When one makes a GDPR Subject Access Request (SAR), the data controller should confirm that the request is really coming from the data subject. Recital 64 of the GDPR states:
“The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers.”
The ICO's detailed Right of Access Guidance (published October 2020) states:
You can ask for enough information to judge whether the requester (or the person the request is made on behalf of) is the person that the data is about. The key point is that you must be reasonable and proportionate about what you ask for. You should not request more information if the requester’s identity is obvious to you. This is particularly the case when you have an ongoing relationship with the individual.
You should also not request formal identification documents unless necessary.
One Data Controller that publishes their requirements is the Credit Industry Fraud Avoidance System. Their list includes data that is not obviously optimised for establishing that the data they hold is about the individual making the request. This is perhaps most obvious in the request for "address history for the last 6 years", but it also includes two proofs of identity, one of which must be "a copy of your valid passport, driving licence, biometric residents permit or national identity card", given that this private company is very unlikely to have this data, and that this may be special category data.
What do we know about the limits of data that can be requested before the data controller has to provide any data? Do we know if those making a SAR can request proof that the data controller has the data that is being requested? The technical details of how this could be done are the subject of this question.