Business Guide
June 2026

How to Request ID Documents From Clients Without Breaching GDPR

Minimise what you collect, find a lawful basis, secure the channel, and delete when the purpose is met.

FileSeal Security Team
1. The Request Is Itself Processing

Asking a client for a passport, driving licence, or proof of address feels routine. Onboard a new client, verify a tenant, run a right to work check, satisfy an anti money laundering obligation: the request goes out almost on autopilot. But the moment you ask for an identity document, you have started processing personal data, and UK GDPR applies to how you ask, where the file lands, how long you keep it, and how you destroy it.

The breaches that involve client ID often have nothing to do with sophisticated attacks. A passport scan sits in an inbox for two years, a copy is forwarded to a colleague who did not need it, or nobody can say which lawful basis justified collecting it in the first place. The good news is that a compliant request follows a short, repeatable discipline: collect the minimum, justify it, secure the channel, and delete it when the purpose is met.

This guide walks through that discipline from the requesting side. If you are the professional sending the “please upload your ID” message, these are the four things that keep that request inside the law.

2. Ask Only for What You Need

The data minimisation principle is the first thing to get right because it shapes everything that follows. Under UK GDPR, personal data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. The ICO is explicit that you should identify the minimum personal data you need and must not collect personal data on the off chance it might be useful in future.

In practice that means resisting the habit of asking for “a copy of everything”. A passport photo page is not the same as the whole passport. If you only need to confirm a name and date of birth, you may not need a full document scan at all. Decide, before you send the request, exactly which fields you need and why, and ask for that and nothing more.

A quick minimisation test before you ask

For each document you are about to request, write down the single specific purpose it serves. If you cannot finish the sentence “I need this in order to…”, you should not be asking for it.

Then ask whether a less intrusive option achieves the same purpose: a redacted copy, a single page, or a verification check rather than a stored image.

3. Have a Lawful Basis and Document It

You cannot process personal data simply because it is convenient. You must have a valid lawful basis under Article 6, and the ICO requires you to be able to demonstrate which basis applies and document it in your privacy information. For ID collection that basis is often legal obligation (for example a statutory check) or legitimate interests, rather than consent, but the right answer depends on your situation.

Whichever basis you rely on, the ICO sets a clear bar on necessity. “Necessary” does not mean absolutely essential, but it must be more than useful: it must be a targeted and proportionate way of achieving a specific purpose, and the basis will not apply if you can reasonably achieve that purpose by less intrusive means or by processing less personal data. That is the same minimisation logic, now wearing a legal hat.

Practically, record three things for each ID request you make routinely: the purpose, the lawful basis, and the retention period. Putting this in your privacy notice is not box ticking; it is the evidence that turns “we always ask for a passport” into a defensible, documented decision.

4. Secure the Channel You Collect Through

Once you know what you need and why, the next obligation is how you receive it. The UK GDPR security principle requires you to process personal data securely using “appropriate technical and organisational measures”, and Article 32 specifically calls out measures appropriate to the risk, including pseudonymisation and encryption of personal data.

This is where email quietly fails. Asking a client to email a passport scan means the image is copied into their sent folder, your inbox, your mail provider’s servers, and any backups along the way. The ICO points to encryption as a technical measure that protects personal data and is reversible only with a key, and it provides scenario based guidance on its use. An encrypted, single use request link is a far more proportionate way to collect an identity document than an open mailbox.

What a secure ID request looks like

  • The file is encrypted before it leaves the client's device
  • The link is one time, so it cannot be forwarded and reused
  • No copy lingers in an inbox or a sent folder
  • The document is deleted automatically once you have it

For a fuller comparison of the two approaches, see our guide on email versus secure document sharing.
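To make the four properties in the list above concrete, here is a small in-memory model of a one-time ID request link; it is example code written for this guide, not FileSeal's implementation, and the purposes, timestamps and blob contents are constructed.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed model of a single-use ID request link. Each request records the
# purpose, lawful basis and retention deadline the guide says to document. The
# client uploads a blob it has already encrypted, so the store never holds a
# key or plaintext. The first download consumes the link and destroys the
# stored copy; a reused link, a second upload, or anything past its deadline
# is refused. sweep() applies storage limitation to requests never collected.


@dataclass
class IdRequest:
    purpose: str
    lawful_basis: str
    expires_at: int                       # unix time after which the link is void
    ciphertext: Optional[bytes] = None    # set once, by the client, already encrypted


class RequestStore:
    def __init__(self) -> None:
        self._requests: Dict[str, IdRequest] = {}

    def create(self, purpose: str, lawful_basis: str, now: int, ttl: int) -> str:
        """Issue an unguessable token for one documented purpose and deadline."""
        token = secrets.token_urlsafe(32)
        self._requests[token] = IdRequest(purpose, lawful_basis, now + ttl)
        return token

    def upload(self, token: str, ciphertext: bytes, now: int) -> bool:
        """Accept exactly one client-encrypted blob while the link is live."""
        req = self._requests.get(token)
        if req is None or now > req.expires_at or req.ciphertext is not None:
            return False
        req.ciphertext = ciphertext
        return True

    def download(self, token: str, now: int) -> Optional[bytes]:
        """First download returns the blob and deletes the record (one-time)."""
        req = self._requests.get(token)
        if req is None or req.ciphertext is None:
            return None
        del self._requests[token]         # no copy remains on the server
        return None if now > req.expires_at else req.ciphertext

    def sweep(self, now: int) -> int:
        """Delete every request past its deadline, whether uploaded or not."""
        stale = [t for t, r in self._requests.items() if now > r.expires_at]
        for t in stale:
            del self._requests[t]
        return len(stale)

    def pending(self) -> int:
        return len(self._requests)
```

Because the store only ever sees ciphertext, a compromise of the store yields nothing readable; the one-time token is what stops a forwarded link from being used twice.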

5. Delete the Document When You Are Done

Collecting an ID document securely is only half the obligation; getting rid of it is the other half. Under the storage limitation principle you must not keep personal data for longer than you need it. If you do not have a retention policy, the ICO says you must regularly review what you hold and delete or anonymise anything you no longer need, and you must be able to justify any retention.

A passport copy that has done its job and is still sitting in a shared drive is no longer an asset; it is a liability waiting for a breach. The cleanest position is to hold the document for exactly as long as the purpose requires, with a defined retention period, and then destroy it. Where the collection channel deletes the file automatically after you download it, much of this discipline takes care of itself.

The lingering copy problem

Every place a document is copied is a place it must later be deleted. Inbox, sent folder, downloads folder, shared drive, backup. The fewer copies you create, the fewer you have to track down when the retention period ends.

6. When a Statute Sets the Rules: Right to Work Checks

Minimisation and storage limitation are general principles, but some ID requests sit inside specific statutory regimes that set their own rules. Right to work checks are the clearest example, and they show how a legal obligation overrides your own default retention instincts.

When you check a passport for a right to work, the Home Office requires you to copy any page with the expiry date and the applicant's details, that is their nationality, date of birth and photograph, including endorsements such as a work visa. You must keep those copies during the person's employment and for two years after they stop working for you. An employer could face a civil penalty for employing an illegal worker without having carried out a correct check.

Note the nuance: British and Irish citizens cannot get an online share code to prove their right to work, so you must check original documents such as a passport, or use an identity service provider offering Identity Document Validation Technology (IDVT). Even here, minimisation still applies to what you copy: the guidance tells you which pages to retain, not to photocopy the whole document. For agencies running these checks at volume, our guide to right to work checks for recruitment agencies goes deeper.

7. Frequently Asked Questions

Can you ask a client for a passport copy under UK GDPR?

Yes, provided you have a valid lawful basis under Article 6 and you only collect what is necessary for a specific purpose. The ICO says necessary does not mean absolutely essential, but the processing must be a targeted and proportionate way of achieving that purpose, and the basis will not apply if you can reasonably achieve the purpose by less intrusive means or by processing less personal data.

How long can you keep a client ID document after collecting it?

Under the storage limitation principle you must not keep personal data for longer than you need it. If you do not have a retention policy you must regularly review what you hold and delete or anonymise anything you no longer need. For a right to work check on an employee, the Home Office requires you to keep the copy during their employment and for two years after they stop working for you.

Is email a secure enough way to collect ID documents?

Email is a poor channel for ID documents because copies linger in sent folders, inboxes and backups long after the purpose is met. The UK GDPR security principle requires appropriate technical measures, and the ICO points to encryption as a measure that protects personal data. An encrypted one time request link that deletes the file after download is a more proportionate way to collect identity documents.


Written by the FileSeal security and compliance team. We specialise in document security, GDPR compliance, and data protection for UK professionals. Our guides are reviewed by industry practitioners and updated regularly.
