On the basis that you are entitled to ask a data subject for any such
information that you may reasonably require to satisfy yourself of
his/her identity I fully support Fatima in her sensible approach. It is
an approach I have also adopted by requesting at least one original
photographic ID (i.e. passport/ photo driving licence) and one original
proof of address (i.e. utility, bank or council tax bill).
Furthermore where someone else is acting on behalf of a data subject, in
additional to a letter of authority I also request the same original
proofs of identity from them as well. This is stated as a requirement
on the SAR Form and if they do not comply then the personal data is not
released. Those wishing to drop safeguards available to them do so at
their own risk.
Barry Humphrey
South Holland DC
-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Zohra, Fatima
Sent: 27 July 2006 14:18
To: [log in to unmask]
Subject: [data-protection] Verifying Requests for Personal Data - What's
Reasonable.
Dear Listserv,
As you are no doubt aware the Data Protection Act, specifically section
7(3), states that a Data Controller is not obliged to comply with a
request under this section unless he is supplied with such information
as he may reasonably require in order to satisfy himself as to the
identity of the person making the request..
At Westminster, our current procedure is to ask for original
verification documents sent recorded delivery. Alternative arrangements
for photocopying originals at our One Stop Services which are then
witnessed by staff are also offered. Letters from Solicitors acting on
behalf of clients are acceptable, although we reserve the right to
confirm that this is in fact the case, i.e. a signed letter from the
client must accompany the application, together with address details
etc. Whilst every effort is made to accommodate individual circumstance,
for example, where applicants are physically unable to attend a One Stop
Shop. We reserve the right to maintain our verification standard. This
is in keeping the Metropolitan Police's procedure and most other
institutions, especially those in the private sector. I believe that
these steps are reasonable, as my first duty is to protect individuals
from unlawful disclosures. I also have a duty to the organisation, to
ensure procedures are in place that don't result in unlawful discloses.
Production of original documents is in my view not unreasonable - yet
the OIC is questioning this, by stating it believes that photocopies are
acceptable. Am I now to take it as given that when banks ask for
original documents they are in fact imposing a unreasonable requirement?
Where does this leave us in an age of identity fraud? I would be very
interested to hear from the listserv what procedures/requirements they
have for verifying identity for Subject Access Requests. I have done a
short trawl around Government departments (including the OIC) and
alarmingly they appear to have less stringent procedures than my own. Do
you think we are going over the top on this issue - personally as a
member of the public I would like to think that organisations were doing
everything in their power to stop unlawful disclosures, especially in
the light of recent events.
Fatima Zohra
Corporate Information Manager
Information Services
City of Westminster
************************************************************************
***********
Parking in Westminster is easier with our ParkRight guide. It explains
how to park, where to park and includes a useful map of zone one. For
your free copy call Parking Services on (020) 7823 4567 or visit
www.westminster.gov.uk/parking/
************************************************************************
***********
Westminster City Council switchboard: +44 20 7641 6000
www.westminster.gov.uk
************************************************************************
***********
This E-Mail may contain information which is privileged, confidential
and protected from disclosure.
If you are not the intended recipient of this E-mail or any part of it,
please telephone Westminster City Council immediately on receipt.
You should not disclose the contents to any other person or take copies.
************************************************************************
***********
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving message please send to the list
owner
[log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving message please send to the list owner
[log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|