DPA issues

It used to be the case that when a solicitor said that they were acting on behalf of a client that was sufficient authority for the RA to give them information.

Our local RA has suddenly become highly pedantic about this and their SAR form requires us to say that we have seen proof of our client’s ID, which it is rarely possible to obtain with MH clients. Anyway, when a file is opened remotely we often do not receive any forms back from the client.

As the LAA require all advice within the eligibility period to roll up into the same file this is causing us a logistical headache as we are unable to obtain information for the client after the tribunal has concluded. A client who was discharged after the MHT required proof that she was no longer subject to s3 but cannot provide us with proof of her identity, so we are unable to obtain the s23. Also the RA refuse to tell us whether a s2 client has been discharged or placed on s3 at the end of the 28 day period, so we are unable to provide a full closing letter with this info.

We have enough to do without going into battle with the RA about this. Can anyone think of a simple solution?

Maybe a subtle approach would just be to discuss the guidance on the ICO website.

The How to deal with a request for information: a step-by-step guide | ICO page gives some general guidance (emphasis added):

Step two: Know who you’re dealing with

If you’re not sure the requester is who they say they are, you must check this quickly. You shouldn’t ask for formal ID unless it’s necessary and proportionate. Instead, you could ask questions that only they would know, about reference numbers or appointment details for example. Or you can ask for ID that you can actually verify. There’s little point insisting on photo ID if you don’t know what the requester looks like – it should be proportionate.

The What should we consider when responding to a request? | ICO page goes into more detail (emphasis added):

Can we ask for ID?

You can ask for enough information to judge whether the requester (or the person the request is made on behalf of) is the person that the data is about. The key point is that you must be reasonable and proportionate about what you ask for. You should not request more information if the requester’s identity is obvious to you. This is particularly the case when you have an ongoing relationship with the individual.

The guidance gives this example:

You have received a written SAR from a current employee. You know this employee personally and have even had a phone conversation with them about the request. Although your organisation’s policy is to verify identity by asking for a copy of a utility bill, it is unreasonable to do so in this case since you know the person making the request.

It then follows the example with this:

You should also not request formal identification documents unless necessary. First you should think about other reasonable and proportionate ways you can verify an individual’s identity.

The data controller’s detention of the requester against his will for compulsory treatment must count as an “ongoing relationship” and, in any event, referring to the patient by name and ward would make his identity obvious.