Identity Verification
Before disclosing personal data, you must be satisfied that the requester is who they claim to be. Verifying identity in SAR Portal is a single click — the Mark Verified button. When you click it, the app records that the subject was verified, when, and the method it set automatically, so you have defensible evidence under GDPR Article 12.
What Gets Recorded
When you mark a case verified, the app stores a structured record:
- That identity was verified — the case status changes to Identity Verified
- Verification method — set automatically (see below); you do not choose it
- Timestamp — captured automatically
This record is written to the audit trail and cannot be edited after the fact, giving you a reliable compliance record.
How the Method Is Recorded
You don’t pick a verification method from a menu — the app derives it from how the case reached you:
| Recorded method | When it applies |
|---|---|
| Manual review | An admin or case manager clicked Mark Verified on the case after satisfying themselves of the subject’s identity |
| Portal token | The request came through your public portal — the subject already verified control of their email with a one-time code at submission, so the case arrives pre-verified |
Portal submissions are pre-verified
Requests submitted through your public portal verify the subject's email at submission time (email OTP), so they arrive with the Portal token method already recorded. You don't need to take any further action to capture the method.No method picker or notes field
There is no dropdown to choose among email OTP, ID document, knowledge-based or other methods, and no free-text verification-notes box. Verification is one click and the method is set for you. If you carried out additional identity checks (e.g. you inspected an ID document), record those in the case Notes.How to Verify a Case
- Open the case from your Cases list
- Once you’re satisfied the requester is genuine, click Mark Verified
- The case status changes to Identity Verified and the record — method and timestamp — is written to the audit trail automatically
Only Admins, Case Managers and Reviewers who are working the case can mark it verified.
Good Practice
- Satisfy yourself of the subject’s identity before clicking Mark Verified, especially for access requests containing sensitive data or requests received through unverified channels.
- If you carried out a specific check (matched details against your records, inspected an ID document, asked knowledge-based questions), note what you did in the case Notes so the audit trail tells the full story alongside the auto-recorded method.
- When you go to close a case, the Close Case dialog warns you if no identity verification was recorded — treat that as a prompt to verify first unless you’re closing for a reason that doesn’t require it (e.g. the subject couldn’t be identified).
Next Steps
- Case Statuses - Understand the workflow states
- Case Actions - Available actions for processing