The permissions, requests, and receipts for access can be handled like other transactions in the system - each is a transaction stored in the participants' Personal Data Stores, and subject to agreement regarding discarding.