The Subject Access Scam

How well-known organisations are abusing our right of Subject Access to avoid having to comply with requests.

I recently started receiving marketing e-mails from a retail chain out of the blue. The organisation claimed that they had obtained my information via a form that I submitted on their website to sign up to marketing emails. I didn’t submit the form, but that’s an article for another day: organisations adding individuals stored in mailing lists to their own web-forms and registering them.

As I’d never had anything to do with this organisation, I submitted a Subject Access Request (SAR). The organisation replied as follows:

We are writing in response to your Data Privacy Request in which you have requested a copy of all information we hold about you. In order for us to proceed, we require further information to verify your identity. We are asking for this to ensure that we are completing request(s) only for those who are legally entitled and are the accurate data subject.

Please can you provide:

1. Utility Bill
2. Account Details (name, first line and postcode of billing address and email address)
3. Photo ID (passport or driving licence)

Please note that the information we process about you may have changed since you initially submitted it. However, you may not have updated our systems. For example, you no longer use your maiden name or you have recently moved address.

You can submit the above mentioned information via email or post. Please note that we cannot guarantee the security of documents sent over the Internet and that doing so is entirely at your own risk. Once we have verified your identity, we will respond to your request in accordance with our legal obligations. 

It’s a fairly typical response to an SAR, right? But note how they’ve automatically assumed that I am an identified natural person on their system. Yet they’d confirmed previously that they had obtained my information via their public-facing web-form when I apparently signed up to receive marketing emails from them. These email sign-up forms tend to collect only a small amount of personal data (name, email address, country and so on), so why are they asking me to provide formal identification? Simple; it’s self-serving: they do it by default and they do it to put us off. Note also the cost of the demand itself: a controller that holds nothing more than a name and an email address is asking for a passport scan and a utility bill to be sent by email, while stating in the same letter that it cannot guarantee the security of documents sent over the Internet. The verification step collects far more sensitive data than the record it is supposed to protect.

Let’s clarify a few facts

An identifiable natural person is a data subject that the data controller cannot formally identify from the information that they hold about the individual. In other words, they hold enough information about an individual to single them out from a group, but not enough information to knock on their front door.

An identified natural person is a data subject that the data controller has formally identified. They hold enough information about the individual to knock on their front door.

To my employer, therefore, I am an identified natural person, but to a data controller that obtains a small amount of my personal data, I am likely to be an identifiable natural person.

Finally, let’s clarify the statutory definition of a data subject, found at Article 4(1) GDPR:

(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Let’s apply the facts

It’s Recital 64 GDPR that data controllers are relying on to “formally identify” anyone who submits an SAR:

The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.

Once we understand that a “data subject” is a variable, based on whether they are identified or identifiable, then it’s clear why data controllers need to respond accordingly. Thus, Recital 64 translates into…

The GDPR instructs a data controller to use REASONABLE measures to verify the IDENTITY of the NATURAL PERSON who requests access.

Verifying the IDENTITY of the natural person will be WHOLLY DEPENDENT on what information they hold about the natural person.

Now, if a data subject has been identified by the data controller, then a reasonable course of action might be to ask for some formal ID. However, if the data subject is only identifiable by the data controller, then they cannot request formal ID, because a data controller cannot use the SAR process to change the status of a natural person from identifiable to identified. In other words, they cannot use the SAR process to formally identify someone who is not already identified on their system. A proportionate check in that situation uses the data already held: for example, requiring that the request come from, or be confirmed via, the email address on file, which is exactly what the controller relied on when it sent the marketing emails in the first place.

I sought advice from the ICO, and they clarified as follows:

Any organisation will need to ensure the identity of an individual before releasing personal data and as you rightly point out this should be appropriate and not be used to gather further personal information.

In my experience, the majority of organisations will require us to provide formal identification regardless, because their main aim is to deny us our key right. Take a look at some privacy notices; they’re all at it. And in some cases, they will be doing this because they don’t want to tell us how they obtained our data.

Finally, the company gave in and accepted that they had misled me. They said:

I have reviewed all the correspondence associated with your request and would like to apologise if our handling of your query has not always been clear or satisfactory. As a data controller, we have a responsibility to ensure that we do not inadvertently disclose personal information to someone other than the data subject. This is why we take steps to verify the identity of individuals making subject access requests. We acknowledge, however, that in this case, the request for additional documents to verify your identity was disproportionate and we apologise for any inconvenience this may have caused.

So, there you go.

Here’s my SAR process

If I have no prior relationship with the data controller, then when they ask me to provide formal ID, I ask them to provide me with the data categories, pursuant to Article 14(1)(d) GDPR. If they come back and tell me that they only hold my name, email address and location, then I remind them that they can only use this information to verify my identity.

If they refuse, then it’s a complaint to the ICO, followed by a claim for compensation if they do not comply once the ICO has told them to. I’d seek compensation in the small claims court before seeking a court order, and I’d use the money to pay for a court order. I’d then file a claim to recover the costs of the court order, if the judge doesn’t award me those costs anyway.

What I want to see is a growth of no-win, no-fee solicitors that focus on data protection law. They’re gradually appearing, and in the near future it will be common practice to claim compensation for an infringement.