When a consent expires, are there any obligations on the Data Holder (DH) to notify the ADR or the consumer? Is the DH required to make changes to a consent record?
In the CDR rules, the terms 'expire' and 'expiry' are used broadly. Consents and authorisations 'expire' when they are withdrawn, for example, or when they reach the end of their specified duration.
The rules only specify that DHs notify ADRs when a withdrawal occurs. Other aspects of the rules require CDR participants to notify other CDR participants when expiry occurs (e.g. AP disclosures).
The rules do not specify an obligation to notify the ADR when the authorisation expires by reaching the end of the sharing period.
In some cases DHs are required to notify consumers when an authorisation expires:
- When an authorisation sharing data from a joint account expires. See CDR Rules, main section, part 4A Joint accounts, rule 4A.14.
- When an authorisation given by a secondary user expires, the account holder must be notified. See CDR Rules, main section, part 4, division 4.4, rule 4.28(2).
As per privacy safeguard 10, the DH should notify the consumer via the dashboard, to update when the CDR data was last disclosed.
The DH displays active consents on the consumer dashboard, which also effectively indicates when consents are no longer active.
The CX Guidelines recommend that DHs provide a 'CDR Receipt' to the consumer in writing, other than through the dashboard, when authorisations are:
- amended. Note that technically the authorisation is revoked, and a new one established. To the consumer it appears as if the consent is amended.