Nigel - ask and you shall receive :)
Section 7(3) A data controller is not obliged to comply with the request
under this section unless he is supplied wit such information as he may
reasonably require in order to satisfy himself as to the identity of the
person making the request and to locate the information which that person
seeks.
Proportionality is the key and while it may be reasonable to ask for more
stringent proof of ID for cases where sensitive data is involved this isn't,
in my experience, always necessary.
Working in a social care environment a lot of the personal data we hold is
of a sensitive nature but as we have many requests from people well known to
the department we don't always ask for ID - we know the requestor so there
is no benefit in asking for proof of their ID despite the sensitive nature
of the data requested.
That said if we received a request from someone not currently known we would
of course ask for proof of their ID, usually a copy of their passport or
similar.
Lee
-----Original Message-----
From: Nigel Roberts [mailto:[log in to unmask]
<mailto:[log in to unmask]> ]
Sent: Tue 31 October 2006 07:23
To: [log in to unmask]
Subject: Re: [data-protection] Verification of requestor identity - subject
access
I think this expresses very well the concept I was unsuccessfully grasping
at. If you are a bank, as a matter of opinion, I think it is REASONABLE for
you to ask for my passport/ID card as you have those already (or data of
similar sensitity) by the operation of statutory rules (I.e anti-money
laundering) (However, askin for these by post STILL does not stop id
theft!!). If I make an SAR on a company or organisation like a spammer which
SHOULD have no data, or marginal data about me, then sending such data is
UNREASONABLE (again, IMO).
Whether something is reasonable or not, is often irrelevant.
The question is what is LAWFUL??
I have yet to find the relevant section of the Act. (Can anyone direct me to
it?). But I seem to recall the expression "sufficient to identify"
being bandied about.
This is a LONG way from "*prove* your identity". It is not the same at all.
I submit that name and address is normally "sufficient to identify" me in
most circumstances. (Where you the data are stored agaisnt a previous
address, then that address is would be required to be sufficient.)
Ultimately it is a matter of construction and you can't decide on 'gut-feel'
unless the word 'reasonably' appears in the law. You have to apply statutory
interpretation to the relevant section.
Anyone able to quote chapter and verse?
Regards
Tony Bowden wrote:
> On Mon, Oct 30, 2006 at 04:28:57PM -0000, Tim Trent wrote:
>
>>Since people worry about ID Theft, I think it is valid to ask for
>>serious ID, even for "trivial" details. This is for our protection as
>>much as theirs.
>>The more private the data the more security we need to deploy.
>
>
> I think a good rule of thumb is that you should not be requesting any
> form that ID that provides any data that you don't already
> (legitimately) hold on the data subject.
>
> i.e. proving identity should not involve revealing more information
> than would already be known.
>
> Tony
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
<http://www.jiscmail.ac.uk/lists/data-protection.html>
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at : -
> http://www.jiscmail.ac.uk/help/commandref.htm
<http://www.jiscmail.ac.uk/help/commandref.htm>
> Any queries about sending or receiving message please send to the list
owner
> [log in to unmask]
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
--
Nigel Roberts BSc CEng FBCS DipEngLaw, Director Island Networks, 4&5 St
Anne's Walk, Alderney, GY9 3JZ (GG) Tel. 01481 822800 (office) or 0870 321
2282 (direct)
Mobile: 07010 7011 13 or +423 663 178 200
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
<http://www.jiscmail.ac.uk/lists/data-protection.html>
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
<http://www.jiscmail.ac.uk/help/commandref.htm>
Any queries about sending or receiving message please send to the list owner
[log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.
This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses using Sophos
anti-virus software.
www.mimesweeper.com
www.sophos.com
**********************************************************************
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving message please send to the list owner
[log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
