When a DH (Data Holder) receives a consent authorisation withdrawal request from a CDR consumer, they must notify the ADR (Accredited Data Recipient). What is the maximum time allowed for ADR notification, if the withdrawal request is received through a method other than the DH dashboard, such as by phone or in writing?
CDR Rules, section 4.25 Withdrawal of authorisation to disclose CDR data and notification, (2)(a), allows for a maximum of two business days for the DH to give effect to the withdrawal. Does this time limit apply to notification of the ADR?
The CDR Rules do not specify a limit for notification of the ADR. Rule 4.25 (2)(b) states that it has to happen 'in accordance with the data standards'. The Consumer Data Standards (CDS) do not specify timelines for revocation. It is implied that a revocation from a dashboard should be communicated immediately.
Is there any timeframe by which the DH should revoke an active consent authorisation when the consumer ceases to be an eligible customer of the DH? For example, if a customer closes all their accounts, must the DH revoke consent within two days?
The rules are silent about this. Given that the above rule gives two days for withdrawal of authorisation, two days seems an appropriate timeframe in which to revoke consents of an ineligible customer. However, the Data Standards do not give timings, or even comment, on revocations arising from changes in eligibility.
The intent of the regime as a whole is to move to real-time, or near-real-time, data sharing to give the best value services to consumers. This means that future rule changes or standards changes are more likely to require real-time notification than batch notification. It would be wise for data holders and data recipients to make architectural and design decisions to accommodate this direction in case of future changes to the regime.
- CDR Rules, division 4.4, section 4.25 Withdrawal of authorisation to disclose CDR data and notification, (2)