allowing the customer to, among other things, revoke or reconfirm consent. This should appear under the "Active" or "Reconfirm" buttons and must lead to a separate screen with further details.
- The participant should include a button at the bottom of the screen allowing for further connections to be made. This should forward the consumer back to the consent, authentication and authorization journey discussed in the previous working group meeting.
- The participant must provide a detailed screen which the consumer can access by pressing "manage" on the consent dashboard. The screen must outline the following information:
  - Data provider name
  - Account type(s) (for example, chequing account, credit card, etc.)
  - Account identifier, such as an account number
  - The data that is being shared – drop down menu to further describe the data that is being collected
  - How the data is being used
  - The date the consent was first provided and the expiration
- The bottom of the screen must include a button allowing for the connection to be disconnected or reconfirmed.
Annex B – Consumer dashboard overview – Outbound data
This scenario describes the visual elements of the consent dashboard when a system participant is providing an overview of the information they are providing.
Consumer dashboard overview – Outbound data
- As under Annex A, information provided to the consumer must be divided between two screens. The first is a landing page screen providing a high level overview. The second is a detailed screen providing for the management of connections.
- As mentioned under Annex A, the participant must maintain the option of allowing the consumer to view information related to data that is being received, data that is being provided and a history of consents that have expired.
- The participant must provide the following information with respect to account information that is being shared:
  - Data recipient name
  - Account type(s)
  - Account identifier, such as an account number
  - The date by which the consent expires
  - The date and time of the last occasion where data was collected from the connected account
  - An indication of the consent expiry date
- The status of the data collection must indicate "Active". This button is not actionable and is for information purposes.
- The participant must provide a "manage" button that redirects to a separate screen allowing the customer to revoke consent. This should appear under the "Active" button and must lead to a separate screen with further details.
- The participant must provide a detailed screen outlining the following information:
  - Data recipient name
  - Account type(s) (for example, chequing account, credit card, etc.)
  - Account identifier, such as an account number
  - The data that is being shared – drop down menu to break down the information from that data
  - How the data is being used
  - The date the consent was first provided and the expiration
- The bottom of the screen must include a button allowing for the connection to be disconnected.
Annex C – Consent revocation dashboard – Inbound data
The journey below describes the revocation of consent for information a participant collects from a data provider. The consumer lands on this page after pressing the "manage" button and pressing the "disconnect" button that appears at the bottom of the screen that follows, both of which are described under Annex A. The revocation journey must directly follow the "disconnect" button and must not be interrupted by additional screens.
Consent revocation dashboard – Inbound data
- The participant must detail the consequences of cancelling the consent.
- The participant should indicate the information being provided from the data provider.
- The participant must detail the consequences of disconnecting the account, namely the impact on the service being provided and the treatment of the data, among others.
- The participant must inform the consumer that the connection to their account has been cancelled. The participant should remind the consumer of the implications of the revocation.
Annex D – Consent revocation dashboard – Outbound data
The journey below describes the revocation of consent for information a participant provides to a data recipient. The consumer lands on this page after pressing the "manage" button and pressing the "disconnect" button that appears at the bottom of the screen that follows, both of which are described under Annex B. The revocation journey must directly follow the "disconnect" button and must not be interrupted by additional screens.
Consent revocation dashboard – Outbound data
- The participant should inform the consumer to check with the data recipient about the implications of the revocation on their service.
- The data provider must inform the consumer that the connection to their account has been cancelled.
Outcomes
Consent management process
Discussion 1
Other than a view of consents and revocation, is there another journey that merits standardization?
- Participants recommended expanding standardization to notifications customers receive at different points in the customer journey, as well as a standardized notification between participants when a consumer conducts an action from the dashboard.
- Outside of dashboards, participants further proposed standardizing the complaints process as well as reversing transactions.
- Participants also raised concerns about over-prescribing the elements of the dashboard and revocation process, in addition to the steps involved in the consent process which were discussed in the previous meeting.
Discussion 2
Are the consent dashboard wireframes proposed in Annex A and Annex B appropriate and complete? Are any steps missing or unnecessary?
- Suggestions for Annex A included:
  - moving the information listed under item 7 (“Data that is shared with us”) to the first slide on the left;
  - re-authenticating a consumer once the consent “Reconfirm” icon listed under item 8 is pressed;
  - a single button for bulk disconnecting all accounts instead of having to perform the action for each individual source account; and,
  - reconfirming consent for specific accounts from a data provider as opposed to all accounts.
- Suggestions for Annex B included:
  - moving the information listed under item 7 (“Data that is shared with us”) to the first slide on the left;
  - a single button for bulk disconnecting all accounts instead of having to perform the action for each individual source account; and,
  - highlighting the involvement of intermediaries such as aggregators in the chain of data movement from the data provider to the data recipient.
Discussion 3
Are the revocation wireframes proposed in Annex C and Annex D appropriate and complete? Are any steps missing or unnecessary?
Suggestions for Annex C included:
- clearly outlining the impacts of revoking data access, namely data deletion based on existing privacy legislation;
- avoiding language that would discourage the consumer from proceeding with their request to disconnect an account.
Suggestions for Annex D included:
- participants having the obligation to notify one another when a consumer revokes consent.
Discussion 4
Would any steps be materially different if an SME was completing the journey?
- Save for issues related to shared credentials and appropriate access rights, there was a general consensus that the steps would not be materially different.
Discussion 5
Would any steps be materially different if the process was conducted on a digital channel other than mobile (for example, a web browser)?
- There was a general consensus that the steps would not be materially different.
Privacy working group attendees
Members
- Bank of Montreal
- Borrowell
- Coast Capital Savings
- Desjardins
- First Nations Bank of Canada
- Interac
- Mogo
- Option consommateurs
- Prospera Credit Union
- Public Interest Advocacy Centre
- Royal Bank of Canada
- Scotiabank
Absent
- Brim Financial
External guests
- Financial Consumer Agency of Canada
- Financial Services Regulatory Authority of Ontario
- Office of the Superintendent of Financial Institutions
Chair
- Abraham Tachjian, Open banking lead
Secretariat
- Department of Finance Canada