Handling and Processing of Requests from Data Subjects in relation to POPIA

1. INTRODUCTION
  • All of the sections of the Protection of Personal Information Act 4 of 2013 (“POPIA”) became effective on 1 July 2020. In terms of POPIA, all data subjects, as this term is defined in POPIA (“Data Subject/s”), have the right to request an organisation to confirm whether such organisation holds information about them.
  • For this reason, the Organisation has implemented this policy (“Policy”) to regulate any requests by Data Subjects for any personal information, as this term is defined in POPIA (“Personal Information”), that the Organisation may process in relation to such Data Subject.
  • At the outset, it must be understood that no information will be provided by the Organisation unless (i) the Data Subject has requested this in writing, (ii) the Data Subject has been properly identified, and (iii) all other provisions set out in this Policy have been complied with.

2. OBJECTIVE

The objective of this procedure is to effectively assist Data Subjects that approach the Organisation so that the Organisation can provide the Data Subject in question with a record or a description of their Personal Information that the Organisation may store on its systems.

3. SCOPE
  • This document is applicable to all Data Subjects that have the right to request a record or description of their Personal Information held by the Organisation.
  • Unless the contrary is specified, to the extent that any terms used in this Policy are defined in POPIA, such terms will be given the meaning ascribed to them in POPIA.

4. REFERENCE DOCUMENTS

This Policy should be read in conjunction with any other of the Organisation’s privacy policies that may be relevant, including, without limitation, the Information Privacy Policy of the Organisation.

5. PROCEDURES
  • Formal request from the Data Subject
    • A formal request from a Data Subject for information that the Organisation holds about them must be made in writing, accompanied by adequate proof of identification, which at a minimum includes a certified copy of the Data Subject’s (i) identity document (“ID”) or passport, and (ii) proof of residence.
    • Any (i) employees, (ii) contractors, (iii) visitors, and / or (iv) other persons authorised to access and use the Organisation’s systems (“Users”) who receive a written request in respect of data held by the Organisation in relation to POPIA must forward it to the information officer of the Organisation (“Information Officer”) immediately. A Data Subject has a right to request this information.
  • Processing the request from the Data Subject
    • Natural Person Data Subject requesting information
      • The natural person Data Subject must request in writing (i) whether the Organisation processes any of their Personal Information, and (ii) a record of such Personal Information. This written request must be sent to the Information Officer. The Information Officer will request a certified copy of the individual’s (i) ID or passport, and (ii) proof of residence. Once this has been received and verified, the Information Officer will then be authorised to release the Personal Information in question (unless the Organisation cannot release such information for good reason, such as if granting the Data Subject access would interfere with the privacy of others or would result in a breach of confidentiality by the Organisation. The Organisation will always provide the Data Subject with written reasons if this is the case).
      • The Information Officer must:
        • record the Data Subject request on the Organisation’s request system; and
        • safely store the certified copy of the (i) ID or passport, and (ii) proof of address, either in a file in a locked cupboard (if these are in paper format) or online in an encrypted folder which cannot be accessed by an unauthorised party.
    • Juristic Person requesting information
      • The juristic person in question must request in writing (i) whether the Organisation processes any of its Personal Information, and (ii) a record of such Personal Information. This written request must be sent to the Information Officer. The Information Officer must then request appropriate documents to identify such juristic person. For a company this will be certified copies of the following:
        • CIPC documents;
        • FICA documents for the company (including proof of business premises); and
        • Directors’ details and copies of all directors’ IDs or passports.
      • Once such documents have been received, the Information Officer will then be authorised to release the Personal Information to the Data Subject (unless the Organisation cannot release such information for good reason, such as if granting the Data Subject access would interfere with the privacy of others or would result in a breach of confidentiality by the Organisation. The Organisation will always provide the Data Subject with written reasons if this is the case). The Information Officer must:
        • record the Data Subject request on the Organisation’s request system; and
        • safely store the certified copies of all of the above documents either in a file in a locked cupboard (if these are in paper format) or online in an encrypted folder which cannot be accessed by an unauthorised party.
  • Update the information of the Data Subject
    • The Data Subject may request the Organisation to (i) correct or delete any of his/her/its Personal Information if it is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or has been obtained unlawfully, or (ii) destroy such record of Personal Information. If such a request is made, the Organisation must send this request to the Information Officer, who will then decide what action to take in respect of such Personal Information. If the information is destroyed or deleted, the Data Subject must be provided with credible evidence that this has been done. If instructed to do so by the Information Officer, the User in question must advise the Data Subject of any adverse consequences of deleting or destroying any Personal Information, including whether this will have an impact on the Organisation’s ability to provide goods and/or services to the Data Subject, if this is applicable in the circumstances.
  • Timeline
    • As soon as a request for information has been received in writing and the Data Subject has been properly identified and verified, the Organisation will have 20 (Twenty) working days to provide the Data Subject with the information in question, subject to anything to the contrary set out in this Policy.
  • Cost of providing information
    • Data Subjects have the right to contact the Organisation to ask the Organisation to:
      • confirm that the Organisation holds the Data Subject’s Personal Information at no charge;
      • provide the Data Subject with access to any records containing the Data Subject’s Personal Information or a description of such Personal Information that the Organisation holds, subject to payment of a prescribed fee under POPIA; and / or
      • confirm the identity or categories of third parties who have had, or currently have, access to the Data Subject’s Personal Information, also subject to payment of a prescribed fee under POPIA.
  • Delivery method of the information
    • Information may be shared with the Data Subject under this Policy in the following ways:
      • The information may be provided to the Data Subject in person, provided that the Data Subject signs for the information received; or
      • The information may be sent to the Data Subject at the email address that such Data Subject has chosen in writing. Any information provided by email must be password protected with an 8 (Eight) character password containing at least one upper-case and one lower-case letter, at least one numeral and at least one special character; provided that the password:
        • must not be sent in the same email as the information; and
        • must be sent via a different application, preferably WhatsApp. This prevents an unauthorised individual who has access to the email account from opening the file without also having the password.

