copy

Why it’s not appropriate to ask for a copy of the identity card by default and systematically before you respond to a #GDPR data access request?

The EDPB guidelines on the data subject’s rights of access contain 60 pages of very useful instructions. This article is not elaborating all of it, but only highlights the topics relative to the use of ID card photocopies, as there has been a recent case at the Belgian Data Protection Authority strongly referring to the data access request guidelines by the European Data Protection board (EDPB).

Background

In a recent publication of a case (DOS-2020-05314), the Belgian Data protection Authority decided to classify the complaint itself without any consequences, but they explicitly confirmed that the use of a photocopy of the ID card is a very bad idea in general.

A very clear reminder that you shall not systematically request a copy of the identity card

In the motivation of the case it sets a very clear reminder that it’s considered illegal to systematically request for a copy of an identity card as a condition to respond to a GDPR data access request, in accordance with the EDPB (European Data Protection Board) guidelines on the right to access.

Why is a copy of an ID card a bad idea?

The copy of the ID card contains a lot of sensitive data like your national number, that can be abused to harm you, by stealing your identity.
Using your identity data, people can open bank accounts and credits, steal your many, empty your existing bank account, … so the impact is very personal, very real and very high when your identity is stolen.

EDPB guidelines Guidelines 01/2022 on data subject rights – Right of access

The highlights

The EDPB explains in the executive overview of their guidelines that “The right of access of data subjects is enshrined in Arti. 8 of the EU Charter of Fundamental Rights. It has been a part of the European data protection legal framework since its beginning and is now further developed by more specified and precise rules in Art. 15 GDPR.

“There are no specific requirements on the format of a request. The controller should provide appropriate and user-friendly communication channels that can easily be used by the data subject.”

“The request for additional information must be proportionate to the type of data processed, the damage that could occur etc. in order to avoid excessive data collection.”

Do not excessively demand for personal data when validation of access request

In the guidelines, the EDPB says:

“65. /../ In general, the fact that the controller may request additional information to assess the data subject’s identity cannot lead to excessive demands and to the collection of personal data which are not relevant or necessary to strengthen the link between the individual and the personal data requested.”

Copy of ID card should generally not be considered an appropriate way of authentication

EDPB guideline:

74. Taking into account the fact, that many organisations (e.g. hotels, banks, car rentals) request copies of
their clients’ ID card, it should generally not be considered an appropriate way of authentication
.

Alternatively, the controller may implement a quick and effective security measure to identify a data subject who has been previously authenticated by the controller, e.g. via e-mail or text message containing confirmation links, security questions or confirmation codes.”

Information on the ID that is not necessary for confirming the identity should be hidden

EDPB guidine 75:
In any case, information on the ID that is not necessary for confirming the identity of the data subject,
such as the access and serial-number, nationality, size, eye colour, photo and machine-readable zone,
may be blackened or hidden
by the data subject before submitting it to the controller, except where
national legislation requires a full unredacted copy of the identity card (see para. 77 below).

Generally, the date of issue or expiry date, the issuing authority and the full name matching with the online
account are sufficient for the controller to verify the identity, always provided that the authenticity of
the copy and the relation to the applicant are ensured. Additional information such as the birth date
of the data subject may only be required in case the risk of mistaken identity persists, if the controller
is able to compare it with the information it already processes.

Inform about data minimization and apply it.

EDPB guideline 76.

“To follow the principle of data minimisation

the controller should inform the data subject about the information that is not needed and

about the possibility to blacken or hide those parts of the ID document.

In such a case, if the data subject does not know how or is not able to blacken such information, it is good practice for the controller to blacken it upon receipt of the document, if this is possible for the controller, taking into account the means available to the controller in the given circumstances.”

Making the information available in a commonly used electronic form

Following EDPB guideline, paragraph 32, the controller must provide the answer in a commonly used electronic form.

the event of a request by electronic form means, information shall be provided by electronic means
where possible and unless otherwise requested by the data subject
(see Art. 12(3)). Art. 15(3), third
sentence, complements this requirement in the context of access requests by stating, that the
controller is in addition obliged to provide the answer in a commonly used electronic form, unless
otherwise requested by the data subject
. Art. 15(3) presupposes, that for controllers who are able to
receive electronic requests it will be possible to provide the reply to the request in a commonly used
electronic form (e.g. in PDF). This provision refers to all the information that needs to be provided in
accordance with Art. 15(1) and (2). Therefore, if the data subject submits the request for access by
electronic means, all information must be provided in a commonly used electronic form.”

Some practical data protection life hacks

Protecting your identity card

  • keep your ID card in your pocket or wallet as much as possible.
  • do NOT hand over your identity card to any party, unless it’s a legal authority (police, … )
  • Quickly showing your ID card for validation is fine, but resist to the requests to get a copy of your card.
  • prepare to have a masked paper copy of your ID card,
    • make sure to hide all the irrelevant, sensitive information yourself
    • keep a paper copy in your wallet
  • Prepare a masked digital photo copy of your ID card, yourself.
  • mask all all the irrelevant, sensitive information on your identity card, do it yourself
    • eg, use tippex to wipe out info, but you can simply scratch tippex when an official authority needs to validate your sensitive information)
    • ‘accidental’ copies will still mask your data, and you can detect if an unauthorized party scratches your ID card

From a corporate perspective

  • Do not request copies of identity cards by default, there are many more practical means to verify identity in a secure way
  • Only authenticate ID cards, when there are no other options.
  • use electronic authentication without disclosure of sensitive data
  • use an alternative means of authentication, there are many ways to do this securely
  • do not keep a copy of any identity card, there are virtually NO reasons to keep a copy, quick validation is mostly enough
  • delete any copy of identity cards as soon as possible…

Reference information: