Loading…
Menu icon Search icon
Contact us
Mobile filter icon Mobile contact icon
Read time: 2 minutes
On this page
Go to
Top of page
News & insights
Stay in touch
Sign up to our mailing list
LinkedIn
Contact us
Print this page

When a Data Subject Access Request is not all it seems!

There are concerns that the Data Subject Access Request widely publicised as part of our rights under GDPR might be used as a vehicle for identity theft.
 

Using social engineering techniques (LinkedIn, Facebook etc) it is feasible that a Data Subject Access Request (DSAR) may contain enough information for you to assume that the data request is genuine.

The valuable information you hold (particularly on ex-employees) could be used for identity theft or fraud. You might be called, as part of the request, to supply valuable items such as name, address, date and place of birth, national insurance number; all great ingredients of an identity thief’s toolkit.

We recommend that your privacy policy states clearly that your DSAR process requires a robust verification of identity and address and that it is reinforced by independent confirmation.

If possible, seek to engage the requestor to both clarify the scope of the request and to ensure that you have sight of originals or certified copies of originals. Bear in mind that whilst identity verification may not be used to unduly delay a response, the DSAR clock does not start ticking until you have received the required information and may be required to prevent an inadvertent breach.

About the author

David Fardell

+44 (0)20 7556 1437
fardelld@buzzacott.co.uk

Using social engineering techniques (LinkedIn, Facebook etc) it is feasible that a Data Subject Access Request (DSAR) may contain enough information for you to assume that the data request is genuine.

The valuable information you hold (particularly on ex-employees) could be used for identity theft or fraud. You might be called, as part of the request, to supply valuable items such as name, address, date and place of birth, national insurance number; all great ingredients of an identity thief’s toolkit.

We recommend that your privacy policy states clearly that your DSAR process requires a robust verification of identity and address and that it is reinforced by independent confirmation.

If possible, seek to engage the requestor to both clarify the scope of the request and to ensure that you have sight of originals or certified copies of originals. Bear in mind that whilst identity verification may not be used to unduly delay a response, the DSAR clock does not start ticking until you have received the required information and may be required to prevent an inadvertent breach.

Related links
17 December 2020
Furlough scheme further extended to April 2021
The extension is intended to provide greater certainty for employers, allowing a degree of planning for the future. … Read more Learning and development 2 Is flexible working the right choice for your organisation?
Organisations are now planning a workplace return, but what should you consider when deciding if implementing flexible… Read more buzzacott_HR_advice_for_businesses HR advice for businesses 4 Find the Sheryl to your Mark: why the right people strategy matters for growing tech companies
When you’re looking to grow your business, it can be hard to know where to focus your energy… Read more Contact us 6
© 2018 Buzzacott LLP All rights reserved   |   
Sign up to our mailing list   |    Anti-slavery statement
Privacy policy   |    Accessibility   |   Transparency report   |   Gender pay gap report   |   Diversity and inclusion   |   Cookies   |   Legal
close back
Your search for "..."
did not yield any results.
... results for "..."
Search Tags
We use cookies for the best experience on our website and also to analyse web traffic. For more information see our Cookie notice. By clicking accept all you agree to our use of cookies. To alter the types of cookies we use click “Cookie settings”.
Accept all Cookie settings
Our use of cookies

We use necessary cookies to make our site work. We’d also like to set optional analytics and marketing cookies. We won't set these cookies unless you choose to turn these cookies on. Using this tool will also set a cookie on your device to remember your preferences.

For more information about the cookies we use, see our Cookies page.

Please be aware:

— If you delete all your cookies you will have to update your preferences with us again.
— If you use a different device or browser you will have to tell us your preferences again.

Necessary cookies
Always active

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

rc::a
Persistent
This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website.
rc::b
Session
This cookie is used to distinguish between humans and bots.
rc::c
Expires: Session
This cookie is used to distinguish between humans and bots.
PHPSESSID
Expires: Session
Preserves user session state across page requests.
_GRECAPTCHA
Expires: 179 Days
This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website.
test_cookie
Expires: 1 Day
Used by Google Ads to check if the user's browser supports cookies.
Analytics cookies
Inactive

Analytics cookies help us to understand how visitors interact with our website by collecting and reporting information anonymously.

