- A recent test DSAR has demonstrated companies’ differing approaches to DSAR compliance
- Despite the DSAR being made by a third party on behalf of the data subject, it is clear companies are uncertain regarding when or how they should ask for ID verification
- ICO guidance urges data controllers to be satisfied that any third party making a DSAR is entitled to act on behalf of the individual data subject
Article 15 of the GDPR gives data subjects the right to obtain a copy of their personal data held by data controllers who process their personal data. Over the course of the past year, we’ve seen increasingly innovative uses of this right, as demonstrated recently by James Pavur, a researcher at the University of Oxford.
Mr Pavur, a security expert, contacted 150 UK and US firms asking each of them to provide him with a copy of all of the personal data they held pertaining to his fiancée. Of those 150, 83 companies confirmed they held his fiancée’s personal data. 24% of the organisations who confirmed they held relevant personal data provided Mr Pavur with this personal data without any further attempt to verify his identity or authority.
Perhaps most worryingly, it appears Mr Pavur was able to obtain a wide range of personal data about his fiancée from these subject access requests, ranging from the results of a criminal background check and her full social security number to passwords, her mother’s maiden name and credit card details. One threat intelligence company sent Mr Pavur a list of her email addresses and passwords which had already been compromised by cyber hacks and attacks – some of which still worked on her various online accounts.
Confirming a data subject’s identity: when to ask and what to ask for
The ICO states in its Guide to the GDPR that organisations who receive a data subject access request are entitled to ask an individual for more information if “you have doubts about the identity of the person making the request”. However, the ICO also confirms an organisation can only ask for information “that is necessary to confirm who they are. The key to this is proportionality“.
The proportionality test will need to be applied on a case by case basis when organisations receive subject access requests; however, it is likely that factors such as the categories of personal data requested (and notably whether this includes special category data) as well as whether the data subject is well-known to the organisation are likely to be relevant.
In addition, the GDPR does not prevent an individual making a request for access via a third party acting on their behalf, such as in this instance. The ICO guidance states, in such a scenario the data controller needs to be satisfied the third party making the request is entitled to act on behalf of the individual, but it is the third party’s responsibility to provide evidence of this entitlement. This might be a written authority to make the request or it might be a more general power of attorney.
Of the 83 organisations who confirmed that they held personal data of Mr Pavur’s fiancée, 39% requested a “strong” form of ID (i.e. a passport or driving licence) and 16% requested a form of ID which could be easily forged (for example, a bank statement). In a fairly extreme response, 3% of organisations deleted all personal data they held about his fiancée.
It is clear from this experiment that organisations have varying levels of knowledge and processes in place to respond to subject access requests, and it would be helpful for further guidance to be provided by the various European regulators about what ID is appropriate to request and in what circumstances. Hopefully, in line with the spirit of the GDPR, this guidance will be uniform across the various EU jurisdictions; however, with guidance often being published on a regulator to regulator basis, it remains to be seen if this will be the case.