Oct 26, 2020, 16:58 PM
Principle 8 – Data Subject Participation
It goes without saying that a data subject must be part of the processing of their personal information, as already determined by the consent provisions in POPIA. This principle takes it further by dealing with access, correction and deletion of personal information
MYTH: IF A DATA SUBJECT REQUESTS ME TO DELETE THEIR PERSONAL INFORMATION, I MUST DO SO IMMEDIATELY.
RESPONSE: IN GENERAL, WHEN THERE IS A CONTRACT OR LEGITIMATE INTEREST TO PROTECT, THE RESPONSIBLE PARTY DOES NOT HAVE TO DELETE PERSONAL INFORMATION IF REQUESTED TO DO SO
We will first look into the provisions of Section 23 of POPIA, which deals with the data subject’s rights to access their personal information.
Access To Personal Information
A data subject may
- Request a responsible party to reveal to them free of charge whether it holds any personal information on the data subject. Remember it is very important for the responsible party to request the data subject to prove their identity. We have seen a very interesting academic article where a person used the equivalent of POPIA in Europe called GDPR to steal the personal information of data subjects. Many people believe that when someone requests their personal information, it simply has to be provided to them, or it will be a breach of the law. This is incorrect. A responsible party has the right to first verify the identity of the data subject before dealing with any requests in respect of personal information.
- Request the responsible party to provide them with a record of the personal information it holds on them, including information about the identity of all third parties, or categories of third parties that have or have had access to the information
- Within a reasonable time
- At a prescribed fee
- In a reasonable manner or format
- In a form that is understandable
When this information is provided to the subject the data subject must also be informed of their right to correct the information. Remember, since it is the duty of the responsible party to ensure that the information it holds is up to date and correct, this is a golden opportunity to ensure that the information of the particular data subject is accurate and up to date.
POPIA provides that the responsible party may charge a fee for the provision of the information, but the fee must be reasonable and you must provide the data subject with a written estimate of the fee. You may also request a deposit, before starting to work on providing the information.
POPIA allows for the refusal to provide certain information as provided for in the Promotion of Access to Information Act (PAIA), but for the sake of brevity we will not discuss all those provisions here. You can access PAIA here (https://www.justice.gov.za/legislation/acts/2000-002.pdf) and specifically refer to Chapter 4 of Part 2 and Chapter 4 of Part 3, as well as Sections 30 and 61
Correction or Deletion of Personal Information
We touched on the requirement to inform the data subject of their right to request correction of their personal information above and we will now look at the provisions that deal with correction and deletion of personal information
This section is again jam packed so it is important to take care of the various provisions.
- A data subject may request a responsible party to correct or delete personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully or
- To destroy or delete a record of personal information that the responsible party is no longer authorised to retain.
Once the responsible party has received such a request it must as soon as possible:
- Correct the information
- Destroy or delete it
- Provide the data subject with credible evidence that the request has been carried out or
- If the responsible party does not agree with the data subject that the information has to be corrected, keep a record with the personal information that the correction has been requested but not done and the reasons for not making the correction. This must always be read with the record of personal information.
If any of the steps above have been taken and it will somehow impact on the data subject or affect decisions that will taken about the data subject, the responsible party must inform each person or body or responsible party to whom this information has been disclosed.
It goes without saying that the data subject must be informed about any action that has been taken in respect of a request for correction or deletion.
We have said this many times before but it is very important to retain records of all requests and actions taken in respect of a data subject’s personal information.
TIP: A request for correction is a perfect opportunity to also ensure that all other records pertaining to the data subject are accurate. Even if the data subject requests only one record to be updated, make use of the opportunity to update all other relevant records..
- Adv. Rian Schoeman