How should the profile scope be represented in Consent and Authorisation screens? The profile scope isn't addressed in any of the CX Standards or Guidelines. Should it be dependent on the
For example, if bank:accounts.basic:read are requested, the ADR has access to Personally Identifiable Information (PII) for the user. If the profile scope is not displayed, the user may be unaware that PII is available to the ADR.
It is true that the consumer may be misled regarding PII if the profile scope is not displayed. The DSB is aware of a gap in CX and technical guidance with respect to the profile scope. The DSB will consult on this in 2021.
The current consequence is that the profile scope can only be accepted if it is in association with one of the CDR customer read scopes. That is, the profile scope should be included only where the consumer also consents to the basic customer data cluster (common:customer.basic:read) or the detail customer data cluster.
This is so ADRs and DHs do not unintentionally introduce situations where consumers do not realise they are sharing personal information. The Data Standards Body will consult on this gap and look to remediate in Maintenance Iteration 6.
Update 11/02/2021 - we have removed the word 'essential' from the following paragraph as it was misleading
Note also that the ADR has a responsibility to request the claims they wish to receive via UserInfo, such as given_name; otherwise they must not be returned.
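The two rules in the answer above (profile is only accepted alongside a CDR customer read scope, and UserInfo returns only the claims the ADR explicitly asked for) can be enforced mechanically at the data holder's authorisation endpoint and UserInfo endpoint. The following is an added illustration, not code from the DSB or any data holder. It assumes the standard OIDC claims-request shape (`{"userinfo": {"given_name": null}}`) for how an ADR asks for claims, uses the OIDC Core list of claims covered by the profile scope, and takes the detail customer scope identifier `common:customer.detail:read` from the CDR standards since the page names only the basic one; the customer record is constructed sample data.

```python
"""Added example (not DSB or data holder code): data-holder-side checks for
the CDR profile scope and for UserInfo claim filtering."""
from typing import Any, Mapping

# Claims each OIDC scope is allowed to expose (OIDC Core 1.0, section 5.4).
OPENID_CLAIMS = frozenset({"sub"})
PROFILE_CLAIMS = frozenset({
    "name", "family_name", "given_name", "middle_name", "nickname",
    "preferred_username", "profile", "picture", "website", "gender",
    "birthdate", "zoneinfo", "locale", "updated_at",
})
SCOPE_CLAIMS = {"openid": OPENID_CLAIMS, "profile": PROFILE_CLAIMS}

# CDR customer data cluster scopes that must accompany 'profile'.
# The basic scope is the one the DSB answer names; the detail scope
# identifier is assumed from the CDR standards.
CUSTOMER_READ_SCOPES = frozenset({
    "common:customer.basic:read",
    "common:customer.detail:read",
})


class InvalidScopeError(ValueError):
    """Raised when an authorisation request's scope set must be rejected."""


def validate_scopes(scope_param: str) -> frozenset[str]:
    """Parse the space-delimited 'scope' parameter and apply the profile rule.

    'profile' is rejected unless at least one CDR customer read scope is
    present, so the consumer cannot end up sharing name details without a
    customer data cluster appearing on the consent screen.
    """
    scopes = frozenset(scope_param.split())
    if "openid" not in scopes:
        raise InvalidScopeError("openid scope is required for an OIDC request")
    if "profile" in scopes and scopes.isdisjoint(CUSTOMER_READ_SCOPES):
        raise InvalidScopeError(
            "profile may only be granted alongside a CDR customer read scope")
    return scopes


def scopes_acceptable(scope_param: str) -> bool:
    """Boolean wrapper around validate_scopes for policy checks."""
    try:
        validate_scopes(scope_param)
    except InvalidScopeError:
        return False
    return True


def userinfo_claims(scopes: frozenset[str],
                    claims_request: Mapping[str, Any],
                    record: Mapping[str, Any]) -> dict[str, Any]:
    """Build the UserInfo response body.

    A claim is returned only if (a) a granted scope covers it and (b) the ADR
    explicitly requested it under the 'userinfo' member of the OIDC 'claims'
    parameter. 'sub' is always returned. Anything the ADR did not ask for is
    withheld even when the profile scope would permit it.
    """
    permitted = set().union(*(SCOPE_CLAIMS.get(s, frozenset()) for s in scopes))
    requested = set(claims_request.get("userinfo", {}) or {}) | {"sub"}
    return {c: record[c] for c in sorted(permitted & requested) if c in record}


# Constructed sample customer record; not real consumer data.
SAMPLE_RECORD = {
    "sub": "ppid-7f3a",
    "given_name": "Jo",
    "family_name": "Citizen",
    "email": "jo@example.invalid",  # never covered by openid/profile
}

if __name__ == "__main__":
    granted = validate_scopes("openid profile common:customer.basic:read")
    print(userinfo_claims(granted, {"userinfo": {"given_name": None}}, SAMPLE_RECORD))
    print(scopes_acceptable("openid profile bank:accounts.basic:read"))
```

Note that `email` never appears in the response even though it is in the record, because no granted scope covers it; and `family_name` is withheld unless the ADR lists it in the claims request, which is the point of the final paragraph above.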