I don't think I've seen any comments about photo evidence, so may have missed
some the discussion, but in my view the degree of verification for a SAR is
likely to reflect the nature of the data to be released. In financial services,
health and social services in particular, at least some of the information is
likely to be very sensitive (not necessarily in just the DPA sense) and subject
to a duty of care. If an organisation already has an image of the individual on
file (or the individual provides the documents in person) then sight of an
official document containing a photo is very good as evidence of identity.
This, tied in with a recent utility bill as evidence of address, provides a
strong degree of confidence that it is dealing with the correct person. If it
doesn't already have an image of the individual on file then a photo isn't of
any help, but the official nature of some documents and the degree of
verification that an individual has to go through to get them still provide a
reasonable degree of comfort.
Why a certified copy? - because an organisation doesn't want to be responsible
for important original documents going missing in the post and copy documents
can be forged. A copy, certified by an appropriate person, reduces the risk of
fraud (I think it may be an offence to photocopy passports though?)
If the data held is innocuous an organisation might decide that the risk and
consequence of fraud is sufficiently limited not to warrant certified copies -
however what at first seems innocuous e.g. name and address may not be innocuous
if, for example, the data subject is in a safe house.
Chris
Carolyn Howard <[log in to unmask]> on 22/10/2003 09:23:52
Please respond to Carolyn Howard <[log in to unmask]>
To: [log in to unmask]
cc: (bcc: Christopher Spray/Group Compliance/South East/RAC Motoring
Services)
Subject: Re: [data-protection] Verifying identification & bought-in lists
Re certified photo evidence as proof of identity - why is a photo
needed? It seems that the subject is objecting to his inclusion on a
mailing list - the data controller in this case won't be able to prove
identity because he/she is provided with a photo and I suspect this
subject will not be happy to provide further info to this degree - why
should the data controller get to see, for example, his driving licence or
passport? Also, why should the subject be put to the extra expense
and inconvenience of getting proof of identity certified? I can see that
in certain sensitive circumstances the requirement for such a degree of
proof might be necessary, but not here.
Para 4.1.3 of the IC's Legal Guidance offers guidance.
Date sent: Tue, 21 Oct 2003 10:02:53 +0100
Send reply to: Tim Trent <[log in to unmask]>
From: Tim Trent <[log in to unmask]>
Subject: Re: [data-protection] Verifying identification &
bought-in lists
To: [log in to unmask]
> I'm afraid you have to bite your tongue with his sarcasm and respond
> by being overwhelmingly charming.
>
> I think it is fair to ask for documentary proof of identity. After
> all you have to protect yourself from sending data to an incorrect
> individual. A logical form of identity is payment by cheque drawn on
> his named account plus a certified copy of a photo-id of relevance.
>
> As for mailing lists, don't get me started!
>
> Apart from generally being poor quality (OK, if you sell a good
> quality list just say so! We'd like to know how good you really are!)
> they are usually very poorly reduplicated (We have just received an
> alleged list of 63,000 names bought by a client for a campaign which
> netts down to about 12,000 usable ones!). And if they have email
> addresses in and are released to you then we totally distrust their
> legality and advise most strongly "DO NOT USE" [ASA and "The Training
> Guild" applies here - see Google and our website]. After all, have
> any of you ever been asked for your email address with "permission to
> sell it to unspecified third parties for unspecified purposes"?
>
> Snail mail and telephone lists are generally better the more expensive
> they are. But that is not a hard and fast rule, and is open to price
> abuse. Data evaporates at approximately 20% per annum. If the data
> subjects are students (hence mobile population) the evaporation rate
> is substantially higher.
>
>
> Tim Trent - Consultant
> Direct: +44(0)1344 392644 Mobile:+44(0)7710 126618
> email: [log in to unmask]
> <mailto:[log in to unmask]>
> Marketing Improvement Limited, Abbey House, Grenville Place,
> Bracknell, United Kingdom, RG12 1BP
> http://www.marketingimprovement.com
> <http://www.marketingimprovement.com>
>
>
>
> This message is for the intended addressee's use only. It may contain
> confidential, proprietary or legally privileged information. No
> confidentiality or privilege is waived or lost by any
> mis-transmission. If you receive this message in error, please
> immediately delete it and all copies of it from your system, destroy
> any hard copies of it and notify the sender. You must not, directly or
> indirectly, use, disclose, distribute, print, or copy any part of this
> message if you are not the intended recipient. Any views expressed in
> this message are those of the individual sender, except where the
> message states otherwise and the sender is authorised to state them to
> be the views of any such entity.
>
>
>
> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]] On Behalf Of Paula Owen Sent:
> Tuesday, October 21, 2003 9:39 AM To: [log in to unmask]
> Subject: [data-protection] Verifying identification & bought-in lists
>
> Hi All
>
> I've had my first complaint/SAR from an customer - we have been beyond
> reproach before ;-)
>
> It is a very sarcastic letter and concerns a mailout sent to this
> chap's parent's home (where he has not lived for 18 months). The
> reason we have had this complaint, and others, is that we bought in
> lists from outside (in good faith).
>
> I have 2 questions:
>
> - how do people ask for proof of identity on a written SAR? As he is
> being
> rude and sarcastic and quoting DP '98 word for word I want to make
> sure I do everything totally by the book - hence I feel I should
> require him to prove his identity before I carry out the SAR. But I'm
> not sure what type of proof I should ask for??? Can people give me
> any examples of what they do?
>
> - my other question is regarding bought in lists. I was not
> consulted by
> the marketing team before they did this, for which there will be
> words, but it's done now and we must face the consequences. What
> assurances can you get from your contractors and suppliers of these
> lists that they are 'clean' and up to date (as other complaints have
> been about deceased recipients of our letters).
>
> We bought in 1 million names so approx 10 complaints so far isn't too
> bad I assume, but as we try to be as 'best practice' as possible, this
> really is dissappointing.
>
> Thanks for any replies/advice in advance
>
> Paula
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at : -
> http://www.jiscmail.ac.uk/help/commandref.htm
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at : -
> http://www.jiscmail.ac.uk/help/commandref.htm
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
http://www.rac.co.uk
http://www.racbusiness.co.uk
http://www.bsm.co.uk
Any opinions expressed in this e-mail are those of the individual and not
necessarily the company. This e-mail and any attachments are confidential to RAC
and/or BSM and are solely for use by the intended recipient.
If you are not the intended recipient you must not disclose, copy or distribute
its contents to any other person nor use its contents in any way.
If you have received this e-mail in error please forward a copy of this e-mail
to "[log in to unmask]".
RAC Motoring Services: Registered England 1424399
VAT Reg No. GB 238640945
British School of Motoring: Registered England 291902
VAT Reg No. GB 239505847
Registered Office(s): 1 Forest Road, Feltham, TW 13 7RR
This e-mail and any attachments has been scanned for the presence of computer
viruses. RAC/BSM accept no responsibility for computer viruses once this e-mail
has been transmitted.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|