So you might think this isn't even a question you need to ask - surely the answer is you only release personal data to the person who it relates to.
This exercise proved a couple of really interesting points:
- Small companies often ignored them - this is against the law.
- Larger, tech savvy companies did the right thing at the right time.
- 1 in 4 of the companies contacted delivered personal data about someone else when requested.
- Medium sized companies were most likely to reveal personal data about someone else.
This is really shocking information when details of hotel stays, criminal records checks and train journeys were released to someone other than the subject.
So what should we be doing to help avoid this?
Can we ask an individual for ID?
First and foremost we recommend you confirm the identity of the requestor before any release of data in the form of photo ID and / or proof of address.
Col8's Subject Access Request tool Data Transparency helps you to manage this process by collecting the ID against the request before starting, meaning you will not provide information against the law like companies did during this exercise.
If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality.
Now this is a tricky one and something that GDPR has bought as a burden to companies. Not only do you need to release this information within 31 days of beginning the process but also you need to protect other peoples personal data as well.
In terms of data like video this means redacting other people from the shots as shown on the right. Data Transparency has access to AI video redacting tools to help with this process as well.
What about requests made on behalf of others?
There are some examples where you can and should release personal information to a third party. The ICO gives the following guidance but we suggest you contact them specifically if you are unsure as to whether or not to release the data.
The GDPR does not prevent an individual making a subject access request via a third party. Often, this will be a solicitor acting on behalf of a client, but it could simply be that an individual feels comfortable allowing someone else to act for them. In these cases, you need to be satisfied that the third party making the request is entitled to act on behalf of the individual, but it is the third party’s responsibility to provide evidence of this entitlement. This might be a written authority to make the request or it might be a more general power of attorney.
A lot of the issues we have seen here relate to the process not being understood. We know this is hard for organisations of any size to manage and often everyone is trying to reinvent the wheel. That is why we created Data Transparency to help make the flow of information for Subject Access Requests around video simple and easy.