I agree 100%, a simple "ID checked" flag would be OK. Where I think the DPA fits into it is that without the DPA, a lot more people would store those details just because. With the DPA in place I'm a lot more comfortable sharing information like that, knowing that either they just store a flag, or if they store more than that I am protected.
