We are testing a new Post

Data breaches pose a threat to all businesses, with small enterprises bearing a significant vulnerability. Beyond the numbers lies a hidden landscape of vulnerabilities, especially for smaller entities. These breaches extend beyond financial repercussions, infiltrating trust and credibility, often compromising the very essence of a business.

BY Matthew Brown

Here is some guidance Data Subject Access Requests (DSARs).

Neither GDPR, nor the ICO provide specific details on what would be considered reasonable and proportionate. This is left for organisations to decide.

Below is guidance on what approach to take?

Employee or ex-employee requests

If you receive a request via your business email system from a member of staff, you already know who they are and proof of ID is not needed. However, it is likely to be necessary to ask for some proof of ID with requests from ex-employees. This could be asking for their staff ID number and NI number.


No additional information requested

Based on the context of the relationship with the requester and the nature of personal data to be provided, there are certain scenarios where it is probably not proportionate to request specific documents as proof of ID. I have given some examples below;

  • Where someone has an online account and submits a DSAR from an email address which is linked to their account, asking for it to be posted to an address currently held for them.
  • A request is received from a business email address, which matches the record held and the response will be given to the same email address.
  • Where you are able to conduct sufficient internal checks to validate the request, based on information they already know about the individual.


Additional information

Where there are doubts about the identity of the individual, you should request photo identification (e.g. a passport or driving licence) along with proof of address (such as a utility bill). Always log receipt, and then immediately and securely destroy copies of passports and driving licences and confirm same with requestor.


Third-party requests on behalf of a requestor

Always request that the third-party provides a signed letter of authority from the original requestor.

When someone makes a request on behalf of someone else, be this a law firm or a relative, clearly a robust approach needs to be taken. You absolutely want to check this is okay, for example asking for evidence of Power of Attorney or a letter of authority. This approach is supported by the ICO’s guidance which states:

“An individual may prefer a third party (e.g. a relative, friend or solicitor) to make a SAR on their behalf. The GDPR does not prevent this, however you need to be satisfied that the third party making the request is entitled to act on behalf of the individual. It is the third party’s responsibility to provide evidence of this. This might be a written authority to make the request or a more general power of attorney.”

The ICO’s guidance also makes specific reference to requests made by via a third party portal, and says you need to consider if you are able to verify identity and are satisfied the third party portal is acting with the authority and on behalf of the individual. It specifically states:

“You are not obliged to take proactive steps to discover that a SAR has been made. Therefore, if you cannot view a SAR without paying a fee or signing up to a service, you have not ‘received’ the SAR and are not obliged to respond. You should note that it is the portal’s responsibility to provide evidence that it has appropriate authority to act on the individual’s behalf. Mere reference to the terms and conditions of its service are unlikely to be sufficient for this purpose (see ‘Can a request be made on behalf of someone?’ above). The portal should provide this evidence when it makes the request (ie in the same way as other third parties). When responding to a SAR, you are also not obliged to pay a fee or sign up to any third party service. If you are in this position you should instead provide the information directly to the individual.”

In summary, it may not always be necessary to ask for additional documentation as proof of identity, where you’ve no doubt the individual is who they say they are, or can verify this in another way.

Finally, if you’re in any doubt, and the individual can’t or won’t prove who they are, you may take the decision not to fulfil a request. Just make sure you have document your decision and can defend it.

Add Your Heading Text Here


Relevant updates

Dive into some further information


We are testing a new Post


The Silent Revolution: How User Privacy Concerns Are Shaping the Future of Digital Marketing


The Functionality Compromise