One of the many points of the whole GDPR (General Data Protection Regulations) is to improve security on how data on individuals is collected and to reduce the amount of unnecessary information stored on us all.
Many organisations require proof of identity (ID) in order to provide you with a service. From banks to bookkeepers, from IFAs, to accountants and solicitors, from landlords to building societies, there are a whole raft of people who want to see your ID. It’s not because they are nosey or nervous, it is because there are an increasing number of laws that mean they have to have proof of who you are (and sometimes even your immigration status) before they can offer you service.
Do you need to share your passport?
The Information Commissioner’s advice to individuals is that ‘less is more’ and it is not wise to share information about yourself in order to reduce the risk of identity theft. (https://ico.org.uk/your-data-matters/identity-theft/). Sending your passport or driving license to an organisation can put you at risk if you (and they) don’t know what you are doing. You can be putting a lot at risk.
We still hear of people sending copies of their ID documents through the post, or just attaching it to emails.
We have heard tales of passports being photocopied and left in unlocked filing cabinets.
Before you share your ID
Before you hand over documents to confirm your identity ask for a copy of the organisation’s data privacy policy and ask for:
- confirmation of why they need this information (legal basis for processing)
- a copy of their data privacy policy
The data privacy policy should let you know how they intend to store it, secure it and when it will be deleted. It is really important that ID confirmation data is kept within a small group of people who really need to see it. Many organisations share this information too widely and the risk of loss increases with the number of people who have access.
- Ask for a secure method of transmitting this documentation to them
Ordinary post or email is not secure and anyone who asks you to use them has not made a proper assessment of the risks to you involved.
If you can’t get any clarity on this, you may want to think long and hard before sharing your ID with an organisation that has no idea how to proceed. You may be able to find service from someone who is more on the ball for data security.
If you are holding ID information
If you are holding ID confirmation data, it should be securely locked away and access restricted to only those people who need to sign off that the identity has been confirmed or to report to a regulator that this has been done. There is no need for people providing the day to day service to have access to these documents.
You would be wise to encrypt the data, so that even if someone without permission gains access to your systems they cannot read the files.
If you need to send this data on to another organisation you should make sure you have permission to do so before you transmit it and make sure you have a secure method of transmission.
Set up a secure email or online portal for receiving documents. You may have to educate some of your clients on how to use them, but it will be worth it in the long run. Clients can be the biggest hazard to their own data security – but that does not mean you don’t have to set things up properly in the first place.
Is big brother watching you?
You should be extremely careful about storing ID related data in other countries. Not all countries have appropriate data security standards, and even the USA is under fire from the EU over the level of government snooping permitted without a warrant.
If you are a frequent global traveller the chances are your data is already stored in the USA but if you have not travelled recently with an airline you can ask to see what personal data they hold on you and for your ID to be removed.
Identity is valuable
While we all like to imagine nothing will ever happen to us, anyone who has ever suffered from identity theft will tell you how difficult it can be to set things right. People steal ID related documents for a reason – and that reason is to access your money or to set up fake accounts in your name and profit from doing so. If you treat your ID documents as if they were a thousand pounds in cash you would never just put them in the post or email an open to email to a friend saying where they could pick up the cash. If you start to think of ID data in the same way it will set you on the right path.
If you are holding ID data for your customers (because you have to) remember to think of it as them lending you a thousand pounds in cash. Don’t leave it lying around when team members who have no business with it can see it and pick it up. Don’t post it on to other organisations in unsecured mail. Keep it secure and don’t keep it longer than you need to.
Find out more about our referral agreements and how they cover you and your business.
This Post Has 10 Comments
Hello,
is for GDPR a company or a not lucrative entity providing a service, e.g. favoring users having similar needs meet, allowed to ask for a passport scan or another ID document when creating a user account?
I mean, not for profiling, but only for safety purpose, e.g. preventing users to provide false information or to harm other users since they could be easily reported to authorities.