_dc_gtm_UA-#
Expires: 1 day
Used by Google Tag Manager to control the loading of a Google Analytics script tag.
_ga
Expires: 2 years
Registers a unique ID that is used to generate statistical data on how the visitor uses the website (Google Analytics).
_gat
Expires: 1 day
Used by Google Analytics to throttle request rate.
_gid
Expires: 1 day
Registers a unique ID that is used to generate statistical data on how the visitor uses the website (Google Analytics).
collect
Expires: Session
Used to send data to Google Analytics about the visitor’s device and behaviour. Tracks the visitor across devices and marketing channels.
_hjClosedSurveyInvites
Expires: 1 year
Hotjar cookie that is set once a visitor interacts with a Survey invitation modal pop-up. It is used to ensure that the same invite does not reappear if it has already been shown.
_hjDonePolls
Expires: 1 year
Hotjar cookie that is set once a visitor completes a poll using the Feedback Poll widget. It is used to ensure that the same poll does not reappear if it has already been filled in.
_hjMinimizedPolls
Expires: 1 year
Hotjar cookie that is set once a visitor minimised a Feedback Poll widget. It is used to ensure that the widget stays minimised when the visitor navigates through your site.
_hjIncludedInSample
Expires: 1 year
Hotjar cookie that is set to let Hotjar know whether that visitor is included in the sample which is used to generate Funnels.
_hjShownFeedbackMessage
Expires: 1 year
Hotjar cookie that is set when a visitor minimised or completes Incoming Feedback. This is done so that the Incoming Feedback will load as minimised immediately if the visitor navigates to another page where it is set to show.
_hjid
Expires: 1 year
Hotjar cookie that is set when the customer first lands on a page with the Hotjar script. It is used to persist the Hotjar User ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
_hjRecordingLastActivity
Expires: Session
This should be found in Session storage (as opposed to cookies). This gets updated when a visitor recording starts and when data is sent through the WebSocket (the visitor performs an action that Hotjar records).
_hjTLDTest
Expires: Session
When the Hotjar script executes we try to determine the most generic cookie path we should use, instead of the page hostname. This is done so that cookies can be shared across subdomains (where applicable). To determine this, we try to store the _hjTLDTest cookie for different URL substring alternatives until it fails. After this check, the cookie is removed.
_hjUserAttributesHash
Expires: Session
User Attributes sent through the Hotjar Identify API are cached for the duration of the session in order to know when an attribute has changed and needs to be updated.
_hjCachedUserAttributes
Expires: Session
This cookie stores User Attributes which are sent through the Hotjar Identify API, whenever the user is not in the sample. These attributes will only be saved if the user interacts with a Hotjar Feedback tool.
_hjLocalStorageTest
Expires: 100ms
This cookie is used to check if the Hotjar Tracking Script can use local storage. If it can, a value of 1 is set in this cookie. The data stored in_hjLocalStorageTest has no expiration time, but it is deleted almost immediately after it is created.
_hjIncludedInSample
Expires: Session
Session cookie which is destroyed when user leaves the Hotjar site.
_gcl_au
Expires: 3 months
Used by Google AdSense for experimenting with advertisement efficiency across websites using their services.
ads/ga-audiences
Expires: Session
Used by Google AdWords to re-engage visitors that are likely to convert to customers based on the visitor's online behaviour across websites.
Marketing cookies
Inactive

Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

Category
Expires: 2 months
Used to remember your area of interest on Buzzacott.co.uk / Buzzacott.hk.
_fbp
Expires: 3 months
Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers.
fr
Expires: 3 months
Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers.
tr
Expires: 3 months
Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers.
_gcl_au
Expires: 3 months
Used by Google AdSense for experimenting with advertisement efficiency across websites using their services.
IDE
Expires: 1 year
Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.
pagead/1p-user-list/#
Expires: Session
Tracks if the user has shown interest in specific products or events across multiple websites and detects h ow the user navigates between sites. This is used for measurement of advertisement efforts and facilitates payment of referral-fees bet ween websites.
Cookie management
Use of cookies Necessary cookies Analytics cookies Marketing cookies Allow all Save settings
Use of cookies Necessary cookies Analytics cookies Marketing cookies
Accept all Save settings