Status of consents when an ADR Software Product is "Removed"

[CDR-API-Stream]

Request For Clarification

A question was raised in the Data Holder Working Group call on 11/06/2020. This question and the answer have been posted for the benefit of the community.

We are seeking clarification from both CX and technical standards streams on the expected behaviour for "Consent Expire", as per the Data Holder Responsibilities table, when a Software Product is removed. What is the expected behavior in such a case? Are Data Holders expected to cancel the consent? Is it expected to go to sharing history on the dashboard, per standard consent withdrawal process, or is it sufficient to cease disclosure of data and cease enabling authorization? Are issued tokens to be no longer accepted?

Answer

The responsibilities table expressly states that when an ADR Software Product is marked as “Removed”,

• the consents held by the Data Holder must expire and
• clean up of the ADR Software Product must occur (in other words the client id is de-activated and cannot be reactivated).

There is no time requirement imposed for consent expiry and registration clean up, however, it is expected that it is as soon as is practical for the Data Holder (for example, this may be real-time, a nightly batch process, or a process run every time the CDR Register cache is refreshed).

Affect on data sharing and consent establishment
That said, data sharing must cease immediately upon state change of the ADR Software Product to a “Removed” status. Equally, tokens issued for any consent where the Software Product is “Removed” must not be honoured and there should no longer be any successful data sharing or consent establishment requests.

What happens to other Software Products published by an ADR
Note also, that a given Software Product’s status may be set to “Removed” but this does not imply that all of the ADR’s Software Products have been removed. Any active consents for the ADR's other “Active” Software Products must still be considered active. A Data Holder must also observe the requirements for “Inactive” Software Products accordingly.

CDR Register issuance of softwareProductIds
The CDR Register will never re-issue a "Removed" softwareProductId. In other words, the "Removed" status is final. If, an ADR’s software product were to be re-instated, it would be done under a new softwareProductId (it is a new software product in the ecosystem). Likewise, the client_id a Data Holder issues under dynamic client registration should never be re-issued or re-enabled.

CX considerations
The CX Guidelines provide examples for expired/withdrawn consents (see p.114 for a DH example). This outlines the expected behaviour where a consent is no longer current, and would apply similarly where a software product is removed.

[CDR-API-Stream]

This issue has been answered and it is being closed accordingly.