Proving your identity and GDPR
One of the aims of the GDPR (General Data Protection Regulation) is to improve the security of how data on individuals is collected and to reduce the amount of unnecessary information stored about us all.
Many organisations require proof of identity (ID) in order to provide you with a service. From banks to bookkeepers, from IFAs to accountants and solicitors, from landlords to building societies, there is a whole raft of people who want to see your ID. It’s not because they are nosey or nervous; it is because there are an increasing number of laws that mean they have to have proof of who you are (and sometimes even your immigration status) before they can offer you a service.
Do you need to share your passport?
The Information Commissioner’s advice to individuals is that ‘less is more’: to reduce the risk of identity theft, it is not wise to share information about yourself (https://ico.org.uk/your-data-matters/identity-theft/). Sending your passport or driving licence to an organisation can put a lot at risk if you (and they) don’t know what you are doing.
We still hear of people sending copies of their ID documents through the post, or just attaching them to emails.
We have heard tales of passports being photocopied and left in unlocked filing cabinets.
Before you share your ID
- Ask for confirmation of why they need this information (legal basis for processing)
- Ask for a secure method of transmitting this documentation to them
Ordinary post or email is not secure, and anyone who asks you to use them has not made a proper assessment of the risks involved for you.
If you can’t get any clarity on this, you may want to think long and hard before sharing your ID with an organisation that has no idea how to proceed. You may be able to find service from someone who is more on the ball for data security.
If you are holding ID information
If you are holding ID confirmation data, it should be securely locked away and access restricted to only those people who need to sign off that the identity has been confirmed or to report to a regulator that this has been done. There is no need for people providing the day-to-day service to have access to these documents.
You would be wise to encrypt the data, so that even if someone without permission gains access to your systems, they cannot read the files.
If you need to send this data on to another organisation, you should make sure you have permission to do so before you transmit it, and that you have a secure method of transmission.
Set up a secure email or online portal for receiving documents. You may have to educate some of your clients on how to use them, but it will be worth it in the long run. Clients can be the biggest hazard to their own data security – but that does not mean you don’t have to set things up properly in the first place.
Is big brother watching you?
You should be extremely careful about storing ID-related data in other countries. Not all countries have appropriate data security standards, and even the USA is under fire from the EU over the level of government snooping permitted without a warrant.
If you are a frequent global traveller, the chances are your data is already stored in the USA, but if you have not travelled recently with an airline, you can ask to see what personal data they hold on you and for your ID to be removed.
Identity is valuable
While we all like to imagine nothing will ever happen to us, anyone who has ever suffered from identity theft will tell you how difficult it can be to set things right. People steal ID-related documents for a reason – and that reason is to access your money or to set up fake accounts in your name and profit from doing so. If you treated your ID documents as if they were a thousand pounds in cash, you would never just put them in the post or send an open email to a friend saying where they could pick up the cash. If you start to think of ID data in the same way, it will set you on the right path.
If you are holding ID data for your customers (because you have to), remember to think of it as them lending you a thousand pounds in cash. Don’t leave it lying around where team members who have no business with it can see it and pick it up. Don’t post it on to other organisations in unsecured mail. Keep it secure and don’t keep it longer than you need to.