When a data subject requests access to their own data, an accountable organisation should have policies and procedures in place to provide access within the deadlines stipulated by the applicable laws. Organisations also need to ensure that they are only providing data belonging to that specific subject. But what should they do to identify the data subject making the request, while remaining compliant with the laws?
With the GDPR fully applicable and the CCPA on the way, more attention than ever before is being given to the rights of data subjects and how authentication should be handled. Should you always ask for a copy of a passport or ID document, or is the confirmation of a name and date of birth sufficient? Neither the GDPR nor the CCPA give explicit guidance, but here are some guidelines:
The simplest and most efficient way to let individuals exercise their data subject rights is to give them access to their account data in an online environment. This also facilitates the authentication process of the data subject, because the credentials used to access the account can be deemed sufficient proof that the data subject is the person accessing the account. Extra care would, however, be required if the organisation had recently suffered a data breach exposing user names and passwords. Additional measures would then need to be implemented to authenticate the identity of users, including resetting all passwords.
In several countries, other forms of online identification exist as well, for example government-issued online authentication mechanisms, that sometimes can be used in the private sector too, or bank ID’s, that have been given a wider use. The latter is for example the case in Sweden (BankID) and the Netherlands (iDin).
Requesting a copy of a passport or I.D. document
For their own peace of mind, many organisations request a copy of a passport, driver’s license or I.D. card when dealing with a data subject rights request. They claim that this is the only way for them to be sure that the data subject is actually the person who is making the request. However, several DPAs have issued warnings that this could be considered excessive data collection, which is not allowed.
For example, a person’s passport or ID could contain additional information, such as a national identification number, and by requesting these documents, the organisation would have access to even more sensitive data.
Additionally, in the EU and elsewhere the processing of a national identification number is restricted to specific situations provided by law, which does not include dealing with data subject rights. In such jurisdictions, since the national identification number cannot be used for data subject authentication, organisations should warn individuals that their number should be made unintelligible on any documents they provide. Also, organisations need a process in place to delete such numbers should they not have been made unintelligible.
Instead of a passport or ID, many DPAs recommend that you start with the information that is already included in the request. If that is sufficient for you to verify the identity of the requestor, you can provide access. If not, you could first consider asking for additional information based on what you know about the data subject, or make use of a pre-set security question.
The important thing to note is that regulators cannot agree, from country to country, on the best means of authenticating a data subject while still protecting their privacy rights. For example, the Canadian regulator suggests using something the individual knows, has or is/does, and requesting a passport should be the last resort. While in Mexico, the federal DPA INAI advises the use of a passport as the preferred means of identification. The German DPA recommends using other means of authentication, like the person’s postal address.
The Dutch DPA provides the clearest position and states on its website that asking for a copy of an identity card in many situations would constitute excessive data processing, which is not allowed. As a rule of thumb, you could consider that the more sensitive the data, the more stringent the verification should be, while remaining within the boundaries of applicable laws.
Organisations need to be cautious not to over-collect personal data or make it overly difficult for people to exercise their rights. If you do choose to collect sensitive information, such as a passport number, keep in mind that it could constitute a request for an excessive amount of personal data – beyond the scope of the original data collected – and you would need to protect it with enhanced security measures.
You might even need to conduct a DPIA (Data Protection Impact Assessment) before implementing such an authentication method. In short, if you need additional information for authentication, ensure that it is relevant and the least amount required to ensure data minimisation and fairness.
Do you want to learn more about authenticating data subjects while remaining compliant with applicable laws? Download our new Handbook today!