POPIA Compliance: Importance of Handling Data Subject Requests Correctly

Problem

The Protection of Personal Information Act, 2013 (POPIA) is designed to respond to a growing concern about inappropriate use of personal information and to add responsibilities for organisations in how they respond to data breaches. It also gives individuals rights over their personal information, and the ‘data subject requests’ through which they exercise those rights are your responsibility as a responsible party. If you don’t comply, you would normally face real scrutiny not only from the Information Regulator but also from the press.

In this newsletter, we explore POPIA data subject rights, including what a data subject access request is and how organisations can handle these requests efficiently.

What is a data subject access request (DSAR)?

Under POPIA, individuals have certain rights that organisations (responsible parties) must uphold. A data subject access request (DSAR) is the way for an individual to submit a request to exercise one or more of those rights. For example, one data subject right granted by POPIA is the right of access by the data subject, which enables individuals to submit DSARs to find out what personal information a particular responsible party has collected about them.

What actions do you need to take when you receive a DSAR?

An individual who makes a DSAR expects to receive information on whether you are processing their personal information, a copy of that data, your privacy notice and supplementary information. You need to make sure that you have procedures in place to address DSARs promptly – see our 03.1_Procedure for Handling of Data Subject Request.

Remember that POPIA rights are not absolute; an individual’s fundamental rights have to be balanced against factors such as legitimate public interest. If you have solid grounds, you can refuse to comply with a DSAR, but you must clearly explain your reasons.

What data can be requested?

POPIA applies to personal information — any data that relates to or can be used to identify a person in any way. Examples could include the emails sent between certain people during a certain time period, all workplace data and HR records related to the individual, and the person’s medical history.

What supplementary data should be provided?

In addition to a copy of the individual’s personal information, organisations also have to provide the information in their section 18 Privacy Notifications – see our 03.3_POPIA Section 18 Privacy Notification – Clients.

Solution

How can you ensure you can handle DSARs?

The best way to ensure compliance with the data subject rights detailed above is to implement the following best practices:

  • Know your personal information. It’s essential to know precisely what regulated information you have, where it resides, where it came from, whom you share it with and your purpose in processing it. Personal information can be stored in a wide range of repositories, including email, personal computers, file stores, databases and cloud-based platforms (see our 01.1_Lists_Roles_Responsiblities_Operating_Processes).
  • Document your Data Subject Requests – see our 03.6_Data Subject Request Register; 03.7_Form 1_Objection to the Processing of Personal Information; 03.8_Form 2_Request Correction Deletion Personal Information and 03.9_Form02_Request for Access to Record.
  • Determine the basis for processing of all personal information. Once you know what personal information you have, figure out why you store it in the first place. Having clear documentation of each subject’s consent is critical for justifying storing and processing their personal information. If you do not have a clear reason for storing a given piece of personal information, delete it – (see our 01.1_Lists_Roles_Responsiblities_Operating_Processes).
  • Create rules for handling each type of special personal information. Establishing data-centric security workflows will help you avoid costly data breaches and compliance violations. These workflows should be based on careful consideration of questions such as: Where should each type of data be stored, and for how long? Who should have access to which data? How may specific types of data be used? (see our 00.2_Document Retention and Destruction Policy and 00.3_Personal Information Assets Information Classification Matrix and Handling Guide)
  • Regularly assess your IT risks. Establish a reliable and repeated risk assessment and mitigation process to identify and prioritise the risks threatening data security. Ideally, you want to cover all risks, but in practice, you have to set priorities and protect your most important or sensitive data first. Update access rights to make sure that protected information is available only to authorised personnel and only on a need-to-know basis (see our 02.1_Personal Information Protection Policy; 02.5_Access and Confidentiality Agreement with Employees; 05.2_Minimum Access Policy).
  • Regularly update your security policies. These policies are your evidence that your organisation is doing everything it can to properly store and process the personal information of customers. Whenever you modify your policies, document each change you make.
  • Hire a consultant to support your Information Officer if necessary. If you are uncertain about personal information management, you should consult with or hire a consultant to assist your Information Officer — the internal or external advisor who has responsibility for POPIA compliance.
  • Provide an easy way for users to submit DSARs. Many organisations offer online DSAR forms to ensure requests go to the correct person or department and contain the necessary information. Without such a form, customers are likely to submit their request using the first email address they find.
  • Use secure methods of authentication. You are obliged to make sure that each request is made by a legitimate person — but do not do so by requesting POPIA-protected data that you don’t already hold, such as identity card numbers, passports or other official documents. Instead, a good option is to verify the request by asking the person to provide some personal information you already have.
