Archived 2023.09.04. Content moved to CDS Guide, Guidance on revocation or withdrawal of consent
If an ADR (Accredited Data Recipient) revokes a consent arrangement at the CDR arrangement revocation endpoint, and a 204 response is returned at this endpoint, is there any tolerance between this event and data disclosure stopping?
If consent is revoked, the access token is not guaranteed to be revoked. The expectation is that an active access token must not be honoured because the consent has been withdrawn.
If an ADR revokes an access token at the token endpoint, and a 200 response is returned at this endpoint, is there any tolerance between this event and data disclosure stopping?
If the ADR revokes an access token and then attempts to use the invalidated access token to make a data request, the request must fail.
If, however, the ADR obtains a fresh access token by using their refresh token, that is a perfectly valid data request and should succeed.
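The two answers above, sketched from the data holder's side as an added example (not code from the Consumer Data Standards or any data holder implementation). The class, method names and in-memory stores are hypothetical; the 204 and 200 return values mirror the responses named in the questions.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class DataHolder:
    # In-memory stand-ins for the data holder's consent and token stores (assumed).
    active_arrangements: set = field(default_factory=set)
    access_tokens: dict = field(default_factory=dict)   # access token -> arrangement id
    refresh_tokens: dict = field(default_factory=dict)  # refresh token -> arrangement id

    def establish_consent(self, arrangement_id):
        self.active_arrangements.add(arrangement_id)
        refresh_token = secrets.token_urlsafe(16)
        self.refresh_tokens[refresh_token] = arrangement_id
        return refresh_token

    def refresh_access_token(self, refresh_token):
        arrangement_id = self.refresh_tokens.get(refresh_token)
        if arrangement_id not in self.active_arrangements:
            return None  # unknown refresh token, or consent withdrawn
        access_token = secrets.token_urlsafe(16)
        self.access_tokens[access_token] = arrangement_id
        return access_token

    def revoke_access_token(self, access_token):
        # Only this token is invalidated; the consent arrangement stays active.
        self.access_tokens.pop(access_token, None)
        return 200

    def revoke_arrangement(self, arrangement_id):
        # Consent withdrawn. Issued access tokens are deliberately left in the
        # store to model "the access token is not guaranteed to be revoked".
        self.active_arrangements.discard(arrangement_id)
        return 204

    def authorise_data_request(self, access_token):
        arrangement_id = self.access_tokens.get(access_token)
        if arrangement_id is None:
            return False  # unknown or revoked access token
        # Consent is re-checked on every request, so a still-live token stops
        # working as soon as the arrangement is revoked.
        return arrangement_id in self.active_arrangements
```

Because the consent check runs on each data request, there is no window in which a token that outlives its arrangement is still honoured.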
If there is a tolerance, how will a reasonable tolerance be determined?
The rules require consent withdrawals to be actioned as soon as is technically practical and in accordance with the data standards.