Third Party Data Subject Access Requests
For any representative, agent or other third-party data subject access request (DSAR), it is the third party's responsibility under the Applied GDPR and Data Protection Act 2018 to provide evidence of entitlement (written authority or general power of attorney).
They should provide copies of the authority from the individual(s), including adequate proof of identity of the individual, along with their own evidenced proof of identity.
Given the number of fake email scams in circulation, with malicious intruders claiming to be organisations, it is worth having a way of confirming that the requesting organisation is genuine, especially if the request is made by email.
- Is the request trackable via the http header?
- Does the request include the company logo, registered address and company number, which could then be cross-referenced with Companies House?
- Does it include personal data of third parties? If so, you should be questioning the adequacy of the organisation as a controller.
- If in doubt, use the technique often referred to as “the malicious intruder test”: using your favourite search engine, locate the organisation's main telephone number independently of the email communication and check the requester's credentials.
In the case of public body organisations, they should also be stating under which provision of the legislation they are making the request. Most of these organisations make requests in written form, so be careful, and question anyone who makes or mentions a data subject access request in person and bombards you with snippets of the legislation, perhaps to imply that they are there on official public body business. If this happens, simply ask them: “are you requesting on behalf of the organisation or as an individual who just happens to work for one?”
If on official business, refer them to their own internal policy and do not disclose any personal data to them at that time.
If as an individual, refer them to your own policy for data subject access requests (which, remember, do not have to be in written form under the legislation, but should include providing proof of their identity) and process the request under your own policy; again, do not disclose anything at that time.
There are of course occasions that may require an urgent disclosure within the thirty day timeframe. If this is the case, seek guidance from the person responsible for data protection and privacy within your organisation.