As simple as: “We are processing your request; once we need more evidence, we will contact you.” The day that their turn has come, remind them to upload their personal data. Process the request, delete the data in 24 hours.
If you don’t hear back, even better, less private data to worry about.
This is not a tradeoff-less scenario. Most users will be pretty irritated if, for example, you ask them to re-upload the front and back of the ID in question at a later date because you deleted it last time for their protection.
I personally think doing ID verification of physical documents over the internet is just a non-starter. I've unfortunately had to support such systems for years at a time, and I'm thankful I don't do it anymore.
They were already irritated, right. Also, keeping around a file which you said yourself was not useful still makes no sense - especially when you regularly delete the useful files by policy. So yes, the failure was by design.