On September 9, 2024, the Data State Inspectorate (DVI) published a guide on how organizations that process data and obtain necessary information conveniently through telephone can verify the identity of the caller. The DVI used examples and scenarios to illustrate its points and recommendations.

The DVI clarified that there is no statutory act or external rule that says certain categories of data should be requested by telephone. Therefore, the DVI recommended that anyone handling data must make their own assessment of how much data they will request from a caller to ensure that they are who they say they are.

The DVI also acknowledged that while a password or keyword known to both parties can be used to identify a person by telephone, most organizations choose to identify the caller by asking them to provide a number of personal details, such as their first name, last name, email address, username, contact number, personal identification number, and/or address. Although the more data requested is likely to accurately identify the caller, it is also a greater intrusion into the person's privacy. Thus, the DVI advised organizations to observe proportionality in their activities.

When requesting information from the caller, the DVI instructed organizations to use common sense and to clearly state why the information is needed and that without providing it, the person will not receive the service, which is available only to persons with certain access rights.

Furthermore, the DVI noted that some organizations use authentication tools such as Smart ID or a secure electronic signature to identify the customer who called.

You can read the press release, only available in Latvian, here.