Subject access requests and identity verification: navigating a data controller’s catch-22
September 2019 | PROFESSIONAL INSIGHT | DATA PRIVACY
Financier Worldwide Magazine
September 2019 Issue
No longer is the bark of sanctions for violating the European Union’s General Data Protection Regulation (GDPR) worse than its bite. With its recent issuance of back-to-back fines against British Airways and Marriott International totalling more than £282m, the UK’s Information Commissioner’s Office (ICO) has made clear that, when non-compliant data protection practices are identified, the ICO will not hesitate to flex its enforcement muscles.
Previously, the largest fine imposed for a GDPR violation was the €57m levied against Google earlier this year by CNIL, the French Data Protection Authority. Unlike the fines against British Airways and Marriott arising out of data breaches, Google was fined over its lack of transparency about how it was collecting and sharing user data. Whether the ICO’s recent activity foreshadows that data protection authorities intend to impose larger penalties for security breaches than for data processing violations remains to be seen.
Regardless, the ICO’s imposition of giant back-to-back fines should serve as a reminder (or a wake-up call) that compliance with the GDPR must be a priority for companies established in the European Economic Area (EEA), and those that target goods and services to, or monitor the behaviour of, individuals located in the EEA. As information commissioner Elizabeth Denham has made clear: “[W]hen you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights”.
But what about when a security breach occurs, not because hackers have employed criminal means to gain access to the personal data of thousands – perhaps millions – of data subjects, but instead because the data controller, or those in its employ, accidentally, but voluntarily, hands such data over to individuals unauthorised to receive it? By failing to implement proper measures for verifying the identity of an individual that has submitted a “subject access request”, seeking information regarding her personal data in the controller’s possession, a data controller could very well have an insider threat situation on its hands.
The threat is quite real. According to the ICO’s own statistics on data security incident trends, the mishandling of subject access requests – more specifically, providing data to the “incorrect recipient” – is the data protection concern about which the regulator receives the largest number of complaints.
Voilà, the data controller’s catch-22
Failing to timely – typically, one month from the date the request is received – or satisfactorily respond to a single subject access request theoretically subjects the data controller to a fine of 4 percent of gross annual revenue or €20m, whichever is greater. But providing the information to someone who is neither the actual data subject nor a third party authorised to receive such information constitutes a data breach for which the controller could be slapped with the same penalty.
With non-compliance an inadvisable option, and the threat of inadvertent unauthorised disclosure a real possibility, what should a data controller do when it receives a subject access request from someone whose identity is in question? The GDPR allows a controller with “reasonable doubts concerning the identity of the natural person making the request... [to] request the provision of additional information necessary to confirm the identity of the data subject.” Indeed, the GDPR expects controllers to use “all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers”.
The keys to identity verification are the existence of reasonable doubt about the requester’s identity, and requesting only what additional information is “necessary” – keeping in mind the GDPR’s bedrock principles of data minimisation and proportionality – and that can be obtained by “reasonable measures”.
Compliance with the “reasonable doubt” requirement is pretty straightforward. Requesting additional information from an individual who calls to make a subject access request on behalf of ‘Daniel Day-Lewis’ is likely to be reasonable; asking for more information from a current employee who makes a request in-person to its employer, a small company, is probably not.
Ensuring that the information requested, and the measures employed to obtain that information, are reasonable turns on a more nuanced context-driven and risk-based approach. In many situations, the most reasonable method of confirming the requester’s identity will be to use data already in the controller’s possession.
Where, for example, a subject access request arrives by way of email, the controller could: (i) call the individual using the number on file to confirm the request; (ii) ask that the individual submit the same request by SMS, and confirm that the phone number matches the one on file; (iii) request the individual provide the login credentials used to access the controller’s website, if applicable; and (iv) pose questions regarding recent interactions the individual has had with the controller. If the controller is an online merchant, the individual could be asked to provide the date and cost of her most recent purchase.
Requesting the individual send a copy of a passport or driver’s licence is not generally advisable and should be viewed as a last resort in a high-risk situation. For example, if the controller possesses information falling within the GDPR’s “special categories of personal data”, such as data concerning health or relating to the data subject’s sex life, then the risk posed by requesting an identification document may be outweighed by the risk of making an unauthorised production due to inadequate identity verification.
Even so, the safest option, where feasible, will typically be to ask the requester to present her identification at the controller’s place of employment rather than to ask that she send a copy of the same. In a similar vein, the GDPR contemplates that controllers will “not retain personal data for the sole purpose of being able to react to potential requests”.
Although the disciplinary potential may not be on the same scale as in the recent data breach situations involving British Airways and Marriott, failing to adequately respond to a subject access request, or providing information to an unauthorised individual, can each subject a data controller to significant penalties, including large fines, as well as negative publicity and loss of consumer trust. By implementing clear, company-wide protocols regarding the handling of subject access requests and by properly training employees to recognise and respond to such requests – particularly when it comes to verifying the requester’s identity – data controllers can effectively navigate this compliance conundrum.
Kate Paine is an associate and Alfred J. Saikali is chair of privacy and data security at Shook, Hardy & Bacon LLP. Ms Paine can be contacted on +1 (813) 202 7151 or by email: email@example.com. Mr Saikali can be contacted on +1 (305) 358 5171 or by email: firstname.lastname@example.org.
© Financier Worldwide
Kate Paine and Alfred J. Saikali
Shook, Hardy & Bacon LLP