GDPR Request to Talk Talk

yellowplum

In a nutshell I put a request through via post. Received an email reply asking me to identify myself (which is fine) although I believe sufficient information was given at the time of the letter. 

What was odd was the information they asked for in order to identify myself, they asked for a driving licence or passport AND utility bill (not talk talk). I am uncomfortable providing this information to them as I don't know what they are doing with it and it is overkill since they can identify me in other ways.  I don't know how they will process this information on indeed store it, it is only very insecure to send it via email to them. Even the ICO website states that this is overkill

Has anyone had experience with these odd requests for too much data to identify yourself?  How did you respond?  

MattMattMattUK

They need to identify you as it is a breach of data protection to give one person someone else's data, they asking for those details to comply with that, even if it might be a little excessive. 

If you do not identify yourself they will not send the data, so it is up to you, if you really feel you need the data then you will have to identify yourself, if you do not need the data then do not bother.

davidmcn

yellowplum said:

Has anyone had experience with these odd requests for too much data to identify yourself? 

It's not odd, it's quite normal (and proper) for them to require ID. There are no generally-applicable rules about what they must accept. You're already trusting them with your phone calls or internet data, I'm not sure this adds much to any risk really.

born_again

Given the number of time Talk Talk have had data breeches.
Overkill is something they need.

Uptown_Boy

They absolutely do not need a copy of your passport or driving licence. Not at all. (How would they use it to identify that you are you? They don't know what you look like after all). There is guidance on the ICO website about just this scenario, as I recall.

A copy of two utility bills (both redacted) which confirm your name and address, and/or a redacted utility bill and a redacted copy of your bank statement, is all that's needed to confirm your identity.

yellowplum

born_again said:

Given the number of time Talk Talk have had data breeches.
Overkill is something they need.

That's exactly what I was thinking!

yellowplum

Uptown_Boy said:

They absolutely do not need a copy of your passport or driving licence. Not at all. (How would they use it to identify that you are you? They don't know what you look like after all). There is guidance on the ICO website about just this scenario, as I recall.

A copy of two utility bills (both redacted) which confirm your name and address, and/or a redacted utility bill and a redacted copy of your bank statement, is all that's needed to confirm your identity.

Yes, indeed I did read this and something else someone wrote. A legal review of it that basically said that if under GDPR you go in as overkill (which they have in this instance) rather then using identifiable markers you may have already then you open yourself up to a further complaint and damages from the ICO.

I received letter in the post acknowledging it and also one via email.  So clearly they have data they can use, they have used the email address on my letter (or the one on my account). hmm.