In this just-released finding, an individual complained that a credit bureau required that the individual provide two pieces of identification before providing him a copy of his credit report. The Commissioner consulted with another credit bureau and found that their policy was the same.
In this case, the Commissioner relied on principle 4.9.2, in which an organization can require additional information in order to fulfil an access request. The complaint was not well founded as the credit bureau has to authenticate an individual's identity before handing over this sensitive information. (As an aside: I expect they'd be risking a complaint about inadequate security if they did not do so.)