An academic recently, with the consent of his girlfriend, set about making Subject Access Requests to hundreds of organisation in her name to see who would respond to his request.  It was frightening that over 150 organisations responded to him with data belonging to his girlfriend.  Very few asked him for proof of identity.

It is really important that when you are responding to a Subject Access Request, even if you think you know it is from your employee/ex-employee, that you take steps to ensure the communication has genuinely come from them.  You must make ID checks as it is clearly very easy for criminals to pose as an individual with a view to trying to obtain things like financial details.