Subject access requests - don't be caught aiding and abetting identity theft

Honouring a subject access request often delivers a dream set of personal data for a malicious actor intent on identity theft. Poor procedures with inadequate controls could leave an organisation open to civil claims for losses where a data subject becomes a victim.

A data subject has a right to access a copy of all the personal information that you hold on them. You can’t make the process of obtaining that data deliberately complicated; however, you can and should make appropriate efforts to ensure that you are honouring a request that actually comes from the data subject.

Subject Access Requests provide an easy way for criminals to augment a small piece of (possibly trivial) personal information with much more valuable data to then be used for financial gain. Although you may consider the information that you hold to be low risk, consider the part it may play as a piece in a bigger jigsaw.

In a scenario where there is a claim for loss, you would need to have a defensible position that you had made appropriate efforts to verify the identity of the person making the subject access request. The ICO guidance on verification of ID describes this as:

If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality.

This clearly leaves the onus of responsibility on the data controller to judge what proportionate looks like. The best chance of getting this judgement right is to follow the UK government guidance for appropriate ID verification. This still requires judgements to be made, but provides some point of reference for proportionality.

Whatever level you decide on, it’s critical that you embed these criteria into your written subject rights request policies and standard operating procedures. Only by doing this can you defend your position when challenged.

If you would like support in reviewing your current practices, or in identifying appropriate ID verification procedures for your specific situation then drop me an email (hello@oliverwestmancott.com) or phone on 020-3393 1899.

Oliver Westmancott