Complaint as Sinn Féin asks for bank statements and photo ID from people looking to access data party holds on them
May 01 2021 02:30 AM
The Data Protection Commissioner (DPC) is examining a fresh complaint against Sinn Féin which is now asking for bank statements and photo identification from people requesting access to data the party holds on them.
Sinn Féin’s request for photo ID and bank statements in order to verify people’s identities has been described as “excessive and disproportionate” with the party facing new questions from the DPC over its handling of the names, addresses and perceived voting intentions of millions of voters on an internal database.
In an email sent to people who have filed requests under EU right to access data law, Sinn Féin states: “We require a copy of your passport or driving licence or other form of official identification and proof of address so that we can confirm your identity.
“Please provide a clear image or a scanned copy of a bank statement or utility bill showing your address. You may redact all detail from the bank statement or utility bill except the letterhead and your name and address. This is a legal requirement to ensure we do not comply with a request about you that is not from you.”
However, Daragh O’Brien, managing director of data protection and strategy consultancy Castlebridge Associates, said what Sinn Féin was looking for was “manifestly excessive” and that he had filed a complaint to the DPC over the matter.
“The key test is whether it is necessary and proportionate and it is not. They shouldn’t have asked for it,” Mr O’Brien said. “Any data protection officer who has had proper training should know that’s not the way to go.”
DPC deputy commissioner Graham Doyle said: “I can confirm that we have received a complaint in relation to this matter and are assessing it.”
Sinn Féin defended the practice saying it was “important not to release personal data to a requester who may not actually be the data subject concerned”.
A spokesperson said: “Sinn Féin has requested identifying information for the sole purpose of confirming the identity of the requester. Data provided for the purpose of identifying a requester is destroyed after the requester is identified.
“In the event that a requester cannot provide the documentation, Sinn Féin provides identification by alternative means; such as confirmation of address by sending correspondence to the address given by the requester. If the requester is already sufficiently identified to Sinn Féin, these documents are not required.”
However, Mr O’Brien said that as soon as a right to access request is made, Sinn Féin should look at the data they have on the person to determine whether the request is valid.
“A really simple way to disclose the data is in a password-
protected file and post the password to the address on the electoral register. Then you know that it’s gone to the address the person is living at.”