Back in May I wrote about the data subject access request I had submitted to the Home Office, and how they required a ‘written confirmation of likeness’ signed by a very particular list of people before providing any information. This is purportedly to verify your identity, but as I noted at the time, the requirements are stricter than those that the same organisation sets for processing passport applications. One may reasonably surmise that this could be an attempt to put people off from making these requests.
I am following up with this post to document what happened after I submitted the request, for those interested in the reach and limits of data protection law.
Objection to the Home Office’s disproportionate requirements
At the time, I objected to the unusually stringent verification requirements, as well as that these would not be accepted online. Extract below:
As you will be aware, data controllers are required to undertake ‘reasonable measures’ to verify the identity of the person making the Data Subject Access Request. I submit that by providing a copy of my passport, and the passport number, that this more than satisfies the legal requirement.
Further, I submit that since the list of those who are considered appropriate to provide this written confirmation is less extensive than those who can act as a counter-signatory for a passport application in the first place, that this requirement is demonstrably disproportionate, and as such not required to respond to my request.
The Home Office responded simply to reiterate that the verification must be done via post:
We require that you send in a copy of your ID via the post, please have your photographic ID certified and sent to us at the address below.
We request certified ID in this method for security to reduce the chances of fraudulent data requests.
‘To reduce the chances of fraudulent data requests’? Aye, right. They did not address my questions about inconsistency.
I responded to press them on this:
I understand that you are obliged to take ‘reasonable measures’ to verify the identity of the person making the subject access request. However,
1. I do not see how requiring this to come via the post makes any difference whatsoever.
2. The requirements for certification are far stricter in terms of who can make such a certification than those who can counter-sign a passport (https://www.gov.uk/countersigning-passport-applications). This is not ‘reasonable’, or ‘proportionate’ within the meaning of the relevant law.
I am prepared to send in a certified copy of my ID to verify my identity, but I reject the requirement to have the certification made by one of the following:
* a legal representative, registered with the Office for the Immigration Services Commissioner (OISC)
* a solicitor, barrister or chartered legal executive
* a commissioner for oaths
* a registered charity
Instead, I ask you again to confirm that you will accept a ‘written confirmation of true likeness’ from someone on the same list that you accept for passport counter-signatories (detailed in the URL above).
If you refuse this, then your requirements would appear designed solely to prevent people from getting access to their data by implementing unreasonable stipulations, and I will be making a formal complaint to the ICO.
They did not respond to this, or my follow up e-mail a few weeks later, so on the 20th of June I reported them to the UK’s Information Commissioner (ICO).
Specifically, I drew attention to the inconsistency in the listed requirements for ID verification when it came to passport applications versus data subject access requests, and that it appeared that those that related to the latter were therefore disproportionate.
They replied in just over a week:
The DPA 1998 and DPA 2018 do not state what identification or verification data controllers may request. Data controllers must be satisfied as to the identity of the requester to ensure personal data is not inappropriately disclosed. This also helps prevent fraud. The ICO therefore reviews concerns regarding this matter on a case-by-case basis.
The ICO is satisfied that generally, the level of identification and verification requested by the HO for SARs is both reasonable and proportionate. This is because the HO must be certain of a requester’s identity before releasing any personal information.
In light of the above, we would advise that you provide the HO with the requested documents and verification of these documents to allow the organisation to process your SAR.
Basically, they just reiterated that data controllers have to take steps to verify the identify of those requesting data before processing a subject access request – choosing not to address the specific questions I had raised around proportionality.
I pressed them on this, and after about a month the ICO responded:
I understand that you are concerned about the level of identification requested by the Home Office for subject access requests, as it requires more identification for this than for passport applications.
As stated previously, this is not a matter that is of concern to the ICO at this time. I understand that it appears there is inconsistency within the Home Office in regards to identification requested. However, due to the nature of information held by the Home Office, it must satisfy itself as to the identity of a requester before disclosing personal data.
As it is not up to the ICO as to what the Home Office requests for different applications, and if you are concerned about inconsistencies within the Home Office, we suggest you raise this with the organisation.
I apologise the ICO can’t be of further assistance at this time. However, please note that the concerns you have raised will be kept on file. This will help us over time to build a picture of the Home Office’s information rights practices.
What this tells us
This process was informative as it demonstrates the barriers that organisations such as the Home Office will place in the way of those who seek to exercise their rights under data protection law. By making the process as difficult and cumbersome as possible, it locks out all but the most determined and able.
It also tells us a bit about the ICO’s role and reach in these cases: Namely, that it is extremely limited – at least when it comes to making assessments of proportionality. Rather than taking a holistic view of the data protection practices and requirements of an organisation, the ICO simply looks at each portion in isolation. In other words, it doesn’t matter whether the Home Office’s approach is entirely inconsistent, and demonstrates a clear lack of proportionality on any reasonable assessment of all the facts. The ICO only has to be satisfied that the requirements relating to a very narrow and immediate situation are proportionate, irrespective of the wider context.
This makes no sense except in the most literal of readings, and makes a mockery of the spirit of data protection legislation. We shouldn’t be too surprised that this is the approach of the Home Office though, given the appalling state of the UK’s immigration law.
I am currently debating whether or not to proceed with the formal ID verification process to see what they will provide once you get through the barriers. Watch this space.