Is there a cryptographic solution to the GDPR SAR ID check problem?
There are two bits of apparently contradictory advice on the internet. The first is somewhat harder to find because it seems so obvious:
- Don't give out your personal information unless you first find out how it's going to be used and how it will be protected
The second in some form is in most pages from the google of "How do I make a subject access request"
- Your SAR should include:Your name ... Your current contact details
Also relevant is the advice given to companies in regards identity verification when presented with an SAR. From here Recital 64 of GDPR states;
“The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers.”
In the ICO’s detailed Right of Access Guidance (published October 2020) it states;
You can ask for enough information to judge whether the requester (or the person the request is made on behalf of) is the person that the data is about.
Some situations where I am sending an SAR are somewhat adversarial, as in I suspect they do not have a valid justification for processing my personal information. In these situations I do not want to send any information they do not already have, and it does not seem "reasonable and proportionate" for the data controller to request data they do not hold. Is there an accepted mechanism to solve this problem?
I know one should not design ones own schemes, but just to demonstrate the sort of thing I am thinking about one could send the md5 hash of ones identifiers with "randomStringOne" appended and request the data controller send the md5 hash of any identifiers they request (such as driving licence number for driving licence) with "randomStringTwo" appended.