6. RIGHTS RESERVED BY THE ORGANISATION

The Organisation reserves the right to monitor, audit, screen, and preserve Organisation information as the Organisation deems necessary, in its sole discretion, in order to maintain compliance with this Policy and, by extension, all relevant provisions of POPIA. Any dissemination, unauthorised use or benefit from any Organisation information by a User in contravention of this Policy may result in disciplinary action being taken against such User by the Organisation. Furthermore, the use of any account or system in such a way that breaches any of the provisions of this Policy will be reported to the appropriate supervisor or manager within the Organisation, which may lead to further disciplinary action being taken.

7. ENFORCEMENT AND POTENTIAL DISCIPLINARY ACTIONS

Any violation of this Policy may result in disciplinary action being taken against the User in question. Such disciplinary action will be taken in accordance with the Organisation’s applicable disciplinary code, and may include the (i) termination of employment in relation to employees of the Organisation, or (ii) cancellation or termination of contractual relations in the case of other Users, such as contractors or consultants. Notwithstanding the foregoing, should any authorised User fail to adhere to this Policy, the individual will be dealt with as prescribed by the Organisation’s disciplinary code and procedures.

8. POLICY AWARENESS AND UPDATE
  • Training and awareness: The (i) requirement for, and (ii) a User’s obligation in terms of, this Policy will be explained in detail in the Organisation’s induction program, in the case of employees of the Organisation. Further training and additional awareness regarding the Policy will be offered from time to time by the Organisation. The Organisation will specifically make Users who are not employees of the Organisation aware of the Policy.
  • Dissemination: This Policy will be made available on the Organisation’s network, intranet or similar portals.
  • Review: This Policy will be reviewed from time to time in order to ensure ongoing compliance with POPIA, but such revisions will take place at least annually. More frequent review may be required in response to (i) exceptional circumstances, (ii) organisational change, or (iii) relevant changes in legislation or guidance.

9. SECURITY

  • We take the security of personal data very seriously and always do our best to comply with applicable data protection laws. Our hosting company will host our website in a secure server environment that uses a firewall and other advanced security measures to prevent interference or access from outside intruders. We authorise access to personal data only for those employees who require it to fulfil their job responsibilities. We implement disaster recovery procedures where appropriate.
