Home Office Data Subject Access Request: Part Two.

Back in May I wrote about the data subject access request I had submitted to the Home Office, and how they required a ‘written confirmation of likeness’ signed by a very particular list of people before providing any information. This is purportedly to verify your identity, but as I noted at the time, the requirements are stricter than those that the same organisation sets for processing passport applications. One may reasonably surmise that this could be an attempt to put people off from making these requests.

I am following up with this post to document what happened after I submitted the request, for those interested in the reach and limits of data protection law.

Objection to the Home Office’s disproportionate requirements

At the time, I objected to the unusually stringent verification requirements, as well as to the fact that these would not be accepted online. Extract below:

As you will be aware, data controllers are required to undertake ‘reasonable measures’ to verify the identity of the person making the Data Subject Access Request. I submit that by providing a copy of my passport, and the passport number, that this more than satisfies the legal requirement.

Further, I submit that since the list of those who are considered appropriate to provide this written confirmation is less extensive than those who can act as a counter-signatory for a passport application in the first place, that this requirement is demonstrably disproportionate, and as such not required to respond to my request.

The Home Office responded simply to reiterate that the verification must be done via post:

We require that you send in a copy of your ID via the post, please have your photographic ID certified and sent to us at the address below.

 [address omitted]

We request certified ID in this method for security to reduce the chances of fraudulent data requests.

‘To reduce the chances of fraudulent data requests’? Aye, right. They did not address my questions about inconsistency.

I responded to press them on this:

I understand that you are obliged to take ‘reasonable measures’ to verify the identity of the person making the subject access request. However,

1. I do not see how requiring this to come via the post makes any difference whatsoever.

2. The requirements for certification are far stricter in terms of who can make such a certification than those who can counter-sign a passport (https://www.gov.uk/countersigning-passport-applications). This is not ‘reasonable’, or ‘proportionate’ within the meaning of the relevant law.

I am prepared to send in a certified copy of my ID to verify my identity, but I reject the requirement to have the certification made by one of the following:

* a legal representative, registered with the Office for the Immigration Services Commissioner (OISC)
* a solicitor, barrister or chartered legal executive
* a commissioner for oaths
* a registered charity

Instead, I ask you again to confirm that you will accept a ‘written confirmation of true likeness’ from someone on the same list that you accept for passport counter-signatories (detailed in the URL above).

If you refuse this, then your requirements would appear designed solely to prevent people from getting access to their data by implementing unreasonable stipulations, and I will be making a formal complaint to the ICO.

They did not respond to this, or to my follow-up e-mail a few weeks later, so on the 20th of June I reported them to the UK’s Information Commissioner (ICO).

ICO Complaint

Specifically, I drew attention to the inconsistency in the listed requirements for ID verification when it came to passport applications versus data subject access requests, and that it appeared that those that related to the latter were therefore disproportionate.

They replied in just over a week:

The DPA 1998 and DPA 2018 do not state what identification or verification data controllers may request. Data controllers must be satisfied as to the identity of the requester to ensure personal data is not inappropriately disclosed. This also helps prevent fraud. The ICO therefore reviews concerns regarding this matter on a case-by-case basis.

The ICO is satisfied that generally, the level of identification and verification requested by the HO for SARs is both reasonable and proportionate. This is because the HO must be certain of a requester’s identity before releasing any personal information.

In light of the above, we would advise that you provide the HO with the requested documents and verification of these documents to allow the organisation to process your SAR.

Basically, they just reiterated that data controllers have to take steps to verify the identity of those requesting data before processing a subject access request – choosing not to address the specific questions I had raised around proportionality.

I pressed them on this, and after about a month the ICO responded:

I understand that you are concerned about the level of identification requested by the Home Office for subject access requests, as it requires more identification for this than for passport applications.

As stated previously, this is not a matter that is of concern to the ICO at this time. I understand that it appears there is inconsistency within the Home Office in regards to identification requested. However, due to the nature of information held by the Home Office, it must satisfy itself as to the identity of a requester before disclosing personal data.

As it is not up to the ICO as to what the Home Office requests for different applications, and if you are concerned about inconsistencies within the Home Office, we suggest you raise this with the organisation.

I apologise the ICO can’t be of further assistance at this time. However, please note that the concerns you have raised will be kept on file. This will help us over time to build a picture of the Home Office’s information rights practices.

What this tells us

This process was informative as it demonstrates the barriers that organisations such as the Home Office will place in the way of those who seek to exercise their rights under data protection law. By making the process as difficult and cumbersome as possible, it locks out all but the most determined and able.

It also tells us a bit about the ICO’s role and reach in these cases: Namely, that it is extremely limited – at least when it comes to making assessments of proportionality. Rather than taking a holistic view of the data protection practices and requirements of an organisation, the ICO simply looks at each portion in isolation. In other words, it doesn’t matter whether the Home Office’s approach is entirely inconsistent, and demonstrates a clear lack of proportionality on any reasonable assessment of all the facts. The ICO only has to be satisfied that the requirements relating to a very narrow and immediate situation are proportionate, irrespective of the wider context.

This makes no sense except in the most literal of readings, and makes a mockery of the spirit of data protection legislation. We shouldn’t be too surprised that this is the approach of the Home Office though, given the appalling state of the UK’s immigration law.

I am currently debating whether or not to proceed with the formal ID verification process to see what they will provide once you get through the barriers. Watch this space.

Home Office Data Subject Access Request: Part One

Data Subject Access Requests (under Article 10 of the Data Protection Act 1998) are powerful tools that allowed people to request a copy of any information held on them by organisations (with some exceptions). In order to provide a response, a fee of up to £10 could be charged.

