Indeed. But 'sensitive data' has always had a different Data Protection
treatment to ordinary data. (And probation and mental health
applications are clearly 'sensitive data').

For sensitive data, more checks /of course/ are required.

But in either case (and if you are a public authority there is a legal
obligation - HRA 1998) such checks MUST be 'proportionate'.

I am certainly not going to provide something with sensitive data on it
(like a bank statement), in order to access data which is routine and
NOT sensitive; that clearly fails the 'sledgehammer' test for proportionality.

Nigel

Simon Howarth wrote:
> I agree with those that say that some form of verification is reasonable,
> although depending on the type of information required, may lead to a
> request for less "critical" proof.
>
> I dealt with requests for medical records for a NHS Trust for a while, and
> being a mental health trust I don't think we could have been doing our job
> properly if we simply relied on a letter and nothing more.
>
> Part of our process was to send back a form that had to be filled in and
> which requested certain information to allow us to proceed knowing that any
> risk of someone impersonating the subject was limited and acceptable.
>
> I would be very worried if I asked for my own sensitive information by
> letter, and was simply granted it - in fact I would be minded to complain to
> the ICO!
>
> Simon Howarth.
>
> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]] On Behalf Of Nigel Roberts
> Sent: 30 October 2006 14:46
> To: [log in to unmask]
> Subject: Re: [data-protection] Verification of requestor identity - subject
> access
>
> RONAN DURNIN wrote:
>> Dear All,
>>
>> I'm currently drafting some guidance concerning subject access requests.
>>
>> With regards to verifying the identity of the requestor is it reasonable
>> to ask that one form of official photographic ID be provided (identity
>> cards, anyone?!) or in the absence of such ID, two of the following:
>
> I would suggest that it is UNREASONABLE. And the reason it is
> unreasonable is that unless the person is at a counter, you have no need
> to have the person's likeness provided or stored.
>
> I will look up the law, but it seems to me that you need to be
> reasonably satisfied that a person making the request is who they say
> they are.
>
> A signed letter, with a reply address ought to be sufficient to satisfy
> 'reasonably satisfied'. Anyone who writes to you purporting to be the
> person concerned commits the offence of forgery if they are not who they
> say they are.
>
> If they have access to the person's address, they can easily get hold of
> a utility bill.
>
> > * Written statement confirming identity of requestor by Religious
> > Minister, Lawyer/Barrister or GP
> >
>
> A bit over the top for a mere SOA (it's not a passport application), but
> certainly sufficient for the purpose.
>
> Nigel
>
> PS: Requesting bank or credit card statements is IMO excessive data
> collection -- you have no need to know who I bank with, or what my
> overdraft limit is!!
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at : -
> http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving message please send to the list owner
> [log in to unmask]
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^