Likewise, is the same entity, for safety reasons, allowed to force users to provide they real names to the community and a profile picture to be easily recognized by the other users when meeting in the “real” life?
Thanks.
A lot depends on why and how this is being requested/done. Some organisations are required by law to verify your identity – for example if you are buying airline tickets, checking in and joining their frequent flyer club they will want passports or other suitable ID.
If there is no legal requirement, and the organisation is deciding to do that, they will have to have a legitimate reason under GDPR to collect this data, and, depending on the reason for collection, they will need to do a privacy impact assessment looking at whether there is a less intrusive way to achieve the same objective. It may be verifying your data at sign up is different to displaying real names and pictures during use. They will have to make both assessments and attempt to minimise the data they need in relation to their purpose.
Having done that they need to ensure their Data Privacy Policy sets out the reason for this and it is clearly identified at the point of sign up. They will also need to provide a secure way for you to share passport/ID information, store it, and delete it at the appropriate time. They will also need to establish an appropriate data retention period.
If all of this is clear upon sign up and you do not wish to do this, then your alternative would be to seek an alternative service that has lesser requirements.
There are legitimate privacy interests and concerns where individuals need anonymity such as people fleeing abusive partners. This would have to be balanced against the community objectives, which presumably are to reduce misinformation, harassment etc by removing anonymity.
The internet itself has to wrestle with anonymity versus the effects of lies, deceit, mani8uplation, criminality, and trolls. A lot will depend on the purpose of the group, the alternatives available. GDPR gives us some tools but it does not give us one simple yes/no answer.
Which do you value most? Your privacy or transparency when it comes to other people in the community that you may be dealing with?
To delete my data with Pizza hut rewards, they want a copy of my driving license or passport. I only want my data deleted due to the fact they have been hacked and don’t trust them. Why would I send them my passport?
This is overkill…If I am not part of their rewards scheme, I will not get free garlic bread with every 3 pizzas…not exactly a reason to see a passport. Any advice???
If you are making a Data Subject Access request the organisation is entitled to ask you to verify that you are who you say you are. This includes a request for deletion. A passport seems a bit over the top for pizzas. Ask them if they will accept the email, name and address you registered with and ask them for a copy of their data privacy policy. Tell them you are not going to share identity theft capable personal ID unless it is necessary and unless they can provide a secure transmission method and assurances of secure storage and deletion. The data privacy policy should make it plain the answers to all of this. So ask for that.
what is the minimum amount of information required to verify the identity of a customer to offer a service (eg to honor the warranty of a washing machine)
If you are being asked to provide this information as them for their reason for collecting it and a copy of their data privacy policy. There is no one size fits all answer to this. A lot depends on a) how you bought it (online or in the store) b) whether you bought a separate warranty from them, online or in-store and c) whether your address or email address has changed since the date of purchase.
In order to fix the machine at the very least they will need your address, the address you were at when you purchased, the name of the purchaser and who bought what warranty when. They will probably need a phone number to arrange an an engineer, and even an email if this is how it is done. They may assess that they need more information than this for a specific reason.
Hope this helps.
Can a housing association legitimately store copies of photographic ID securely for the duration of the period the tenancy is live in order to verify identity during the tenancy period and in order to prevent tenancy fraud (i.e. letting a property to one individual and another moving in, sub-letting)?
Yes provided it is plain at the point of asking for the photo ID what purpose you are keeping it for and (data retention) how long post tenancy you intend to keep the ID for it is fine. Remember you should not then use ID collected for one purpose for another unless it is plain you have more than one reason. If you are in the UK you would already be keeping some form of ID/immigration status information anyway when taking on new tenants.
Make sure your data privacy policy makes this all very clear and doubly make sure this information is securely stored and only staff who really need it get access.
Can TNT or FEDEX (Portugal) require a copy of a passport in a private declaration for Customs?
Does every shipper require it or just those two? It may be that is part of Portugal’s regulations on proof of ID for customs and nothing to do with the individual company at all.