Procedure

Verification guidelines: personal data

Updated on 29 March 2023

Why we sometimes need proof of identification in order to keep your data safe.

On this page

Introduction

The University of Dundee has various policies and procedures which relate to staff, students and other data subjects under which the University requires to take reasonable steps to safeguard personal data.

To keep data safe, we sometimes need our students, staff and other data subjects to provide proof of identification.

To avoid personal data about one individual being sent to another, either accidentally or as a result of deception, the University needs to be satisfied that:

  • we know the identity of the individual who we are apparently dealing with and if they are being represented that that the representative is duly authorised; and
  • the data we hold relates to the individual in question (e.g., when an individual has similar identifying details to another person).

The University will ask for enough information to satisfy itself on the above. The key point is that the University must be reasonable and proportionate about what we ask for. The University will not request more information if an individual’s identity is obvious.

This guidance sets out how the University will act in respect of verifying:

  • identity
  • authorisation of a third party to act on behalf of a data subject (such as staff or student).

Please note that this is for guidance purposes only and the University reserves the right to process personal data subject to its legal and regulatory obligations and as necessary.

Stage 1 - standards stage

Stage 1 will apply to non-sensitive, non-special category data personal data. An example would be a routine complaint under the University’s complaints handling procedure (CHP).

Verification process

If you are a student or staff member, we will accept identity verification through:

  1. Presentation of a Staff or Student ID card; and/or
  2. An email from your University email account ending @dundee.ac.uk

If you seeking to appoint someone to act on your behalf, before we can speak to that person, we will need to establish proof of authority through:

  1. An email from your University email account ending @dundee.ac.uk with a statement which provides written consent for a named person to act on your behalf.
  2. The written consent should include: Your full name and details, the full name and contact details of your agent, your relationship with the named person.

Stage 2 - enhanced stage

Stage 2 will apply to sensitive, special category data personal data. An example would be a safeguarding investigation.

The level of checks for Stage 2 are stricter as the possible harm and distress that inappropriate disclosure of the information could cause to the individual concerned is greater.

Verification process

If you are a student or staff member and the matter relates directly to you and your data, we will accept identity verification through:

  1. Presentation of a Staff or Student ID card;
  2. An email from your University email account ending @dundee.ac.uk

If you seeking to appoint someone to act on your behalf, before we can speak to that person, we will need to establish proof of authority through:

  1. An email from your University email account ending @dundee.ac.uk with a statement which provides written consent for a named person to act on your behalf.
  2. The written consent must include:
    1. Your full name and signature;
    2. The named person’s full name and contact details,
    3. Your relationship with the named person;
    4. A power of attorney in favour of the named person in the matter;
    5. A scanned copy of your ID card;
    6. A proof of signature for comparison purposes;
    7. details of where the University should send our final response (if different from your contact details).

If you’d prefer to give any documents to the University in person, then please make an appointment by contacting our Student Services Team.

Verification - next steps

If the requested information is sufficient and you are satisfied, keep a record of the ID supplied. You can at that point respond to the individual and/or any named person(s) acting on their behalf.

If the requested information is not sufficient then further steps may need to be taken to verify the individual’s identity.

For example, the ID documents may not be sufficient if an individual supplies information which raises doubts about their identity, or you have reasonable concerns that the ID is fraudulent, or the individual has obtained it fraudulently.

Please contact Information Governance for further assistance.

From Academic and Corporate Governance
Corporate information category Data protection