Question
If all accounts are removed from a consent, would this close the consent or would this consent remain active? If consents have no accounts attached, is only customer data being shared?
Answer
A consent can remain active even if all of the accounts have been disassociated. Removing all of the associated accounts does not revoke the authorisation. See the article Consent with no attached accounts.
Question
What amendments can be made to an active consent?
Answer
Accredited Data Recipients
ADRs need to ask the consumer to re-authenticate or authorise with their DH to do the following:
- Amend the collection duration
- Amend the datasets being collected
- Amend the accounts associated with the consent/authorisation (the consumer could amend these in the authorisation flow)
This effectively replaces the existing consent with a new one.
ADRs do not need the consumer to re-authenticate or authorise with the DH to do the following, as these can all be done on the ADR-side:
- Amend a use consent
- Amend other consent types, such as a de-identification consent, or a direct marketing consent
- Elect to delete data or opt to have redundant data de-identified
Data Holders
DHs cannot do the following, as authorisations are immutable, unless it is in response to an ADR's amendment request as per rule 4.22A:
- Amend the datasets being disclosed
- Amend the disclosure duration
DHs must allow joint account sharing to be switched off, either by disabling joint account sharing entirely or by stopping Joint Account data being shared for a specific authorisation. That is, a DH can remove a disclosure option, set a disclosure option to off, or remove an approval.
DHs can allow other types of accounts to be added or removed. This is not required, and the DSB has not recommended this functionality as ADRs have suggested it will impact existing services.
DHs cannot amend use consents because this information exists only on the ADR side. DHs deal only with authorisations to disclose, which relates to the ADRs consent to collect. Other consent types are not associated with the authorisation to disclose. They can continue to exist even where an authorisation to disclose has expired.
See:
- CDR Rules, Main section, Part 4, Divsion 4.3 Giving and amending consents
- CDR Rules, Main section, Part 4, Division 4.4, 4.22A Inviting CDR consumer to amend a current authorisation
Comments
0 comments
Please sign in to leave a comment.