There has been a recent news story about a man making subject access requests in the name of his girlfriend (with her knowledge) to see how much information he could obtain. On the basis of his research 1 in four companies gave him information on the basis of the information he had provided.
This comes down to poor verification processes in place at the organisations before they give the information out. So here are some basic principles for verifying the identity of a person making a subject access request.
Don’t ask for more information than you need. This means not asking for a copy of their passport (which a number of organisations seem to do). What is the purpose of collecting a copy of their passport, what are you going to compare it to? How are you going to store it going forward?
Use something that you already know or hold to verify their identity. For each email subject access request that one of my clients receives, they will contact the individual on the mobile number they hold in their records to check that the request has come from them. Another client will ask for the sort code of the bank account that payment is collected from. Think about the information you hold and work out what would be unique to the individual. An email address is easily hacked or the password shared. Therefore the request may not be who it claims to be from.
Work out how you will verify verbal requests. You cannot ask someone to put their request in writing so how will you manage verbal requests and verify the identify of the individual?
How do you manage requests from third parties claiming to be acting on another individuals behalf. What will you do to verify the individual has provided their authority to act?
How are you recording the verification of identity for the records?
Don’t be afraid to refuse a request because you cannot confirm their identity. Be confident in your processes to assure yourself you are providing the information to the right person and if you can’t confirm their identity, refuse the request.
For those of you who are interested, here is the news report that BBC News published. It’s well worth a read.
If you have as subject access request and do not know how to respond, please contact us and we’ll be happy to help. You can call us on 020 8720 6585.