In Consumer Data Standard (CDS), Client Registration Management, the authorisation server support for a Delete API is marked as optional. Does this mean that a Data Holder (DH) can choose to not implement the Delete API?
The CDS does not specify the exact behaviour of the DH when it receives a delete request. However, the DH should ensure that the other requirements in Client Registration are maintained as per the CDS.
What is the expected usage scenario for the Delete API? Why or when would an Accredited Data Recipient (ADR) want to delete their registration, given there is an Update API to modify registration details?
Currently there is no expected usage scenario for the Delete API. The ADR might choose to clean up their registrations, either at the beginning of a Software Product's lifecycle, where erroneous registrations may have occurred, or at the end of the lifecycle, when the Software Product is decommissioned.
However, currently, the design does not require all DHs to support this functionality. Future design iterations may look at changing this position if there is community demand for standardising this functionality.
What is the expected DH behaviour in response to a delete request if there are active arrangements associated with the registered client? Should the DH reject the delete request, or invalidate consents and clean up registrations?
When an ADR chooses to delete registration, the DH is required to expire all consents at the time the ADR status is set to surrendered. The status of the Software Product changes to inactive. When the delete registration is requested there should be no
If the ADR is deleting a Software Product from the CDR ecosystem, independent of the above-mentioned changes in status either at the Legal Entity or Software Product Status level, then the DH must delete all associated consents.
When an ADR status is surrendered and the status of the Software Product is inactive, all consents must be
The DH can also undertake these security hygiene tasks when the software status changes to remove, regardless of whether an ADR calls the delete function.
The duplicate check for registration requests is on the Software Product ID. If a registration associated with the software product ID has been deleted, should a subsequent registration request succeed, using the same software product ID?
Regardless of any previous registrations, when the CDR Register issues a Software Statement Assertion for an active software product, that product must be able to register with all relevant DHs in the ecosystem.
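The sketch below is an added example, not code from the CDS or from any Data Holder. It models the behaviour these answers describe: the duplicate check is keyed on the Software Product ID, a delete expires the associated consents, and a later registration with the same ID succeeds. The class names, the in-memory store, the "expired" consent status and the sample IDs are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, field


class DuplicateRegistration(Exception):
    """Raised when a live registration already exists for the software_id."""


@dataclass
class Consent:
    consent_id: str
    status: str = "active"


@dataclass
class Registration:
    client_id: str
    software_id: str
    consents: list = field(default_factory=list)


class RegistrationStore:
    """Hypothetical in-memory DH client registration store (illustration only)."""

    def __init__(self):
        self._by_client = {}      # client_id -> Registration
        self._live_software = {}  # software_id -> client_id, live registrations only

    def register(self, software_id):
        # Duplicate check: keyed on software_id, against live registrations only.
        if software_id in self._live_software:
            raise DuplicateRegistration(software_id)
        reg = Registration(client_id=secrets.token_hex(8), software_id=software_id)
        self._by_client[reg.client_id] = reg
        self._live_software[software_id] = reg.client_id
        return reg

    def add_consent(self, client_id, consent_id):
        consent = Consent(consent_id)
        self._by_client[client_id].consents.append(consent)
        return consent

    def delete(self, client_id):
        # Expire every associated consent, then drop the registration and
        # release the software_id so a later registration is not blocked.
        reg = self._by_client.pop(client_id)
        for consent in reg.consents:
            consent.status = "expired"
        del self._live_software[reg.software_id]
        return reg
```

The implementation pitfall this guards against is a duplicate check that also consults deleted records, which would reject a product that holds a valid Software Statement Assertion.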