Proving Your Identity When You Make a Data Request

Why an organisation asks you to prove who you are

A data-subject request gives you access to information that is, by definition, about you. That is exactly why the organisation receiving it has to pause and check who is asking. Handing your records to the wrong person would itself be a personal-data breach, so a sensible identity check protects you as much as it protects the organisation.

Under UK GDPR, a controller (the organisation that decides how your data is used) is allowed to ask for reasonable information to confirm your identity where it has genuine, good-faith doubt about who sent the request. The ICO, the UK's data-protection regulator, frames this as a balancing act: enough checking to be confident, never so much that it becomes a barrier.

The key word is reasonable. Verification is meant to be proportionate to the sensitivity of the data involved. A request to see a mailing-list entry should not trigger the same scrutiny as a request for detailed financial or health records.

• The check confirms the request genuinely comes from you, not someone impersonating you.
• It must be proportionate to how sensitive the requested data is.
• It cannot be used as a tactic to delay or discourage a legitimate request.

What an organisation can reasonably ask for

There is no single fixed list of documents under UK GDPR. What counts as reasonable depends on the relationship you already have with the organisation and the data at stake. Often the simplest proof is something only you would know or control, rather than a formal ID document.

If you already hold an account, replying from the registered email address, answering a security question, or confirming details the organisation already has on file is frequently enough. Where the data is more sensitive, the organisation may ask for a copy of an identity document, though it should only request what it genuinely needs and should let you redact details that are not relevant to the check.

A useful rule of thumb: the organisation should ask for the least amount of information needed to be confident it is really you. If a request for documents feels disproportionate to what you are asking to see, you are entitled to ask why that level of proof is necessary.

• Confirming details from an existing account or registered email.
• Answering a security question already linked to your record.
• A redacted copy of an identity document, only where the data is sensitive enough to justify it.

How to clear the identity check smoothly

You can keep the verification step short by anticipating it. Sending your request from the email or account the organisation already associates with you removes most of the friction before it starts, and being specific about what you want helps the organisation match you to the right records quickly.

If you are asked for more than feels proportionate, it is reasonable to ask the organisation to explain what it needs and why. The time limit for responding to your request can pause while it is waiting for the information it reasonably needs to verify you, so providing what is genuinely required promptly keeps the clock moving in your favour.

This article is general information, not legal advice. If an organisation refuses to act, insists on excessive proof, or uses verification to avoid answering, you can raise the matter with the ICO. OSINTA helps you understand your own footprint and prepare your own requests; the decision about what to send, and to whom, always stays with you.

• Send the request from the email or account the organisation already has on file.
• Be specific about which data you are asking for, so they can locate it.
• Provide only what is genuinely needed, and ask for an explanation if a request seems excessive.

Frequently asked questions

Related terms

• Data Subject Access Request (DSAR)
• GDPR (General Data Protection Regulation)
• Personal data
• Data controller