User account deletion in the central digital architecture (CDA)
Introduction
The solution described in this guidance is expected to go live in early July 2026.
This document provides an overview of the central digital architecture (CDA) user account deletion process and actions for pension providers, schemes and their directly connected organisations (if connected via a third party). For the purposes of this guidance, these parties are collectively referred to as “pension providers and schemes”.
It explains why account deletion is required within the CDA and how pension providers and schemes may be informed of, and impacted by, changes to CDA-held records that relate to returning users.
This guidance helps reduce the risk of inconsistent system states and degraded user experiences where users re-engage with the service following account deletion.
This guidance does not cover:
- internal data management policies
- technical implementation details within the CDA or within pension providers’ environments
Each pension provider or scheme remains responsible for ensuring that its own internal processes and decision-making comply with applicable data protection and regulatory obligations.
Background
When a user deletes their CDA account, all associated pension identifiers (PeIs) and associated tokens and identifiers are removed from the CDA. If the user returns and submits a new find request, the CDA treats this as a new user. However, pension providers and schemes may still retain records for the user from earlier find requests.
Without notification that a CDA account and its associated PeIs have been deleted, providers may associate new find requests with previously held records that no longer exist in the CDA. This could lead to inconsistent states between systems and may result in incomplete or missing pension information being displayed to users on dashboards.
Action to take
Pension providers and schemes are expected to act on notifications that a CDA account and its associated PeIs have been deleted.
When notified via the support portal (Jira), providers and schemes should ensure that any records or state held from previous find requests for the affected user are no longer treated as active or valid.
This ensures that a subsequent find request submitted by the user is processed as a new user and is not associated with previously held matching data that no longer exists within the CDA. It supports consistent data states across the ecosystem and helps ensure that returning users are presented with complete and accurate pension information on dashboards.
Account deletion process
The CDA account deletion process operates as follows:
- A user accesses the account deletion feature through the finder journey, authenticates their identity via the identity service (GOV.UK One Login), and submits a request to delete their CDA account.
- The CDA deletes the user’s account along with all the user’s associated data, including the user’s PeIs.
- The CDA raises a support ticket to notify the primary business contacts and primary technical contacts from the relevant pension scheme or provider's directly connected organisation. This ticket notifies them that a user has deleted their account, and that an associated PeI no longer exists within the CDA. Each ticket includes the relevant PeI, find_correlation_id, and resource_id (definitions can be found in the technical standards).
- The pension provider or scheme reviews the information provided in the ticket and undertakes appropriate action to ensure that subsequent find requests for the affected user are treated as new journeys.
Data will be retained in the support portal (Jira) for 60 days to allow sufficient time for pension providers, schemes and ISPs to review the ticket and obtain the information required to take appropriate action.
Risks of non-action
If a pension provider or scheme does not take action in response to a CDA account deletion notification:
- inconsistent data states may persist between the CDA and ecosystem participants’ systems
- dashboard users may experience a degraded user experience, including incomplete pension information being displayed on dashboards
- trust in the service may be undermined
- the pension provider or scheme may persist personal data (the pseudonymised identifiers that enable individuals to use pensions dashboards) indefinitely without purpose (since the data subject has deleted the CDA account to which the data relates), in contravention of the storage limitation principle under UK GDPR
For these reasons, pension providers and schemes are asked to update their records to reflect the deletion of the PeI following a user account deletion in a timely manner.
Interim solution
The CDA account deletion process described in this guidance is an interim solution.
A longer-term solution that supports account deletion at scale will be explored.