I sent a UK company a GDPR erasure request, but they demanded that I email them a copy of my driving licence before actioning my request. Here’s what happened when I challenged their intrusive, unsecure and likely unlawful demand…
I emailed a UK company (‘X’) with an erasure request pursuant to Article 17 of the UK GDPR, asking them to delete all personal data they held on me. Before doing so, I had trouble accessing my X account, so I used their ‘forgot password’ functionality. This involved me entering my email address and X sending me an automatic email containing a unique password reset link, allowing me to set a new password. This gave me access to my X account, enabling me to view all my personal data stored in my account.
X replied to my erasure request the next day – a great response time. However, in their reply, X demanded to be sent a copy of my driving licence to ‘protect my customer data’ as ‘an additional piece of identification’. I am of the opinion that many data controllers demand a copy of photo ID as a matter of routine when data subjects wish to exercise their GDPR rights, with the pure aim of making it more difficult and unattractive for them to do so. This is not data protection by design. After all, X didn’t request a copy of my photo ID before happily sending me a password reset email and thereby giving me access to all my personal data stored in my account.
Let’s take a look at the relevant legislation governing such ‘photo ID’ demands. Article 12(6) of the GDPR states: “Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject”.
This means that a data controller may only request further identification from a data subject if they can demonstrate that they have “reasonable doubts concerning the identity of the natural person making the request”. Of course, any such demand should also be proportionate to the personal data being held by the data controller – they cannot ordinarily demand to be given more personal data than they hold to verify the identity of a data subject (who can by definition be identified or identifiable). This means that a routine policy of demanding photo ID for requests is highly likely to be incompatible with Article 12(6) and the other principles of the GDPR.
Article 12(1) states: “When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means”.
Recital 57 states: “Identification should include the digital identification of a data subject, for example through authentication mechanism such as the same credentials, used by the data subject to log-in to the on-line service offered by the data controller”.
ICO Guidance states: “If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality. You should take into account what data you hold, the nature of the data, and what you are using it for.”
This further supports the notion that requesting a copy of photo ID for straightforward, electronic requests is unnecessary. Furthermore, I consider photo ID copies in a purely electronic environment to be a weak means of identification: the data controller is not able to verify that the requester’s face matches the picture on the photo ID and electronic images are easily faked through programs like Photoshop. Asking for a copy of photo ID would in my view only be suitable and reliable if a data subject makes a request in person.
Article 12(2) states: “The controller shall facilitate the exercise of data subject rights under Articles 15 to 22”. Recital 59 states: “Modalities should be provided for facilitating the exercise of the data subject’s rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means”.
I consider that this strongly encourages data controllers to provide an easy, embedded way to make a subject request in line with other account management functions. In particular, if a data controller provides user account functionality, they should add an ‘erasure request’ button to users’ account management section. Such a modality is inherently more secure than asking data subjects to send requests via email, let alone sending photo ID copies via email. Such a modality should also almost entirely remove any doubts a data controller may have about a data subject’s identity, as to make the request they need to have access to the account through whatever authentication method the controller uses.
Back to my correspondence with X. In reply to their demand for photo ID, I sent them a data protection complaint email as follows.
“I am disappointed and distressed to see that your position is that you “need to ask an additional piece of identification” to comply with my straightforward erasure request. I consider this to be unlawful under the UK GDPR; you are depriving me of my rights and attempting to collect unnecessary, irrelevant and inadequate data, particularly when viewed alongside your other security and verification processes. If this continues to be your position, please take this email as a data protection complaint pursuant to the ICO’s ‘Raising a concern with an organisation’ protocol. To this end, could you please answer the following questions:
- Do you currently have a data protection officer? If so, can you please ensure that you escalate this to your data protection officer. Please can you also confirm if your data protection officer has been appointed voluntarily or statutorily as per Article 37 UK GDPR?
- Do you have a standard policy of requesting photo identification before you comply with erasure requests? If so, please can you provide me with this policy?
- Please can you provide me with all the information required under Article 13 UK GDPR regarding you collecting and requiring a photocopy of my driving licence after I make a request to exercise my right to erasure?
To lawfully request additional identification before complying with my request, you must have ‘reasonable doubts’ concerning my identity as per Article 12(6) UK GDPR and the applicable ICO guidance on the Right to erasure. Such additional verification requests must also be proportionate and your collection and processing of such personal data must comply with all provisions of the UK GDPR. I consider sending you an electronic copy of the front of my driving licence by email a grossly disproportionate and intrusive means of identification, as well as being inadequate as you are not able to verify that my face matches the photo on the driving licence through an email. I note that you are currently happily sending people ‘forgotten password’ emails to the email address you have on file, after which they can reset the password to their account and gain access to their account on your website. Persons with access to a website account are able to see a lot of personal data contained in this account, effectively only by having access to the email address associated with that account. Please could you also answer the following questions:
- Can you please substantiate what your ‘reasonable doubts’ concerning my identity are in this case?
- Based on these ‘reasonable doubts’, how do you believe you can justify requesting a full copy of the front of my driving licence to confirm my identity and how would providing you with such a copy help you confirm my identity?
- If you consider the provision of additional photo identification necessary even after I have demonstrated that I am the person with access to this email address (by reason of me replying to and quoting the email you sent me to my registered email address), why do you not require photo identification for your website users to reset their website password, which then gives them access to the personal data stored in their account?
- Why have you not taken appropriate technical measures to implement a modality on your website to facilitate the right of erasure through the account section?”
I ended the email saying that, if they properly responded to my original request, they could disregard the complaint. I also provided them with my most recent booking reference number (which was visible in my X account). I also said that, if they refused to comply with my original request, I would complain to the ICO and seek an interim injunction and compensation in the County Court pursuant to Articles 79 and 82 of the UK GDPR.
X replied on the same day. They stated that, after checking their process, they could see my identity as “confirmed” meaning their “doubts about the identity, which initially caused [them] to check, did not turn out to be justified”. They subsequently dropped their demand for a photocopy of my driving licence and apologised. I accepted their apology and suggested that they review their internal policies, in particular in light of routine photo ID checks. They said they would do so.
2 weeks later, X confirmed they had processed my erasure request and deleted my data. I do hope that they have now changed their policy of demanding photo ID for routine data subject requests, or better yet have implemented buttons in their website account section to facilitate such requests. While X’s initial response was substandard, I am satisfied with the way in which they dealt with my subsequent complaint and improvement suggestions.
So, the next time a data controller demands to see your photo ID when you try to exercise your rights, ask them what their reasonable doubts about your identity are and compare their demand with the rest of their website processes for restoring accounts. Data controllers should absolutely not be asking for photo ID as a matter of routine and, in my view, the only situations in which photo ID is appropriate are rare, in-person data subject requests, or sensitive data subject requests where there is no prior relationship and authentication mechanism between the data subject and the controller. There will almost always be a more appropriate, less intrusive means to confirm your identity.