"Competent" Authority

Response to this request is long overdue. By law, under all circumstances, Northumbria Police and Crime Commissioner should have responded by now (details). You can complain by requesting an internal review.

Dear Northumbria Police and Crime Commissioner,

According to information previously published under the auspices of Vera Baird the office of the PCC for Northumbria is defined as a competent authority under schedule 7 of the DPA (https://www.legislation.gov.uk/ukpga/201...)

1. Please specify what if any requirements and or checks were undertaken on any part of, or person within, the office of the PCC before this definition/ certification was applied to your office.

2. Please specify if there is any time limit applied to the "Competent Authority" certification applied to your office.

3. Please specify if there is any requirement for any checks or measures of any description to ensure maintenance of any "competencies" regarding this description and if so

4. please specify what they are and how often they are required to be undertaken.

Having just looked at your response here https://www.whatdotheyknow.com/request/p... I have noted a number of issues of which Mr Kevin Payne appears to be unaware, not least of which is that of 6 questions asked he only responded to 5, ignoring completely the request for "can I have a copy of the risk rating that you use to evaluate data security incidents?"

5. Please confirm whether you have any policy or procedure in place to address Data Security Incidents, and if so provide a copy along with any definitions for and or examples of any risk ratings used or incidents that have already happened.

In the two Word documents provided to Mr Knight, which when downloaded from his response show a date of 10/15/2020 being today's date,

6. please provide any date information detailing when those formats were originally brought into use.

I ask because the DPA 2018 came into force on the 23 May 2018 from which point the time limit for compliance with a SAR became one calendar month, and yet your template, in use apparently for the last 29 months has been unlawfully quoting the time limit for compliance with the DPA 1998.

In addition the GDPR became law in the UK on the 25 May 2018.

Both the DPA 2018 and GDPR state that where the data controller holds a reasonable belief that a Subject Access Request originates from a person not entitled to receive that information then the data controller may request two further forms of ID before complying with that request.

Your word document "SAR ACK Letter" to Mr Knight specifies a "Requirement" for two forms of ID without specifying any "reasonable belief" that the applicant is not entitled to receive the information requested.

In addition that standard template letter identifies the required ID to be "A copy of two identification documentation to contain your name in full and date of birth, the other to contain your name and current address, e.g. birth certificate, current passport, driving licence, medical card or utility bill." (The grammatical errors are copied directly from the Original)

The response from Mr Payne to Mr Knight's request includes the statement "it may be worth noting that this office has yet to receive a subject access request other than by email since the introduction of the Data Protection Act 2018."

7. Please specify how many SARs have been received by the OPCC since the 23 May 2018.

8. Please specify how many of those recorded SARs arrived by email and how many by surface post or in person hand delivered.

Of the total number of SARs,

9. please specify how many were required to provide the two forms of ID prior to your compliance with the requirements of law.

10. Please specify for how many of those requests any member of the OPCC detailed any "reasonable beliefs" or indeed any "unreasonable Beliefs" or any beliefs at all that the SAR had originated from anyone other than the lawful recipient and provide a list of the types of belief so specified.

11. In relation to the SARs received, please specify how many were received from a communication source which the OPCC had not been in regular communication with prior to the SAR being received.

12. In relation to the SARs received, please specify how many of the data subjects, who had been in communication with the OPCC for the OPCC to hold any data regarding them, had as part of their recorded information held, "verified" (i.e. checked with a secondary source other than the data subject, or by official documentation) their Full Name and Date of Birth, or their name and postal address prior to the SAR being received.

Since I would assume from Mr Payne's comment that all SARs had arrived by email, (a form of communication in which it is not usually accepted to include a surface mail return address, and if you reasonably believe the originator is lying about their identity then you must reasonably believe they would lie about their postal address also) and I believe there is no possible way the "required" documentation can possibly verify the data subject's identity in relation to the records held by the OPCC.

13. Please specify any policy, procedure or document of any description which clearly specifies how an identity document showing a full name and date of birth along with a name and postal address can possibly be used to identify a data subject in relation to the information held, whose only avenues of communication have been with the OPCC via Email and or Telephone.

14. Please also provide a link to or a copy of any provision within the DPA 2018 or GDPR which states that any Data Subject can only request information be sent to a registered postal address.

15. Please specify any policy or procedure which would allow Mr Scott Duffy, Director of Confidence, Standards and Statutory Reviews within the OPCC to respond to communication addressed to Ms McGuinness almost immediately upon receipt and where that ability is specified in his stated role profile.

16. Finally, please specify the contact details for the person and the organisation responsible for awarding the OPCC Northumbria the accreditation of being a "Competent Authority" as I wish to contact them regarding having that accreditation removed forthwith.

Yours faithfully,

W Hunter

Enquiries, Northumbria Police and Crime Commissioner

1 Attachment

Dear Mr Hunter

Please find attached a letter for your attention.

The OPCC will be back in touch in due course.

Yours sincerely

Office of the Police and Crime Commissioner – Northumbria.
Telephone: 0191 2219800

Scott Duffy, Northumbria Police and Crime Commissioner

6 Attachments

Dear Mr Hunter

Please find attached a response to your FOI request for your attention.

Yours sincerely

Scott

Scott Duffy

Director of Confidence, Standards and Statutory Reviews.

Office of the Police and Crime Commissioner – Northumbria.

Telephone: 0191 2219800