With the new GDPR era, these fees are no longer going to apply, and the access requests will now be covered by Section 94 of the Data Protection Act 2018 (which is set for Royal Assent today). As a result, I suspect we will be seeing far more of these requests… and given how underprepared most organisations have proven to be with the DPA 98’s mechanisms, it will be interesting to see how they cope.

I decided to investigate the process myself with none other than the UKVI. Formerly known as the UKBA. The visas and immigration people. I’m pretty sure they must have some interesting information on me, especially given that my spouse is a foreign national.

Handily, they have a page where you can submit your request for information on gov.uk. The process is, as you would expect, fairly convoluted. There are three categories of information you can request: Basic, Specific, or Detailed. For the ‘Detailed’ request, they are still asking for the £10 fee. However, in order to verify your identity, they require a host of information, including:

  • Your passport number.
  • A copy of your passport.
  • Written confirmation that your passport is a ‘true likeness’ of you.

Interestingly, they ask for a lot more information, including your parents’ date of birth, etc. This is noted as being ‘optional’, but still presents itself in such a way that it seems like it might be required. Let’s repeat after me: Data Subject Access Requests should not be an excuse to mine more data. I chose not to provide any more details than was necessary.

Back to what was required: Data controllers have an obligation to take ‘reasonable measures’ to verify the identity of a person making a request, and so some of this is fair enough. However, the passport number alone should be sufficient, since the UKVI hold all of the information anyway. A copy of the passport seems unnecessary, and the written confirmation of the likeness just seems bonkers – especially since the list of people who can give this certification is prohibitively small:

  • a legal representative, registered with the Office for the Immigration Services Commissioner (OISC)
  • a solicitor, barrister or chartered legal executive
  • a commissioner for oaths
  • a registered charity

Now, I am not one to suggest that the UKVI may well be trying to make it as difficult as possible for somebody to make a subject access request, but it certainly seems like this is not in the spirit of the GDPR, or the DPA 2018. The list above is even more restrictive than the categories of people who can countersign photos to get a passport in the first place. To illustrate the point, here are the professions of folks who can counter-sign your initial passport application:

Examples of recognised professions include:

  • accountant
  • airline pilot
  • articled clerk of a limited company
  • assurance agent of recognised company
  • bank/building society official
  • barrister
  • chairman/director of limited company
  • chiropodist
  • commissioner for oaths
  • councillor, eg local or county
  • civil servant (permanent)
  • dentist
  • director/manager/personnel officer of a VAT-registered company
  • engineer – with professional qualifications
  • financial services intermediary, eg a stockbroker or insurance broker
  • fire service official
  • funeral director
  • insurance agent (full time) of a recognised company
  • journalist
  • Justice of the Peace
  • legal secretary – fellow or associate member of the Institute of Legal Secretaries and PAs
  • licensee of public house
  • local government officer
  • manager/personnel officer of a limited company
  • member, associate or fellow of a professional body
  • Member of Parliament
  • Merchant Navy officer
  • minister of a recognised religion – including Christian Science
  • nurse – RGN or RMN
  • officer of the armed services
  • optician
  • paralegal – certified paralegal, qualified paralegal or associate member of the Institute of Paralegals
  • person with honours, eg an OBE or MBE
  • pharmacist
  • photographer – professional
  • police officer
  • Post Office official
  • president/secretary of a recognised organisation
  • Salvation Army officer
  • social worker
  • solicitor
  • surveyor
  • teacher, lecturer
  • trade union officer
  • travel agent – qualified
  • valuer or auctioneer – fellows and associate members of the incorporated society
  • Warrant Officers and Chief Petty Officers

This means that the requirements for verifying ‘likeness’ are higher to get information held on you by the UKVI, than they are to get a passport in the first place.

For my subject access request, I have been told I have 15 days to submit the relevant documentation, including the above:

[Image: UKVI Requirements]

Despite making the application online, I also apparently can’t submit the evidence online – so I’m not sure what the point of offering such a service is in the first place.

In my opinion, the requirements are not ‘reasonable’, and providing my passport number alone should be enough. As a result, I will not be submitting statements from a solicitor or charity at this point to support my request. I am going to operate on the assumption that the online system is not properly equipped to deal with subject access requests, and that the evidential standard is being confused with actual visa applications. I have contacted the UKVI directly with these concerns. Here’s what I said:

Reference: [redacted]

Hi,

I have just submitted a Data Subject Access Request under s.10 of the DPA 98 and s.94 of the DPA 2018 (which just received Royal Assent). This should further be considered in light of Article 15 of the GDPR.

As part of the evidential requirements listed on your site, I must provide:

1. A copy of my passport.
2. A ‘written confirmation of true likeness’ from a third party.
3. A letter of permission.

Firstly, I want to point out that there is no way to provide these documents online, despite the initial application being made online. I therefore request that you agree to receive items 1 and 3 electronically, rather than by post.

Secondly, I object to the requirement to provide a written confirmation of true likeness. As you will be aware, data controllers are required to undertake ‘reasonable measures’ to verify the identity of the person making the Data Subject Access Request. I submit that by providing a copy of my passport, and the passport number, that this more than satisfies the legal requirement.

Further, I submit that since the list of those who are considered appropriate to provide this written confirmation is less extensive than those who can act as a counter-signatory for a passport application in the first place, that this requirement is demonstrably disproportionate, and as such not required to respond to my request.

To summarise, please advise that:

1. You will accept items 1 and 2 from the above electronically.
2. That the written confirmation of true likeness is not required to give effect to the request under the relevant law.

Yours sincerely,

We will see what happens. Should my subject access request be denied, then it would appear that the UKVI really are requiring a disproportionately high standard to verify people for their Data Subject Access Requests, and I’ll need to revisit it at that point. Stay tuned.