Dispute over I.D.

[Figgydoody]

Hello all.

 

I am in dispute with a company that are trying to insist that I provide photographic I.D. to prove who I am, and that the ICO is allegedly backing them up in this. The company is not to be trusted, so might as well be Mickey Mouse saying that photo I.D. is required!lol

 

Please don't ask for specifics about the company, can't give them at present, but would appreciate bullet proof arguments, case law, any relevant info so I can tell them to go **** themselves!

 

Thanks in advance!

 

Figgydoody.

[lookinforinfo]

Figgydoody, it is a bit difficult to give advice when you have given so little information. We don't need the name of the company involved but we do need to know why they are asking for it.

 

Is this as a result of you asking for a SAR since companies do have ensure that they are sending data to the correct person. In any situation where the Data protection Act is involved one would

expect that ID was supplied. I cannot think why they would need photographic ID necessarily but I suppose a passport or driving licence would comply with their request. I doubt that the ICO

have said that in as many words and the company stating that are perhaps adding their own gloss on what ICO actually said. You could always ring up the ICO and ask them if it is their policy

and have a real moan if they deny it is.

[Figgydoody]

Hi Lookinforinfo,

 

The company has contacted me on an unsolicited basis numerous times, and when I raised issues of consent, and put a number of questions to them, the issue became a matter of safeguarding personal data. So they were happy to send emails to my email address, and initially were happy to correspond with me on many occasions, without my providing any proof of my I.D.

 

And given that I believe they are the ones who are contravening the Act being in possession of my data, why on earth should I provide them with even more personal info? I don't see why I should comply with their unreasonable demands, when it is highly likely they are acting unlawfully, and the DPA 1998 doesn't state that such specific I.D. need be provided.

 

Figgy.

[lookinforinfo]

If it were an SAR then this is the ICO take on identifying the person requesting data-

 

http://www.ico.org.uk/~/media/documents/library/Data_Protection/Detailed_specialist_guides/subject-access-code-of-practice.PDF

 

Confirming the requester’s identity

 

To avoid personal data about one individual being sent to another,

either accidentally or as a result of deception, you need to be

satisfied that you know the identity of the requester.

You can ask

for enough information to judge whether the person making the

request is the individual to whom the personal data relates (or a

person authorised to make a SAR on their behalf).

The key point is that you must be reasonable about what you ask

for. You should not request a lot more information if the identity of

the person making the request is obvious to you. This is particularly

the case when you have an ongoing relationship with the individual.

 

Example

You have received a written SAR from a current employee.

You know this employee personally and have even had a phone

conversation with them about the request. Although your

organisation’s policy is to verify identity by asking for a copy of a

utility bill, it would be unreasonable to do so in this case since you

know the person making the request.

 

However, you should not assume that, on every occasion,

the person making a request is who they say they are. In some

cases, it is reasonable to ask the person making the request to

verify their identity before sending them information.

 

 

That is pretty vague but most companies would normally have an address for a person making an SAR so as long as the address is the same it would seem nit picking to ask for more info.

You of course may not be requesting something totally different but there is not much out there that you could ask for that would necessitate even stronger Data Protection security.

[caro]

Why not contact the ico for confirmation as to whether the firm are correct?

[stu007]

If they are processing your data and you want to request they stop processing your data you could sent this letter:

 

http://www.consumeractiongroup.co.uk/forum/showthread.php?387321-S10-Notice-To-Cease-Processing-of-Data

[Figgydoody]

Hi Caro,

 

I plan to ring the ICO tomorrow. But the ICO are not always reliable when it comes to interpreting the DPA 98, and I would rather go by what the legislation states as opposed to the 'guidance' offered by the ICO. There are plenty of caggers who seem to have had problems with the ICO, and so if they said yes, you need to provide that level of I.D. I wouldn't be inclined to believe them, because the Act doesn't say that.

 

However, what is obvious is that the ICO do seem to give companies a really easy ride on a variety of matters, so, it wouldn't surprise me at all if they did not see any problem with a company asking for very specific personal data to satisfy themselves that the person is genuine. Which, then means these organisations have amassed even more very detailed and specific personal data, and before you know it, on the nod of the ICO it becomes 'industry good practice' to request photo I.D. (passport/driving licence) and quite probably a bl***y DNA sample for good measure!!!

