Data Subject Access Requests and Proof of ID

March 2024

Why a blanket approach doesn't always work

Anecdotally, I hear stories of people’s frustration at being asked for certain documents as proof of ID. For example, insisting on a copy of a passport or driving licence. When reviewing internal data protection procedures, I come across DSAR request forms which veer towards asking for excessive documentation as proof of identity.

When responding to a Right of Access request (commonly known as a Data Subject Access Request), we might need to ask a person to prove their identity. But what constitutes a reasonable request for further information for verifying someone’s identity? And do you need to ask for additional documentation in all circumstances?

Organisations should take a balanced approach to this, considering factors such as;

  • context of your relationship with the person making the request
  • nature of personal data you will be providing – is it, for example, highly sensitive health information?
  • risks to the organisation and to individuals of personal data being given to the wrong person
  • making sure identity verification is not too onerous for the individual
  • Securely protecting any additional ID documents requested and not retaining it longer than necessary

Many organisations will already be taking a measured approach to this, others may unsure, some may be getting push-back – “I shouldn’t have to provide you with a copy of my passport!”

We’ve gathered some examples of how this is being approached.

But first…

What does GDPR say about identity verification?

Recital 64 of GDPR states;

“The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers.”

What does the ICO say about identify verification?

The ICO’s detailed Right of Access Guidance states;

“You can ask for enough information to judge whether the requester (or the person the request is made on behalf of) is the person that the data is about. The key point is that you must be reasonable and proportionate about what you ask for. You should not request more information if the requester’s identity is obvious to you. This is particularly the case when you have an ongoing relationship with the individual.”

It continues to say:

“You should also not request formal identification documents unless necessary. First you should think about other reasonable and proportionate ways you can verify an individual’s identity. You may already have verification measures in place which you can use, for example a username and password.

However, you should not assume that on every occasion the requester is who they say they are. In some cases, it is reasonable to ask the requester to verify their identity before sending them information.

How you receive the SAR might affect your decision about whether you need to confirm the requester’s identity.”

Neither GDPR, nor the ICO provide specific details on what would be considered reasonable and proportionate. This is left for organisations to decide.

What are the risks?

Clearly there would be a data breach if personal data is given to the wrong person. The more sensitive the data the bigger the impact and fall-out. There’s also some evidence DSARs are being used as phishing attempts, bogus requests aimed at harvesting data.

However, if you make it mandatory to provide specific proof of ID you run the risk of angering people – being accused of putting barriers in the way of them exercising their right.

What approach to take?

Some organisations take a case-by-case approach or adopt a fairly standardised method dependent on the context (e.g. an employee, a customer or request made by a third party).

1. Employee or ex-employee requests

If you receive a request via your business email system from a member of staff, you already know who they are and proof of id is not needed. However, you may feel it’s sometimes necessary to ask for some proof of ID with requests from ex-employees. This could be asking for their staff ID number and National Insurance number.

2. No additional information requested

Based on the context of the relationship with the requester and the nature of personal data to be provided, some organisations don’t feel it is necessary or proportionate to request specific documents as proof of ID. Here are some examples we’ve gathered;

  • Where someone has an online account and submits a DSAR from an email address which is linked to their account, asking for it to be posted to an address currently held for them.
  • A request is received from a business email address, which matches the record held and the response will be given to the same email address.
  • Where the organisation is able to conduct sufficient internal checks to validate the request, based on information they already know about the individual.

3. Asking additional questions, rather than demanding documents

Some organisations take the approach of asking the individual to answer a question (or two) to verify their identity. Essentially rather than ask for additional documents they use the information they already know about the individual to do this. For example, can they confirm the nickname/username they used when setting up an account?

4. Additional information

Where there are doubts about the identity of the individual, some organisations will request photo identification (e.g. a passport or driving licence) along with proof of address (such as a utility bill). You just need to be prepared for those who may object.

Also, you don’t want to retain these documents any longer than necessary. Best to log receipt, and then immediately and securely destroy copies of passports and driving licences.

As an aside, I once received a notification about a data breach from a company saying my data had been affected. I couldn’t for the life of me remember when I had last had any dealings with them, so thought I should try and find out what personal data they actually had, and what had been lost. But when I went to put in a request they insisted on a copy of my passport. Considering they had just had a breach, the last thing I felt like doing was handing it over!

5. Requests made by third parties

When someone makes a request on behalf of someone else, be this a law firm or a relative, clearly a robust approach needs to be taken. You absolutely want to check this is okay, for example asking for evidence of Power of Attorney or a letter of authority. This approach is supported by the ICO’s guidance which states:

“An individual may prefer a third party (e.g. a relative, friend or solicitor) to make a SAR on their behalf. The GDPR does not prevent this, however you need to be satisfied that the third party making the request is entitled to act on behalf of the individual. It is the third party’s responsibility to provide evidence of this. This might be a written authority to make the request or a more general power of attorney.”

The ICO’s guidance also makes specific reference to requests made by via a third party portal, and says you need to consider if you are able to verify identity and are satisfied the third party portal is acting with the authority and on behalf of the individual. It specifically states:

“You are not obliged to take proactive steps to discover that a SAR has been made. Therefore, if you cannot view a SAR without paying a fee or signing up to a service, you have not ‘received’ the SAR and are not obliged to respond. You should note that it is the portal’s responsibility to provide evidence that it has appropriate authority to act on the individual’s behalf. Mere reference to the terms and conditions of its service are unlikely to be sufficient for this purpose (see ‘Can a request be made on behalf of someone?’ above). The portal should provide this evidence when it makes the request (ie in the same way as other third parties). When responding to a SAR, you are also not obliged to pay a fee or sign up to any third party service. If you are in this position you should instead provide the information directly to the individual.”

In summary, it may not always be necessary to ask for additional documentation as proof of identity, where you’ve no doubt the individual is who they say they are, or can verify this in another way.

As we know, many individuals submitting SARs often do so because they’re already unhappy with your organisation. Don’t fuel the flames by putting unreasonable hurdles in their way, but do request proof of ID where you believe it’s necessary to protect people.

If you’re in any doubt, and the individual can’t or won’t prove who they are, you may take the decision not to fulfil a request. Just make sure you have document your decision and can defend it.

It’s a question of balance and proportionality – making sure you have a robust process in place for handling SARs and retaining evidence to support your decisions is vital.

As a data protection consultant since 2015, Philippa advises a broad range of clients and delivers data protection training. She regularly writes GDPR guidance to support privacy teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.