I agree with those that say that some form of verification is reasonable,
although depending on the type of information required, may lead to a
request for less "critical" proof.
I dealt with requests for medical records for a NHS Trust for a while, and
being a mental health trust I don't think we could have been doing our job
properly if we simply relied on a letter and nothing more.
Part of our process was to send back a form that had to be filled in and
which requested certain information to allow us to proceed knowing that any
risk of someone impersonating the subject was limited and acceptable.
I would be very worried if I asked for my own sensitive information by
letter, and was simply granted it - in fact I would be minded to complain to
the ICO!
Simon Howarth.
-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Nigel Roberts
Sent: 30 October 2006 14:46
To: [log in to unmask]
Subject: Re: [data-protection] Verification of requestor identity - subject
access
RONAN DURNIN wrote:
> Dear All,
>
> I'm currently drafting some guidance concerning subject access requests.
>
> With regards to verifying the identity of the requestor is it reasonable
> to ask that one form of official photographic ID be provided (identity
> cards, anyone?!) or in the absence of such ID, two of the following:
I would suggest that it is UNREASONABLE. And the reason it is
unreasonable is that unless the person is at a counter, you have no need
to have the person's likeness provided or stored.
I will look up the law, but it seems to me that you need to be
reasonably satisfied that a person making the request is who they say
they are.
A signed letter, with a reply address ought to be sufficient to satisfy
'reasonably satisfied'. Anyone who writes to you purporting to be the
person concerned commits the offence of forgery if they are not who they
say they are.
If they have access to the person's address, they can easily get hold of
a utility bill.
> * Written statement confirming identity of requestor by Religious
> Minister, Lawyer/Barrister or GP
>
A bit over the top for a mere SOA (it's not a passport application), but
certainly sufficient for the purpose.
Nigel
PS: Requesting bank or credit card statements is IMO excessive data
collection -- you have no need to know who I bank with, or what my
overdraft limit is!!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving message please send to the list owner
[log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^