PCN for double dipping without stopping

Chilts

Le_Kirk said:

Report them again to ICO for asking for photo ID  and not just getting on with what they've been told to do by the ICO!

Haha, I like it! 

Replied to ICO to inform them that the PPC are requesting photo ID

Chilts

Le_Kirk said:

Report them again to ICO for asking for photo ID  and not just getting on with what they've been told to do by the ICO!

The ICO have replied and told me that it’s perfectly acceptable for them to ask for ID, which I completely understand but I have asked for clarity in exactly what ID. 

Le_Kirk

Chilts said:

Le_Kirk said:

Report them again to ICO for asking for photo ID  and not just getting on with what they've been told to do by the ICO!

The ICO have replied and told me that it’s perfectly acceptable for them to ask for ID, which I completely understand but I have asked for clarity in exactly what ID. 

Yes but not photo ID.  To what are they going to compare it?  Do they have access to a database of photos of every person in UK.  Nowhere on the ICO website does it mention photo ID.

Fruitcake

The ICO on their website states that asking for photo' ID is unreasonable, so you should quote it back to the ICO in your complaint.

Le_Kirk

Fruitcake said:

The ICO on their website states that asking for photo' ID is unreasonable, so you should quote it back to the ICO in your complaint.

Excellent, where did you find it, I thought that I had seen it some time ago but now can find no mention of photo ID, either needed or not needed.

Fruitcake

The exact words are less distinct than I thought.

From the ICO website - 
How to deal with a request for information: a step-by-step guide | ICO

"There’s little point insisting on photo ID if you don’t know what the requester looks like – it should be proportionate."

Le_Kirk

Ta @Fruitcake, I was looking in the advice to "the public" never thought (this time) to look in "advice to organisations"!  shame it doesn't specifically state NOT REQUIRED or UNLAWFUL rather than LITTLE POINT but hey ho, something to advise motorists about.

1505grandad

Not sure of the date of the above but:-

https://dpnetwork.org.uk/subject-access-requests-proof-of-id/

[Update] In the ICO’s detailed Right of Access Guidance (published October 2020) it states;

“You can ask for enough information to judge whether the requester (or the person the request is made on behalf of) is the person that the data is about. The key point is that you must be reasonable and proportionate about what you ask for. You should not request more information if the requester’s identity is obvious to you. This is particularly the case when you have an ongoing relationship with the individual.”

It continues to say:

“You should also not request formal identification documents unless necessary. First you should think about other reasonable and proportionate ways you can verify an individual’s identity. You may already have verification measures in place which you can use, for example a username and password.

However, you should not assume that on every occasion the requester is who they say they are. In some cases, it is reasonable to ask the requester to verify their identity before sending them information.

How you receive the SAR might affect your decision about whether you need to confirm the requester’s identity.”

Neither GDPR, nor the ICO provide specific details on what would be considered reasonable and proportionate. This is left for organisations to judge.

Fruitcake

With regards to, "This is particularly the case when you have an ongoing relationship with the individual.”

To me this means if you have received a PCN or court claim, quoting the PPC's own reference/PCN/claim number back at them along with your name should be sufficient proof of ID.

I do hate the word "ongoing" though. "Continuing" was a perfectly acceptable word when I wore a younger man's clothes.

Le_Kirk

1505grandad said:

Not sure of the date of the above but:-

https://dpnetwork.org.uk/subject-access-requests-proof-of-id/

[Update] In the ICO’s detailed Right of Access Guidance (published October 2020) it states;

“You can ask for enough information to judge whether the requester (or the person the request is made on behalf of) is the person that the data is about. The key point is that you must be reasonable and proportionate about what you ask for. You should not request more information if the requester’s identity is obvious to you. This is particularly the case when you have an ongoing relationship with the individual.”

It continues to say:

“You should also not request formal identification documents unless necessary. First you should think about other reasonable and proportionate ways you can verify an individual’s identity. You may already have verification measures in place which you can use, for example a username and password.

However, you should not assume that on every occasion the requester is who they say they are. In some cases, it is reasonable to ask the requester to verify their identity before sending them information.

How you receive the SAR might affect your decision about whether you need to confirm the requester’s identity.”

Neither GDPR, nor the ICO provide specific details on what would be considered reasonable and proportionate. This is left for organisations to judge.

@1505grandad great ammunition for any poster who is having issues with PPC wanting unwarranted ID confirmation.  Yet again it doesn't specifically mention PHOTO ID and one can perhaps take it that if it doesn't state so, then it isn't required!