A reader of my previous piece, ‘How to build a sustainable DSR routine’, commented that it would be helpful to get more guidance on how the identity of an individual submitting a data subject request (DSR) could, or should, be confirmed. In this blog post I would like to shed some more light on this issue. As with many things, it sounds like a straightforward task at first but becomes tricky fairly quickly.
Thorough deliberation is required to find the right balance between
- ensuring that the right individual is submitting a data subject request, since exposing the personal data to an unauthorised person would result in a data breach, and
- not collecting more personal data than is relevant and necessary to confirm the identity of the individual, since doing otherwise would result in a breach of the data minimisation principle.
Moreover, it is important to exchange this potentially sensitive information via secure channels.
Here are some tips on how to appropriately verify an individual’s identity as part of a DSR routine. When it comes to verifying an identity, organisations must consider their relationship with the individual and the types, amount and sensitivity of the personal data they process about that individual. The more data you process, and the more sensitive it is, the stricter you should be in your identification efforts. Consider these factors and develop a structure setting out what identifying information may be requested in which circumstances. There is no one size fits all – e.g., organisations should not request a copy of a passport, ID card or birth certificate as a default means of identifying individuals in all cases, since this would be disproportionate. Under some circumstances, however, requesting an ID copy would be a justified and proportionate measure – e.g., when special categories of personal data are at issue or when the respective processing operations pose a high risk for the data subject (this might be the case, for example, when health data is processed). Provisions of national law should also be taken into account here.
Another important factor to take into account is how you obtained the information you hold in the first place. Did the individual submit it via email? If the request is made from the same email address, this may be enough for identification. The same applies if the information was obtained via an online portal from a logged-in user.
This will not always be possible or straightforward. Here are some suggestions on how to tackle it for some common categories of data subject:
- For former employees you could request their employee number, payslip or other relevant employment information issued by your organisation – provided that this information is not in the public realm, and that the requestor can reasonably provide it.
- For applicants that applied via a portal that sends out a submission confirmation and ticket number an organisation may request the application number or start a data subject request after logging into the portal. Alternatively, a confirmation message may be sent to the phone number or email address the applicant originally submitted with their application.
- Similarly, with current customers, verifying the identity can be a straightforward process if the customer communicates via the same channel (e.g., email address) used before. Alternatively, organisations can request a recent bill or other relevant documentation.
- With individuals that have merely been browsing your website, you may not hold directly identifying information. Cookies and other tracking technologies may have been the only personal data you obtained. In such a context the only feasible way to connect an individual with their indirectly identifying information is likely to ask the individual to submit the cookie or local storage values set on their device. These identifiers are accessible via the Inspect (developer tools) function of most browsers.
Secure ways of exchanging requested information
If an organisation requests identifying information, it is prudent to provide an online portal for submitting it, or to give information on how documents can be password protected or encrypted before being attached to an email, so that the data is secured in transit.
The issue of collecting more information than is already being processed
Organisations must be careful to collect only the minimum amount of personal data required to verify the requestor’s identity, and should avoid requesting additional personal data that is not relevant or necessary for that purpose.
What to do with information
Be aware that you should delete any additional identifying personal data collected during the verification process. This means documenting only that the identity was verified and in what form this was done. Keeping such logs ensures that the organisation can demonstrate that it has complied with GDPR requirements without holding on to unnecessary personal data.
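To make the structure described above concrete, here is an added example (my own illustration, not code from the original post or from any particular product) of a small verification routine. It chooses its strictness from the sensitivity of the data held, prefers the channel the data was obtained through (same email address, logged-in portal, or the cookie value a website visitor reads from their browser), falls back to a one-time code sent to the contact detail already on file, and for high-sensitivity subjects additionally requires an identifier the organisation itself issued. The audit log records only that verification happened and how; the compared values are never stored. The record layout, the two tiers, the code length and lifetime, and all sample values are assumptions made for the example.

```python
"""Added example, not code from the original post: a DSR identity-verification
routine whose strictness follows data sensitivity, prefers the channel the data
was obtained through, and logs only that verification happened and how.
Record layout, tiers, code length/lifetime and all sample values are assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

OTP_DIGITS = 6               # assumed one-time-code length
OTP_TTL_SECONDS = 15 * 60    # assumed one-time-code lifetime


@dataclass
class SubjectRecord:
    """Only what the organisation already holds; nothing new is collected."""
    subject_id: str
    email: Optional[str] = None
    cookie_id: Optional[str] = None          # pseudonymous id for website-only subjects
    employee_number: Optional[str] = None    # issued by the organisation; second factor
    sensitivity: str = "normal"              # "normal" or "high" (e.g. health data)


@dataclass
class Request:
    subject_id: str
    channel: str                             # "email", "portal" (logged in) or "web"
    sender: str                              # address, login or cookie value presented
    otp: Optional[str] = None                # one-time code echoed back, if challenged
    employee_number: Optional[str] = None    # second factor for high-sensitivity data


@dataclass
class Verification:
    verified: bool
    method: str                              # how identity was, or was not, confirmed


# Audit trail: proves verification happened and how; never stores the values
# that were compared (addresses, codes, employee numbers).
AUDIT_LOG: list = []
_pending: dict = {}   # subject_id -> (salt, sha256(salt+code), expiry); codes never stored


def _equal(a: Optional[str], b: Optional[str]) -> bool:
    """Case-insensitive constant-time comparison; a missing value never matches."""
    if a is None or b is None:
        return False
    return hmac.compare_digest(a.strip().lower().encode(), b.strip().lower().encode())


def _record(subject_id: str, method: str, verified: bool) -> Verification:
    AUDIT_LOG.append({"subject_id": subject_id, "method": method,
                      "verified": verified, "at": time.time()})
    return Verification(verified, method)


def issue_challenge(rec: SubjectRecord, deliver: Callable[[str, str], None],
                    now: Optional[float] = None) -> None:
    """Send a one-time code to the email already on file; `deliver(address, code)`
    stands in for the real mail sender."""
    if rec.email is None:
        raise ValueError("no contact detail on file to send a challenge to")
    code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
    salt = secrets.token_bytes(16)
    expires = (time.time() if now is None else now) + OTP_TTL_SECONDS
    _pending[rec.subject_id] = (salt, hashlib.sha256(salt + code.encode()).digest(), expires)
    deliver(rec.email, code)


def _otp_ok(subject_id: str, otp: Optional[str], now: float) -> bool:
    if otp is None or subject_id not in _pending:
        return False
    salt, digest, expires = _pending.pop(subject_id)   # single use, match or not
    if now > expires:
        return False
    return hmac.compare_digest(hashlib.sha256(salt + otp.encode()).digest(), digest)


def verify(rec: SubjectRecord, req: Request, now: Optional[float] = None) -> Verification:
    """Decide whether the requestor is the data subject; strictness follows sensitivity."""
    now = time.time() if now is None else now
    # First factor: the channel the data came through (same email address, logged-in
    # portal session, or the cookie value a visitor read from their browser; a cookie
    # only proves access to a device), else a one-time code sent to the contact on file.
    on_file = {"email": rec.email, "portal": rec.subject_id, "web": rec.cookie_id}
    same_channel = _equal(req.sender, on_file.get(req.channel))
    if not same_channel and req.otp is None:
        return _record(rec.subject_id, "challenge-required", False)
    first = same_channel or _otp_ok(rec.subject_id, req.otp, now)
    if rec.sensitivity != "high":
        return _record(rec.subject_id, "same-channel" if same_channel else "one-time-code", first)
    # High sensitivity: also require an identifier only the organisation and the
    # subject should know. No second factor on file means manual handling, never a pass.
    second = _equal(req.employee_number, rec.employee_number)
    return _record(rec.subject_id, "two-factor", first and second)
```

A caller that receives `challenge-required` calls `issue_challenge` and asks the requestor to echo the code back; codes are single use and expire, and the request's `sender`, `otp` and `employee_number` fields are discarded once `verify` returns, so the only thing retained is the audit entry. For a high-sensitivity subject with no second factor on file the routine never returns a pass, which is the point at which a human reviewer would apply the stricter document-based checks discussed above.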
The risk of not appropriately identifying an individual: personal data revealed to an impersonator
Failure to appropriately verify the identity of a requestor can lead to personal data being revealed to a malicious person who is impersonating the actual data subject, or to personal data being wrongfully deleted at the request of such a person. This can have serious consequences for both the organisation and the data subject. To avoid this risk, organisations should implement identity verification procedures that are secure, reliable and proportionate.