When the Delete Registration API is invoked by the Accredited Data Recipient (ADR), is a Data Holder (DH) required to delete all registration data for the client?
Yes. When the Delete Registration API is invoked, all client details are to be deleted by the DH. As well as being a requirement, this is also a good security hygiene practice.
The DH is required to
expire all consents at the time the ADR status is set to
surrendered and the status of the Software Product changes to
inactive. Therefore at the time delete is requested by the ADR, through the Delete Registration API, there should be no active consents.
If an ADR deletes a Software Product from the CDR ecosystem entirely, then the DH must delete all associated consents.
Note that when an ADR status is
surrendered and the status of the Software Product is
inactive, then all consents must be preserved.
DHs can also undertake these security hygiene tasks when the software status changes to
removed, regardless of whether an ADR calls the Delete Registration API.
In the event of deletion triggered by calling the Delete Registration API, should all the tokens be deleted as well?
Yes. When the Delete Registration API is invoked, then all access and refresh tokens must be deleted.
Yes. An ADR must be able to initiate a re-registration of a previous Software Product with the DH. However, it may not be possible to use existing SSAs, as they have a lifetime of 10 minutes.