Archived 2023.09.04. Content moved to CDS Guide, Guidance on revocation or withdrawal of consent
Question
If an ADR (Accredited Data Recipient) revokes a consent arrangement at the CDR arrangement revocation endpoint, and a 204 response is returned at this endpoint, is there any tolerance between this event and data disclosure stopping?
Answer
If consent is revoked, the access token is not guaranteed to be revoked. The expectation is that an active access token must not be honoured because the consent has been withdrawn.
Question
If an ADR revokes an access token at the token endpoint, and a 200 response is returned at this endpoint, is there any tolerance between this event and data disclosure stopping?
Answer
If the ADR revokes an access token and then attempts to use the invalidated access token to make a data request, the request must fail.
If, however, the ADR obtains a fresh access token by using their refresh token, that is a perfectly valid data request and should succeed.
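The two answers above, sketched from the data holder's side as an added example (not code from this article or from the Consumer Data Standards): the data-request check consults both the token's own state and the consent arrangement on every call. The `DataHolder` class, its method names and the in-memory stores are hypothetical, and refusing a refresh after consent is withdrawn is an assumption.

```python
import secrets
import time

class DataHolder:
    """Toy in-memory data holder; every name here is hypothetical."""

    def __init__(self, access_ttl=300):
        self.access_ttl = access_ttl
        self.active_arrangements = set()  # arrangement ids with live consent
        self.access_tokens = {}           # token -> {"arr", "exp", "revoked"}
        self.refresh_tokens = {}          # refresh token -> arrangement id

    def establish_consent(self, arrangement_id):
        self.active_arrangements.add(arrangement_id)
        refresh = secrets.token_urlsafe(16)
        self.refresh_tokens[refresh] = arrangement_id
        return refresh

    def issue_access_token(self, refresh_token, now=None):
        """Refresh grant: returns a new access token, or None if refused."""
        arr = self.refresh_tokens.get(refresh_token)
        # Assumption: a withdrawn consent also blocks further refreshes.
        if arr is None or arr not in self.active_arrangements:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)
        self.access_tokens[token] = {
            "arr": arr, "exp": now + self.access_ttl, "revoked": False}
        return token

    def revoke_arrangement(self, arrangement_id):
        """Models the 204 case; access tokens are deliberately left untouched."""
        self.active_arrangements.discard(arrangement_id)

    def revoke_access_token(self, token):
        """Models the 200 case: only this one token is invalidated."""
        if token in self.access_tokens:
            self.access_tokens[token]["revoked"] = True

    def authorize_data_request(self, token, now=None):
        """Resource-side decision, evaluated on every data request."""
        now = time.time() if now is None else now
        rec = self.access_tokens.get(token)
        if rec is None or rec["revoked"] or now >= rec["exp"]:
            return False
        # Consent is checked at request time, so an unexpired, unrevoked
        # token stops working as soon as the arrangement is withdrawn.
        return rec["arr"] in self.active_arrangements
```

Because `revoke_arrangement` never touches the token store, the only thing that stops disclosure for a still-active token is the arrangement lookup in `authorize_data_request`.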
Question
If there is a tolerance, how will a reasonable tolerance be determined?
Answer
The rules require consent withdrawals to be actioned as soon as is technically practical and in accordance with the data standards.