Verifying the Identity of Someone Requesting Information Under the GDPR

What are the rules around verifying somebody’s identity

This blog post explores the requirement, set out in both the Data Protection Act 2018 (DPA 2018) and the General Data Protection Regulation (GDPR), to verify an individual's identity before taking any action or disclosing information in response to their request. Our clients frequently approach our consultants with questions and concerns about the steps needed to comply with this requirement.

To provide some background, in 2019, a news story highlighted a presentation delivered at the Black Hat security conference in Las Vegas by a PhD student from Oxford University. As part of academic research, the student decided to contact approximately 150 organizations to assess the extent of information he could obtain about his fiancée, with her consent, of course. This study aimed to examine the organizations' adherence to the GDPR principles, including the need for identity verification before granting access to personal information.

Remarkably, he managed to acquire a wealth of "useful" information, including credit card and social security numbers, passwords, and even his fiancée's mother's maiden name. Surprisingly, among the organizations that responded, 24% accepted an email address and phone number as sufficient proof of identity and proceeded to disclose all the files they had on his fiancée. An additional 16% requested easily falsifiable identification information.

This story highlights the importance of understanding and adhering to the identity verification requirement outlined in the DPA 2018 and GDPR, as organizations need to adopt robust measures to ensure the authenticity of individuals making data requests.

So why was it so easy to obtain all this information?

One possible concern raised by organizations is the time constraint imposed by the GDPR regarding response timelines for requests. With the implementation of the GDPR, the response period was reduced from 40 days to one month. Consequently, organizations are eager to handle these requests as promptly and efficiently as possible to comply with the mandated timeframe.

Another plausible explanation is that front-line staff who receive these subject access requests may not be adequately trained on how to handle such requests. The lack of proper training and guidance could lead to uncertainties about what actions should and should not be taken when processing these requests.

Both concerns highlight the importance of organizations investing in proper training programmes and resources so that their staff are well informed and equipped to handle subject access requests in accordance with the GDPR requirements. By doing so, organizations can reduce the risk of mishandling requests while still responding within the stipulated timeframes.

So, what are the rules around verifying somebody’s identity?

The requirement for data controllers to verify the identity of individuals making requests is clearly outlined in the GDPR. According to the guidance provided by the Information Commissioner's Office (ICO), the controller must comply with a request within one month of receipt, or within one month of receiving any requested information to clarify the request or confirm the requester's identity, whichever is later.

Furthermore, Recital 64 of the GDPR emphasizes the importance of using reasonable measures to verify the identity of a data subject, particularly in the context of online services and online identifiers. It explicitly states that controllers should not retain personal data solely for the purpose of being able to respond to potential requests.

This obligation to verify identity before disclosing information is well established and commonly practised, especially in verbal interactions such as customer services and call centres, where individuals are asked to provide information known only to them as a means of identification. The requirement also applies to requests made on behalf of data subjects by representatives, such as family members or individuals acting under a power of attorney, whose authority is supported by a court order or a completed disclosure approval form. If identity cannot be verified, the request should be formally refused in writing to the individual making it.

Adhering to these guidelines ensures compliance with the GDPR's identity verification requirements and helps safeguard personal data. If organizations require assistance in implementing these measures, they may seek the expertise of a GDPR consultancy to provide guidance and support throughout the process.