Introduction
The following notes are drawn from Subject Matter Expert responses to participant questions.
Revoking consent and stopping of data disclosure
If consent is revoked, the access token is not guaranteed to be revoked. The expectation is that an active access token must not be honoured because the consent has been withdrawn.
If the ADR revokes an access token and then attempts to use the invalidated access token to make a data request, that request must fail.
If, however, the ADR obtains a fresh access token by using their refresh token, that is a perfectly valid data request and should succeed.
Notifying ADRs of withdrawn authorisation
When revocation occurs on a DH dashboard, the DH communicates consent withdrawal to an ADR by calling the CDR Arrangement Revocation End Point hosted by the ADR. This is documented in the standards in CDS Security Profile, Security Endpoints.
Data Recipient hosted arrangement revocation endpoint
In the Standards, the aud (audience) claim the data holder populates is specified to be the "base URI" of the endpoint being accessed. Depending on the endpoint being called, the base URI may be different.
For the CDR Arrangement Revocation Endpoint, the base URI is specified as the RecipientBaseUri that the ADR provides to the Data Holder in their Software Statement Assertion (SSA) during dynamic client registration. It is not the full path of the endpoint. ADRs validating the aud claim must verify that the value is the correct Recipient Base URI.
Where an explicit base URI is not provided in the SSA, then the URI of the endpoint itself should be used. A good example of this is the legacy ADR token revocation endpoint which is specified as the RevocationUri in the SSA. The base URI is also the same as the fully qualified end point.
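The aud rule above, written out as an added example (not code from the Standards or any participant): it derives the expected audience for each ADR-hosted endpoint from the SSA values, falling back to the endpoint's own URI when no base URI was supplied, and checks the claim by exact match. The dataclass field names, the endpoint labels and the sample URIs are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Union

@dataclass
class SsaEndpoints:
    """Endpoint values an ADR supplied in its SSA (field names assumed for this example)."""
    recipient_base_uri: Optional[str]     # RecipientBaseUri; may be absent from the SSA
    revocation_uri: str                   # legacy RevocationUri, fully qualified
    arrangement_revocation_uri: str       # full path of the CDR Arrangement Revocation endpoint

def expected_audience(endpoint: str, ssa: SsaEndpoints) -> str:
    """Return the aud value the ADR must expect from a Data Holder at a given endpoint.
    arrangement_revocation: the base URI (RecipientBaseUri), never the full path;
    token_revocation: the fully qualified RevocationUri, which is also its base URI.
    Without an explicit base URI in the SSA, the endpoint's own URI is used."""
    if endpoint == "arrangement_revocation":
        return ssa.recipient_base_uri or ssa.arrangement_revocation_uri
    if endpoint == "token_revocation":
        return ssa.revocation_uri
    raise ValueError(f"unknown endpoint: {endpoint}")

def audience_matches(aud_claim: Union[str, List[str], None], expected: str) -> bool:
    """Exact match against the aud claim, which RFC 7519 allows to be a string or a list.
    No trailing-slash or case normalisation is applied, so a full endpoint path is
    never accepted in place of the configured base URI."""
    if aud_claim is None:
        return False
    values = [aud_claim] if isinstance(aud_claim, str) else list(aud_claim)
    return all(isinstance(v, str) for v in values) and expected in values

def validate_aud(claims: dict, endpoint: str, ssa: SsaEndpoints) -> bool:
    """Validate the aud claim of a Data Holder's request against the expected base URI."""
    return audience_matches(claims.get("aud"), expected_audience(endpoint, ssa))

if __name__ == "__main__":
    # Constructed SSA values for a hypothetical ADR.
    ssa = SsaEndpoints(
        recipient_base_uri="https://adr.example.com/cdr",
        revocation_uri="https://adr.example.com/cdr/revoke",
        arrangement_revocation_uri="https://adr.example.com/cdr/arrangements/revoke",
    )
    good = {"aud": "https://adr.example.com/cdr"}                       # base URI: accepted
    wrong = {"aud": "https://adr.example.com/cdr/arrangements/revoke"}  # full path: rejected
    print(validate_aud(good, "arrangement_revocation", ssa))   # True
    print(validate_aud(wrong, "arrangement_revocation", ssa))  # False
```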
CDR Arrangement Management endpoint supersedes Revocation endpoint
The Revocation endpoint is not required for participants who have delivered the CDR Arrangement Management endpoint. The Revocation endpoint is considered deprecated once the CDR Arrangement Endpoint scope for revoking Consent is published for consumer consumption.
Amending consents
Technically consents cannot be amended. Consents can be revoked and a new consent can be created, linked to a previous revoked consent via a common cdr_arrangement_id.
ADR status and consent invalidation
When an ADR has 'Suspended' status, the Rules require data sharing to cease BUT all consents for the ADR to remain valid during the period of suspension. Participants must continue to facilitate consent withdrawal at the consumer's request during the period of suspension. If and when the suspension is lifted, data sharing can resume using consents for consumers that have not expired during the period of suspension. The ADR software product status is 'Inactive' in this case.
Conversely, where an ADR status is 'Revoked' or 'Surrendered', data sharing must cease and all consents must expire, or be 'Invalidated'. Notes following the table in the Data Holder Responsibilities section indicate invalidation may be addressed in batch operations overnight. The process of 'Invalidating consents' also applies where the ADR status is 'Suspended' and the software product status is 'Removed'.
In the context of the Rules, 'Consent expiry' ordinarily occurs on the date nominated by the consumer when the consent was established. Invalidation occurs when all consents for an ADR are 'expired' at the same time due to an ADR's status changing from Active to either Revoked or Surrendered.