POPIA - South Africa - Data Subject Access Requests
Fellow data subject...
To an era where our own personal information is the hottest commodity out there. Where big companies, global organisations and highly successful brands are at war over our data. How old we are, what movies we like, where we want to travel next, what our bucket list looks like.
Our information is out there, and we’re an open and vulnerable target...
This is what we data subjects feel every day when deciding whether to share personal information. And while there is a lot of truth to that dramatic opening, there is also the comforting fact that the handling of our data is legally protected by the Protection of Personal Information Act (or POPIA) and that we have a defined set of rights over the collection and use of our data.
For organisations that use our personal information, the key is letting us know exactly what these rights are, how they protect our rights, and the procedure for gaining access to our information.
Data Subjects’ Rights at a Glance
POPIA is absolutely clear. Data subjects (that’s you and I) have the rights to:
- Be informed of certain information, at certain times
- Access our personal information
- Rectify our personal information
- Erase, or delete certain personal information
- Object to the way our information is used
- Have our information transferred to other service providers
- Not be subjected to automated decision making
The Right to Access our Personal Information
All that we as data subjects need is adequate proof of identification to request that the organisation confirms whether they hold our personal information.
We may then request a description of this information, including who has had access to the information. The organisation has a responsibility to provide this information about third parties “in a reasonable manner and in a form that the data subject will easily understand”.
An interpretive dance will not suffice!
We have the right to change or challenge the information that is being processed - e.g., going into the bank to change our credentials from Baldwin to Bieber, or from Cape Town to Caledon.
Under certain circumstances, we even have the right to request that they stop processing our information altogether.
But does the organisation know how to recognise and respond to a request?
They must turn to the Avenger of Access to Information - PAIA (The Promotion of Access to Information Act). All companies need to comply with PAIA, and much of how they would respond will depend on what PAIA has to say (including timings and a guide to fees).
How to access your personal information
Every organisation should provide a mechanism for you to make a request to access your personal information and to make requests for any copies. It should be substantially similar to the format you will find in the Information Regulator’s Form 2.
You’ll need to provide proof of identity and you should expect the organisation to ask questions that will help them fully understand the nature of your request.
How should they respond?
Well, there’s quite a bit they need to do – from verifying your identity to confirming whether it’s a request for personal information or perhaps some other type of information. It’s also possible that you have applied to the wrong organisation.
If all is good, they must search their systems to look for the personal information concerned.
What if they find stuff?
This is where PAIA becomes their friend. In and among its legalese they will find that much of it makes sense, even to non-legal eagles.
Let’s say the information they’re about to give you contains information about someone’s health. The situation may arise where they must consult with a health practitioner before sharing the personal information.
What if the information contains personal information of a third party? Or the commercial information of a third party? Surely, they will need the third party’s consent to share such information.
Another factor to consider is that of safety and security. What if, by sharing the personal information, it could endanger the life or physical safety of an individual?
But wait, there’s more...
Both POPIA and PAIA have other requirements when it comes to responding to requests for access. Hopefully these organisations will have the proper policy and procedure in place to deal with requests. Let’s encourage them to check out systems such as PrivIQ.