POPIA Did you know? Dealing with a Data Subject Access Request

The right of access, commonly referred to as Data Subject Access, gives individuals the right to obtain a copy of their personal information as well as other supplementary information. It helps individuals to understand how and why you are using their personal information, and check you are doing it lawfully.

Did you know that in terms of the Protection of Personal Information Act, 2013 (POPIA) a Data Subject (that is the person to whom personal information relates, for example your patients, other service providers, vendors, employees, etc.) has the right to –

  1. Request whether or not you hold personal information about them – free of charge
  2. Request the record or a description of the personal information about them that you hold
  3. Request information about the identity of all third parties, or categories of third parties, who have, or have had, access to their information
  4. Be advised of the right to request the correction of information you hold about them
  5. Request you to correct or delete personal information about them in your possession or under your control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or
  6. Request you to destroy or delete a record of personal information about them that you are no longer authorised to retain.

Can you answer positively to all of the following questions?

Preparing for subject access requests

  1. We know how to recognise a subject access request and we understand when the right of access applies.
  2. We have a policy for how to record requests we receive.
  3. We understand when we can refuse a request and are aware of the information we need to provide to individuals when we do so.
  4. We understand the nature of the supplementary information we need to provide in response to a subject access request.

Complying with subject access requests

  1. We have processes in place to ensure that we respond to a subject access request without undue delay and within a reasonable time.
  2. We are aware of the circumstances in which we need to use the procedure in terms of the Promotion of Access to Information Act, 2000 (PAIA), and the circumstances in which we need to use the form in terms of the Regulations of the POPI Act.

How can we help?

So, in reality, what does all of this mean for your organisation? The most important thing is ensuring that you have a robust and efficient DSAR process in place, such that your organisation is not merely reactive but precautionary.

Assent Compliance provides outsourced Information Officers who deal with these types of requests on a daily basis and can therefore work with you to help you understand your personal information and where it is located, design your process, policies and procedures, and prepare you for all eventualities.

We can help with:

  1. Our Assent Compliance POPI Compliance Documentation Toolkit – The Toolkit documents are organised to guide you on your implementation path.  Order here.
  2. Information Officer as a Service – It is possible for you to delegate your responsibilities as Information Officer to us, as your Deputy Information Officer (Section 56). We will perform all the functions necessary in terms of POPI.
  3. Privacy Awareness Training for staff members – training is a must [Paragraph 4(1)(e) of the Regulations]
  4. POPI Advisory Services
