Verifying the Identity of Someone Requesting Information Under the GDPR

Published on 22 July 2022
This blog looks at the requirement, under both the DPA 2018 and the GDPR, to verify the identity of an individual making a request before acting on it or releasing information. Our clients regularly raise questions and concerns with our consultants along the lines of ‘what do I need to do?’

Let’s start by giving you a bit of context.  A 2019 news story featured a presentation given at the Black Hat security conference in Las Vegas by a PhD student from Oxford University. The student decided to contact about 150 organisations to see how much information he could obtain on his fiancée (with her permission of course… and naturally all in the interest of academic research!).

Anyway, he managed to obtain a mine of ‘useful’ information including credit card and social security numbers, passwords, and even her mother’s maiden name.  Of the organisations which responded, 24% simply accepted an email address and phone number as proof of identity and proceeded to send over all the files they had on his fiancée.  A further 16% requested easily forgeable ID information.

So why was it so easy to obtain all this information?

One suggestion is that organisations are concerned about the time limit for responding to requests, which the GDPR reduced from 40 days to one month. As a result, they look to ‘process’ the request as quickly and efficiently as possible. Another possible explanation is that the front line staff receiving these subject access requests simply don’t know what they should and shouldn’t do, because they haven’t been adequately trained.

So, what are the rules around verifying somebody’s identity?

The data controller MUST take reasonable steps to verify the individual if they are not known to them.

Here’s the guidance from the Information Commissioner’s Office:

You [controller] must comply with a request without undue delay and at the latest within one month of receipt of the request or (if later) within one month of receipt of: any requested information to clarify the request or any information requested to confirm the requester’s identity.

The GDPR states in Recital 64 (remember that courts use the Recitals to inform their judgements, so any controller must give them serious consideration):

“The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.”

This really couldn’t be much more explicit.  Verification of identity prior to disclosure is a clear obligation of any controller and is usually solidly practised, particularly within verbal interactions such as customer services, call centres etc., where individuals are required to identify themselves by providing information known only to them.  This includes requests made by a data subject’s representative (e.g., family member or spouse under power of attorney, court order, completion of a disclosure approval form etc.).  If verification cannot be achieved, the request should be denied, in writing, to the individual themselves.

Do you need assistance managing your DSARs?

URM can offer a host of consultancy services to help you manage DSARs, DPIAs, ROPAs, privacy notices, data retention schedules and training programmes.