Subject Access Requests – What are the requirements to verify someone’s identity?
This week’s top tip looks at the requirement within both the DPA 2018 and the GDPR to verify the identity
an individual making a request before acting or releasing information. Our clients are regularly raising
questions and concerns with our consultants along the lines of ‘what do I need to do?’
Let’s start by giving you a bit of context. One of the news stories this week featured a presentation given at
the Black Hat security conference in Las Vegas by a PhD student from Oxford University. The student
decided to contact about 150 organisations to see how much information he could obtain on his fiancée
(with her permission of course… and naturally all in the interest of academic research!).
Anyway, he managed to obtain a mine of ‘useful’ information including credit card and social security numbers,
passwords, and even her mother’s maiden name. Of the organisations who responded, 24 per cent simply
accepted an email address and phone number as proof of identity and sent over all the files they had on his fiancée.
A further 16 per cent requested easily forgeable ID information.
So why was it so easy to obtain all this information?
One suggestion is that organisations are concerned by the time restriction imposed by the GDPR to respond to requests – this has
reduced from 40 days to a month – and are looking to ‘process’ the request as quickly and efficiently as possible. Another possible
explanation is that front line staff receiving these subject access requests simply don’t know what they should and shouldn’t do as
they haven’t been adequately trained.
So, what are the rules around verifying somebody’s identity? The data controller MUST take steps to verify
the individual if they are not known to them.
Here’s the guidance from the Information Commissioner’s Office:
You [controller] must comply with a request without undue delay and at the latest within one month of receipt of the request or
(if later) within one month of receipt of: any requested information to clarify the request or any information requested to confirm
the requester’s identity.
The GDPR says in Recital 64: (remember it is the ‘Recitals’ that courts will use to inform judgement decisions, so must be given
serious consideration by any controllers)
“The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the
context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to
react to potential requests.”
This really couldn’t be much explicit. Verification of identity prior to disclosure is a clear obligation of any controller and is usually
solidly practiced, especially within verbal interactions such as customer services, call centres etc where individuals are required to
identify themselves by providing information known only to them. This includes requests made by a data subject’s representative
(e.g. family member or spouse under power of attorney, court order, completion of a disclosure approval form etc). If verification
cannot be achieved, the request should be denied, writing, to the individual themselves.
URM holds free seminars for end-user organisations focusing on information security and business continuity.
The half-day seminars are intended to provide practical and ‘real life’ insights into how best to comply and certify
with Standards such as ISO 27001 (International Information Security Management Standard) and ISO 22301
(International Business Continuity Management Standard).