The CDR Register standards specify that where the ACCC (as Data Recipient Accreditor) has made a decision to revoke the accreditation of an Accredited Data Recipient, and has notified the decision to the Registrar, the Registrar:
- revokes Accredited Data Recipient's certificates
- updates the CDR Register to change the Accredited Data Recipient's status to 'revoked' and status of all associated Software Products to 'inactive'
- Once the appeals timeframe has been exceeded, updates Software Products status to 'removed' .
When the ADR Accreditation is Revoked, and the associated Software Product is "Inactive", what is the Data Holder's responsibility? This scenario appears to be omitted in the "Data Holder Responsibilities" table. What is the implication of this scenario for the Accredited Data Recipient?
The CDR Register design includes cascade rules for when a software product's status is dictated by the status of the parent legal entity.
The cascade rules are incomplete and do not map to the actions of the Registrar. This is a gap in the documentation.
The DSB has raised Standards Maintenance Issue 431 to address this.