 

Which of course will prove problematic for those of us who believe supplying such info is beyond the pale, and so we then have to decide to bite the bullet to get our SAR's fulfilled or not pursue our claims!

 

Yep, I know it's a rant, but hopefully the basis for it resonates with people?!

 

Figgy.

[caro]

I don't really understand why you'd bother getting into any discussion with them unless you want to use their services or whatever, especially when you don't know them.

[Figgydoody]

They have sent me unsolicited emails, lots of them! So I want to know what info they have, where they got it from and evidence of my consent to receive such emails, which I know I haven't given! So they have acquired, processed and undoubtedly shared my personal data unlawfully.

[dx100uk]

I really doubt they have

 

you have sadly prob been the cause of it.

 

BT

insurance

mobile phone account

PDL applications

 

and a whole host of these type of people that you sign up too

often send your emails on in lists

 

what people don't read is the small print

that says they can unless you unsub from it.

 

if you want he info the companyhas on you viaSAR

 

i'd send a copy of a utils bill

or

ctax bill

 

showing you are resident at the address

 

that's all you need to send

 

there is NO requirement to send ANY photo ID

nor is there a requirement to send additional proof of your sig

 

as you have to sign an SAR anyway.

 

pers id not be bothering

 

and live with it

 

dx

[Figgydoody]

Hi DX,

 

I am extremely careful who I share my data with and obsessively tick/untick boxes as necessary. Don't ask me how I know, but I know this company hasn't got the requisite consent to have acquired, processed and shared my data.

 

This is a big deal, these companies are sharing data with the world and his wife, in a lot of cases without consent, or without the appropriate consent, which amounts to the same thing. This situation is no different to the banks passing on your data to DCA's unlawfully for example, or the many other examples of banks, DCA's and CRA's carrying out unlawful practices with your personal data. The organisation may be different, but the principle is still the same!

 

I don't see why I should send even a council tax or utility bill, the salient point is, that to contact me by email, they have to have my consent in the first place under the PECR, so they are the ones who have to prove to me that they have a lawful/legitimate right to be in possession of my personal data.

 

It would make no sense whatsoever that they can send me numerous emails, (so using my data) and yet I have to prove my identity to their satisfaction, when they are using the data unlawfully.

 

I won't live with any situation that involves my personal data being abused and shared indiscriminately, we won't let the banks, DCA's and CRA's get away with it, so why accept it from other companies who are doing exactly the same thing?

 

Figgy.

[Klandestine]

The thing is these days you may have agreed to share your email address with this company - lots of terms and conditions which you obviously have to accept contain these type of clauses.

 

Will sending an email to them from the account they initially emailed you with not suffice?

[Figgydoody]

I haven't agreed to this company sending me emails, and they have done so unlawfully. They won't provide any evidence of my alleged consent to receive such emails, because they can't provide it, as it doesn't exist!

 

Much communication has passed between them and me, by email and they are trying to justify what they have done without furnishing proof that they have a legal right under the PECR and the DPA 1998 to send emails in the first place!

 

If a company is in possession of, processing and sharing your personal data unlawfully, do you consider it reasonable that they require you to provide evidence of your identity that goes beyond all reasonable requirements to be acceptable? And let's be clear here, this isn't a financial institution or other organisation that holds specific and/or sensitive info about me, yet they want to hold me to a level of scrutiny that not even an organisation that holds very personal/sensitive info would require!

 

Just because a company asks for a litany of personal I.D. to satisfy themselves as to your identity, does it mean you should acquiesce without questioning whether they are being reasonable in their request and whether they have a legal right to such info? If you simply accept that you MUST supply whatever they have asked for, you are adding to the problem by handing over whatever is asked for, without ever looking at the motivation for these companies demanding that you comply!

 

If you do nothing else, question everything, and accept NOTHING at face value!!! Apathy causes misery, maybe not today, but it will catch up with you, it always does! That's why CAG exists!

 

Figgy.