Consent
Manages member consent records, consent audit trails, and right-to-erasure (deletion) requests.
Overview
The Consent service provides a centralised store for member consent. It records what each member has consented to (data processing, marketing communications, AI-assisted triage, third-party sharing), when, and via which channel. All changes to a consent record produce an immutable audit entry so regulators and members can see the full history of consent decisions.
The service also handles right-to-erasure requests under data protection regulations. A deletion request captures the member's intent; a background job (or manual process) then orchestrates the actual data removal across services and marks the request as completed.
Consent events are published to Kafka so that Notifications can send confirmation messages and other services can react to revocations.
Responsibilities
- Store and retrieve member consent records per party
- Record every consent change as an immutable audit entry
- Accept and track right-to-erasure deletion requests
- Publish consent events for Notifications and downstream consumers
- Enforce access control so members can only read/write their own consent
Database
Schema: consent
| Table | Purpose |
|---|---|
consent_records | Current consent state per party and consent type |
consent_audit | Immutable log of all consent changes with timestamp and channel |
deletion_requests | Right-to-erasure requests with status tracking |
API Routes
| Method | Path | Auth | Description |
|---|---|---|---|
GET | /consent/{partyLocator} | JWT | Get current consent state for a party |
PUT | /consent/{partyLocator} | JWT | Update consent preferences for a party |
GET | /consent/{partyLocator}/audit | JWT | Get full consent audit trail for a party |
POST | /consent/{partyLocator}/deletion | JWT | Submit a right-to-erasure request |
GET | /consent/{partyLocator}/deletion/{id} | JWT | Get status of a deletion request |
Events
Publishes
| Topic | When |
|---|---|
consent.granted | A member grants one or more consent types |
consent.revoked | A member revokes one or more consent types |
Consumes
The Consent service does not consume Kafka events.
Dependencies
The Consent service has no runtime dependencies on other services.
Key Design Decisions
Audit log is immutable: Consent audit records are insert-only. The service never updates or deletes audit entries, ensuring a tamper-evident record for regulatory compliance.
Deletion requests are tracked separately from consent records: A deletion request does not immediately remove data. It creates a tracked work item that allows the orchestration of deletion across multiple services (Claims, Eligibility, Notifications, etc.) before the request is marked complete. This is important for systems that require coordinated multi-service erasure.