Question
Are there any provisions to allow a Data Holder (DH) to request Accredited Data Recipients (ADRs) to resubmit PAR requests for existing arrangements, to allow ID permanence IDs to be regenerated?
For example, suppose we have used a cypher technique to create our ID Permanence IDs, This cypher technique uses the cdr_arrangement_id
as a key when producing the ID permanence translation.
If we need to modify our cypher, we want to be able to request all ADRs submit PAR requests so that we can give them the new ID permanence IDs for their existing arrangements.
Without the ability to regenerate and redistrubute IDs, we would need to support multiple cyphers, to handle ID Permanence IDs held by ADRs using the old cypher.
Answer
Keying ID permanence on the cdr_arrangement_id
is not a compliant approach. The key statement in the standards is in the ID permanence section:
IDs MUST be immutable across sessions and consents but MUST NOT be transferable across data recipients. For example, data recipient A obtaining an account ID would get a different result from data recipient B obtaining the ID for the same account even if the same customer authorised the access. Under this constraint IDs cannot be usefully transferred between client organisations or data holders.
Note the bolded section of this statement. The standards require that, if the same account is shared under two different arrangements for the same subject, then the same ID must be provided.
Keying the ID cipher on the subject or a combination of subject and ADR client ID would be more appropriate. This would also obviate the need for a change to PAR as you describe in your question.
Comments
0 comments
Please sign in to leave a comment.