Part 3
Protections
Authorisation
39Customer or secondary user must be able to control authorisation
If a data holder has confirmed an authorisation under section 38 given by a customer (or by a secondary user on their behalf), the data holder—
- must have systems in place to enable the customer or secondary user (as the case may be) to view or end the authorisation; and
- must ensure that those systems meet the requirements (if any) provided for by the regulations and the standards.
If a customer (or a secondary user on their behalf) has given an accredited requestor an authorisation, the accredited requestor—
- must have systems in place to enable the customer or secondary user (as the case may be) to view or end the authorisation; and
- must ensure that those systems meet the requirements (if any) provided for by the regulations and the standards.
The data holder or accredited requestor must ensure that the systems are able to give immediate effect to a withdrawal of an authorisation.