Every day, a new case of penalties pops out in the media about companies asking for too much identity information. When we talk about too much information, what is too much? Where do the companies cross the line?
Sending the photocopy of the ID card scenario
Making photocopies of ID cards or scanning and sending them using various messaging providers is a serious problem. This practice for proving an identity and obtaining identity data is still common across EU member states. For example, the tourism and hospitality industry highly relies on this practice – photocopying ID cards, passports, and other documents. The major problem in that situation is that the user can not control his data, which could be misused by other persons and be exposed to identity theft. On the other hand, if the user refuses his ID card to be photocopied or scanned, he can’t get the service he wants.
This practice of photocopying and scanning is not a crime. Still, EU Regulation 2018/1725, as well as GDPR, states that the party responsible for processing personal data is the data controller. The data controller can also delegate the processing of personal data to another party – the data processor. So, in that case, the data controller is responsible for the lawful processing of data subjects and their protection. The data controller and processor should always follow the principle of “data minimization.”
Data minimisation principle
The “data minimisation” principle encourages a minimalist approach and is described in Article 5(1)(c) of the GDPR and Article 4(1)(c) of EU Regulation 2018/1725. Both of the regulations state that personal data should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” This means that the data controller should only request the limited personal data that they really need and keep it for as long as they need it (until they fulfill a purpose for which they were collected). They should identify the minimum amount of personal data necessary to fulfill their purpose, but no more.
The data minimisation principle also applies to scanned or photocopied personal documents, but how can you photocopy an ID card if you only need the person’s address or his birth year? Companies should always know the purpose, why they collect the data, and how to use them. The most significant question for the data minimisation principle is whether there is a way to achieve the purpose without collecting all the data from the user.
Apart from the GDPR and other regulations, collecting the minimum amount of data should always be the best practice for companies to maintain customers’ trust and reduce the risk of unauthorized access and other security issues.
Data minimising ID wallet solutions
Is there a way to follow the data minimisation principle to achieve the purpose without collecting all the data from the user? Absolutely. ID wallets are a much-needed service to overcome the issue of asking for too much identity information.
ID wallets can contain trusted digital identity credentials. Using an ID wallet, identity verification, and authentication can be anonymous – the user doesn’t have to share anything about himself except the data that the data processor asks for. This way, users share their identity data in a privacy-preserving manner and ensure that only authorized individuals can access their stored documents, safeguarding their identity and personal data. Every time a user decides to share his identity data with a company, the company must precisely define its needs. Users can then transparently review the data the company requested and determine if they are willing to share it with the company or not.
Identyum can help
We have created our Identyum ID Wallet and Identify service to ensure companies can easily follow the data minimisation principle and are GDPR compliant. Our services make it easy for companies to collect the information they need while providing their customers with a secure, reliable way of providing it. With Identify, companies can check an individual’s age, name, address, and NIN number against official records from all over Europe. All of this information is collected in one place for a high level of confidence in the authenticity of information about another person’s identity.
Try it today and contact us for more information.