Subject Access Requests – What is ‘proportionate’ to ask for?
When responding to a Right of Access request (commonly known as a Data Subject Access Request), we might be required to ask a person to prove their identity.
With that in mind, what constitutes a reasonable request for further information for verifying identity? And do you need to ask for additional information in all circumstances? We take a look at how organisations are tackling this.
Organisations need to take a balanced approach to this, considering factors such as;
- The context of your relationship with the requester
- The nature of personal data you will be providing
- The risks to the organisation and to individuals of personal data being given to the wrong person
- Ensuring identity verification is not too onerous for the individual
- Securely protecting any additional information requested and not retaining it longer than necessary
Many organisations will have already taken a measured decision on this, others may still be considering what approach to take and some may be getting push-back on what they’re currently asking for – “I shouldn’t have to provide you with a copy of my passport!”
Being over-zealous can result in objections and could, in the worst-case scenario, result in penalties for putting unnecessary hurdles in the way of individuals exercising their rights. But not being careful enough carries its own risks too!
To provide an overview of how businesses are balancing these demands, I spoke with ten different organisations about what checks they’ve put in place.
What are the first steps to take?
- Is it a SAR? If someone is asking where you got their details from or why you are sending them marketing, this is not a SAR and can be handled in a routine manner. A SAR is where an individual is specifically requesting the personal data you hold about them.
- Acknowledge receipt, and
- Ask for identification, if unsure of their identity
- Ask for more information to clarify the request, if necessary
- Log and report internally
- Diarise the deadline for responding
So, how can you approach the issue of ensuring someone is who they say they are?
What does GDPR & the ICO say about identity verification?
Recital 64 of GDPR states;
“The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers.”
[Update] In the ICO’s detailed Right of Access Guidance (published October 2020) it states;
“You can ask for enough information to judge whether the requester (or the person the request is made on behalf of) is the person that the data is about. The key point is that you must be reasonable and proportionate about what you ask for. You should not request more information if the requester’s identity is obvious to you. This is particularly the case when you have an ongoing relationship with the individual.”
It continues to say:
“You should also not request formal identification documents unless necessary. First you should think about other reasonable and proportionate ways you can verify an individual’s identity. You may already have verification measures in place which you can use, for example a username and password.
However, you should not assume that on every occasion the requester is who they say they are. In some cases, it is reasonable to ask the requester to verify their identity before sending them information.
How you receive the SAR might affect your decision about whether you need to confirm the requester’s identity.”
Neither GDPR, nor the ICO provide specific details on what would be considered reasonable and proportionate. This is left for organisations to judge.
What are the risks?
On the one hand you might consider the potential fine and/or reputational damage of getting it wrong, but most importantly what risk is there to the individual if you provide their personal data in error to someone else? Are you, for example, putting them at risk of fraud?
If you’re providing bank account details or medical records, the risk of getting it wrong is clearly higher than providing contact details with marketing preferences. The context here is important, based on the nature of your relationship with the requestor and the type of personal data you will be providing.
There’s evidence SARs are being used as phishing attempts. There also seems to have been a proliferation of companies (many based overseas) which submit requests on ‘behalf’ of individuals. You need to be sure they really are acting for the individual in question, and not trying to harvest data unscrupulously.
However, if you make it mandatory to provide specific proof of ID you could run the risk of alienating people who feel this is unreasonable. Should a complaint be escalated you could be found to have made it too burdensome for people to exercise their right.
If you feel it is justified to ask for a copy of a photographic ID (such as a driving licence or passport) you also need to consider how long you retain it for, how it’s protected and how it’s securely destroyed when you no longer require it. This additional information could pose a further risk.
What approach to take?
Some organisations take a case-by-case approach or adopt a fairly standardised method dependent on the context (e.g. an employee, a customer or request made by a third party).
If you’ll be providing individuals with sensitive personal information that might pose a risk to that person should it fall into the wrong hands, you’ll be able to justify robust processes for ID verification. One that is hopefully easy to explain to the requester in the context.
The following shows how the organisations I spoke to are approaching this problem across diverse sectors such as publishing, information technology and not-for-profit. Some receive approximately one SAR a month; others receive around a hundred. All have developed processes for handling SARs and balanced what ID checks they believe reasonable.
Employee or ex-employee requests
If an email arrives via your corporate email system from a member of staff requesting a SAR, all organisations were in agreement it would be unnecessary and disproportionate to ask for additional proof, as you already know who they are.
