07 January, 2020
Of all the data subject rights that individuals are granted under the GDPR and Data Protection Act 2018, the ability to make a Subject Access Request (SAR) for their own personal data is very likely to be the most pertinent right that an organisation will come across. Here we shall look quickly at recent, important changes to deadline considerations organisations will now have to comply with as well as a recent field test assessing organisation's ability to identify requesters correctly.
Following a ruling by the Court of Justice of the European Union (CJEU), there has been a change in how to interpret timescales for responding to a subject access request (SAR), as well as other individual rights requests.
The GDPR states that requests by individuals (such as a SAR) must be dealt with within 1 month. The timescale has now been clarified to make clear that the day of receipt if the SAR should be treated as 'day one', as opposed to the day after receipt e.g. a request received on 23rd Aug should be responded to by 23rd September, not 24th September as was previously calculated prior to this ruling.
The loss of one day may seem trivial, with organisations encouraged to ensure their SAR procedures do not leave their response to the crux of the deadline, however any constriction of required deadlines needs to now be reflected in organisations policies, procedures and staff training to ensure that this is not over-looked.
Earlier this year, university researcher James Pavur conducted a test of dozens of organisations SAR procedures throughout the UK and the US before presenting his findings at the annual Black Hat conference in Las Vegas in August. He contacted firms asking for personal data about his fiancé, not himself, to see what information he could gather without any actual proof he was acting with her consent.
It is important to note that this was all done without forging his fiancé's signature, he instead relied on existing information which could easily be compiled by even a rudimentary identity thief.
Each firm was asked what information they had on his fiancé, with an accompanying letter reminding the recipients of the one month deadline, as well as intimidating that he could provide additional identification if required through a 'secure online portal'. This was a deliberate ploy as he waged that most firms would lack such a capability and there're not pursue additional checks.
If am organisation gave up information to this initial request, Mr Pavur then used this data to answer follow-up questions thus granting even further access in an ever expanding cycle. This replicated typical identity theft tactics used in the real world, gathering publically available information from social media sites or professional networking sites to act as a 'small hook' to get access to someone's data before expanding the attack as new data was given out.
Some organisations had a strong initial response, such as asking for photo ID or a signed consent form, but then fell foul by allowing their standards to drop when offered alternative ID such as a redacted bank statement.
Whilst he had access to real documents of his fiancé, Mr Pavur noted that he deliberately chose documents that could be easily fabricated by an identity thief. In one case, he was able to convince an organisation to accept postmarked envelope as proof that he was acting as her agent, which is obviously far below a reasonable standard.
Overall, he was able to gather sixty spate pieces of information, from a list of previous purchases, her credit card number and expiry dates, several addresses, train journey movements and online login credentials. Incredibly, criminal data was shared with him by one organisations, one of the most tightly controlled types of personal data under current data protection laws.
Of the 83 organisations he conducted, 24% gave information without verifying his identity, 16% requested an easily forged type of ID, 39% asked for photo ID.
Some firms managed to fail the test without sharing aby data at all, with 5% denying they had his fiancés personal data at all (which they did) and 3% misinterpreting the request and subsequently deleting all her data, which is a breach of GDPR in its own regard.
Finally, 13% of the organisations contacted ignored the request altogether, which whilst this meant the "victim's" data was safe from Mr Pavur, did mean that there is still a significant portion of businesses who still do not have proper procedures or training in place in order to deal with SARs.
Without naming names, Mr Pavur noted that large organisations tended to do well, especially those from technologically based sectors, with small organisations tending to ignore the requests completely.
The main danger zone for accidently sharing data with identity thieves came from mid-sized organisations who appeared to have some form of GDPR compliance in place but these procedures were not robust enough to interrogate his role as a third party requester.
It is important to remember that third parties can act as an agent for an individual in order to press their data rights, but the consent to act in such a regard needs to be fully demonstrable. Organisations need to verify that the requester is either the data subject themselves or a third party (which may not be an individual themselves e.g. a law firm acting for their client) has the requisite authority to be making the request. Identification may be needed as well as proof of a Power of attorney/written consent for any agent act in the data subject's place.
If there is ever any doubt, always get back in touch with the requester to fully establish their identity and relationship to the individual concerned. Identity theft is a major concern in the 21st century, with the digitization and public publishing of people's personal data making this more viable than ever for any would be thief. As has been shown, confusion over GDPR can offer an additional 'in' for thieves though this can be closed off by the implementation of proper policies, procedures and training.
For more information contact Daniel Milnes in our Governance, Procurement & Information department via email or phone on 01254 222313. Alternatively send any question through to Forbes Solicitors via our online Contact Form.