Is it such a big deal?
I regularly submit Subject Access Requests and in response, I am constantly being asked for photo ID as identifying information. I have argued on numerous occasions to the ICO that I'm not going to give any company a copy of my passport or driving licence because of the security risk and because it's excessive.
A data controller can validate me by phoning me and asking me a few questions about my account. Or they could send me a letter to my home address and ask me to quote the reference number on the letter. Or they could wait for the £10 fee to clear and that validates me. Or they could ask me to pay the fee by credit card as that would validate me too!
There are lots of ways that a data controller can be satisfied about my identity without me having to give them photo ID.
The ICO however is adamant that requesting a copy of a passport is not excessive. If the UK's Data Watchdog couldn't care less who sees passport information then what's the big deal? Having said that, the ICO also told me that a year on its own constitutes a date for the purpose of a Subject Access Request. This organisation is not fit for purpose.