One organisation takes the step of asking for some proof of identification with ex-employees, a couple of points of reference such as asking for their staff ID number and National Insurance number.
No additional information requested
Based on the context of their relationship with the requester and the nature of personal data to be provided, some organisations don’t feel it is necessary or proportionate to request further proof of ID. Here are some examples;
- Where someone has an online account and submits a SAR from an email address which is linked to their account, asking for it to be posted to an address currently held for them.
- A request is received from a business email address, which matches the record held and the response will be given to the same email address.
- Where the organisation is able to conduct sufficient internal checks to validate the request, based on information they already know about the individual.
Asking additional questions
Two organisations take the approach of asking the individual to answer a question (or two) to verify their identity. Essentially rather than ask for additional documents as proof they use the information they already know about the individual to do this. For example, can they confirm the nickname/username they used when setting up an account?
Where they may have doubts about the identity of the individual, some of the organisations will request photo identification (e.g. a passport or driving licence) along with proof of address (such as a utility bill). One organisation specifically mentioned how they’re reluctant to hold this information for any longer than required, so log its receipt and then immediately and securely destroy it.
Requests made by third parties
All of the organisations approached took a robust approach when a third party submits a request on another’s behalf, be this for example a law firm or a relative. This would include asking for information such as evidence of Power of Attorney or a letter of authority. This approach is supported by the ICO’s new draft guidance which states:
“An individual may prefer a third party (e.g. a relative, friend or solicitor) to make a SAR on their behalf. The GDPR does not prevent this, however you need to be satisfied that the third party making the request is entitled to act on behalf of the individual. It is the third party’s responsibility to provide evidence of this. This might be a written authority to make the request or a more general power of attorney.”
Some organisations have received requests from companies who offer a service of submitting requests on behalf of individuals – or so they claim. Often these companies are based overseas and the request may already include a proof of ID. A cautious approach is taken to such requests – one organisation will not respond unless it can contact the individual directly and ask them to confirm their request and reiterate their wish that the third party act on their behalf. Of course, they document any decision in each case.
The ICO’s new draft guidance makes specific reference to requests made by via a third party portal, and says you need to consider if you are able to verify identity and are satisfied the third party portal is acting with the authority and on behalf of the individual. It specifically states:
“You are not obliged to take proactive steps to discover that a SAR has been made. Therefore, if you cannot view a SAR without paying a fee or signing up to a service, you have not ‘received’ the SAR and are not obliged to respond. You should note that it is the portal’s responsibility to provide evidence that it has appropriate authority to act on the individual’s behalf. Mere reference to the terms and conditions of its service are unlikely to be sufficient for this purpose (see ‘Can a request be made on behalf of someone?’ above). The portal should provide this evidence when it makes the request (ie in the same way as other third parties). When responding to a SAR, you are also not obliged to pay a fee or sign up to any third party service. If you are in this position you should instead provide the information directly to the individual.”
In summary, it may not always be necessary to ask for additional documentation as proof of identity where you’ve no doubt the individual is who they say they are, or can verify this in another way.
Matthew Kay, Data Protection Officer EMEA at Thomson Reuters says, “It is clear from the review and outlined guidance provided that a balanced approach should be taken for right of access requests. This essentially means affording people their right of access but putting in sufficient safeguards to ensure information is only provided to those who are entitled to have access to it. It is worth noting that these safeguards shouldn’t hold up the process necessarily and this will often be achieved through organisations having a standardised approach. That being said organisations shouldn’t overlook the importance of handling requests on a case by case basis to ensure requestors are treated as individuals and receive the correct response.”
As we know, many individuals submitting SARs often do so because they’re already dissatisfied with your organisation – often complaint-driven. Don’t anger them further by putting unreasonable hurdles in their way but do request proof of ID where you believe it’s necessary to protect people.
If you’re in any doubt, and the individual can’t or won’t prove who they are, you may take the decision not to fulfil a request. Just make sure you document your decision – you can’t be blamed for having justified concerns, but could be if you can’t defend your decision-making in each case.
As ever, this issue is one of balance and proportionality – ensuring you have a robust process in place for handling SARs and retaining evidence to support your decisions is vital.
Philippa Donn, December 2019
Need help with tricky Subject Access Requests? Our experience team can help – GET IN TOUCH.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.