We are coming to the end of our POPI series. The first seven POPI Conditions for Lawful Processing have been discussed in detail in our previous articles, and this month it is time to discuss the eighth and final condition: Data Subject Participation. This condition comprises three elements, namely (i) access to personal information, (ii) correction of personal information and (iii) the manner in which the personal information is accessed.
Applicable POPI sections and commentary
The relevant sections of POPI applicable to “data subject participation” have been reproduced below with our commentary:
Access to Personal Information
Section 23 “Access to personal information.—
(1) A data subject, having provided adequate proof of identity, has the right to—
(a) request a responsible party to confirm, free of charge, whether or not the responsible party holds personal information about the data subject; and
(b) request from a responsible party the record or a description of the personal information about the data subject held by the responsible party, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information—
(i) within a reasonable time;
(ii) at a prescribed fee, if any;
(iii) in a reasonable manner and format; and
(iv) in a form that is generally understandable.
(2) If, in response to a request in terms of subsection (1), personal information is communicated to a data subject, the data subject must be advised of the right in terms of section 24 to request the correction of information.
(3) If a data subject is required by a responsible party to pay a fee for services provided to the data subject in terms of subsection (1) (b) to enable the responsible party to respond to a request, the responsible party—
(a) must give the applicant a written estimate of the fee before providing the services; and
(b) may require the applicant to pay a deposit for all or part of the fee.
(4) (a) A responsible party may or must refuse, as the case may be, to disclose any information requested in terms of subsection (1) to which the grounds for refusal of access to records set out in the applicable sections of Chapter 4 of Part 2 and Chapter 4 of Part 3 of the Promotion of Access to Information Act apply.
(b) The provisions of sections 30 and 61 of the Promotion of Access to Information Act are applicable in respect of access to health or other records.
(5) If a request for access to personal information is made to a responsible party and part of that information may or must be refused in terms of subsection (4) (a), every other part must be disclosed.”
Commentary to Section 23 above:
- Data subjects have a right to access their personal information records and receive copies of these records. This right is not, however, unlimited. A responsible party will have some discretion as to the process to be followed in allowing data subjects to request access to their information, as well as the means through which the data subject will be obliged to identify him/herself before being given access to their personal information. One method of regulating these requests may be through a responsible party’s PAIA manual or a similar ‘personal information request document’.
- If it appears that a responsible party is indeed in possession of certain information about a data subject, the data subject may request that responsible party to provide it with a record of this information.
- Within that record provided to the data subject, the responsible party will have to bring to the attention of the data subject that the data subject has the right in terms of section 24 to request a correction to such information.
- Depending on the costs that a responsible party may have incurred or anticipates incurring in the process of providing the above information to the data subject, the responsible party may request reimbursement of those costs from the data subject.
- Where the provisions of the Promotion of Access to Information Act 4 of 2000 (“PAIA”) so permit, a responsible party may refuse to disclose particular information to the data subject. If, however, such right to refuse relates only to certain information, the remaining information (in respect of which PAIA permits disclosure) must be disclosed to the data subject.
Correction of Personal Information
Section 24: “Correction of personal information.—
(1) A data subject may, in the prescribed manner, request a responsible party to—
(a) correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or
(b) destroy or delete a record of personal information about the data subject that the responsible party is no longer authorised to retain in terms of section 14.
(2) On receipt of a request in terms of subsection (1) a responsible party must, as soon as reasonably practicable—
(a) correct the information;
(b) destroy or delete the information;
(c) provide the data subject, to his or her satisfaction, with credible evidence in support of the information; or
(d) where agreement cannot be reached between the responsible party and the data subject, and if the data subject so requests, take such steps as are reasonable in the circumstances, to attach to the information in such a manner that it will always be read with the information, an indication that a correction of the information has been requested but has not been made.
(3) If the responsible party has taken steps under subsection (2) that result in a change to the information and the changed information has an impact on decisions that have been or will be taken in respect of the data subject in question, the responsible party must, if reasonably practicable, inform each person or body or responsible party to whom the personal information has been disclosed of those steps.
(4) The responsible party must notify a data subject, who has made a request in terms of subsection (1), of the action taken as a result of the request.”
Commentary to Section 24 above:
- After receiving a record of personal information from a responsible party in terms of section 23, a data subject may request the deletion or correction of such personal information.
- Any request made by a data subject should be made on the basis of the personal information in question being inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.
- If the data subject has requested the deletion or correction of its personal information in accordance with sections 23 and 24, the responsible party may do so. Alternatively, it may provide the data subject with credible evidence in support of the personal information or, where agreement cannot be reached and the responsible party believes it is entitled to maintain the personal information, there may be circumstances in which a kind of disclaimer is attached to the information, informing users that a correction to this information has been requested but not made.
- If a responsible party has changed information in relation to a data subject, and this change has an impact on decisions that have been or will be taken in respect of that data subject, the responsible party must (if reasonably practicable) inform each person to whom that personal information has been disclosed of such change.
Manner of Access
Section 25: “Manner of access.—
The provisions of sections 18 and 53 of the Promotion of Access to Information Act apply to requests made in terms of section 23 of this Act.”
Commentary to Section 25 above:
- This section provides that the data subject may make use of the relevant provisions in PAIA to make a request for personal information in terms of section 23 of POPI.
- In each PAIA request for personal information, there will need to be a procedure through which the responsible party appropriately identifies the data subject as the person to whom the relevant personal information relates.
Essentially, POPI’s Condition 8 aims to ensure practical and accessible transparency for data subjects in the processing of personal information. This transparency demands that a responsible party allows a data subject to have a say in the processing of the personal information in the possession or under the control of such responsible party. Ultimately, this all boils down to a responsible party’s responsibility to maintain up-to-date information registers and implement suitable controls, so that it is able to easily (i) identify what personal information is in its possession or under its control; (ii) identify to whom that personal information relates; and (iii) update such personal information.