POPIA Explained – Part 8

Data subject participation

By Lize de la Harpe, legal adviser

In the last edition we recapped the eight conditions for the lawful processing of personal information and discussed Security safeguards in detail.

In this edition we will move on to the last condition, namely Data subject participation.

Let’s recap

As explained previously, POPIA requires the responsible party to process personal information lawfully and in a manner that does not infringe on the privacy of data subjects.

In order for such processing to be “lawful” it must comply with the conditions as set out in the act. Section 4 of POPI lists eight conditions for the lawful processing of personal information, namely:

  1. Accountability (as referred to in section 8);
  2. Processing Limitation (as referred to in sections 9 to 12);
  3. Purpose specification (as referred to in sections 13 and 14);
  4. Further processing limitation (as referred to in section 15);
  5. Information quality (as referred to in section 16);
  6. Openness (as referred to in sections 17 and 18);
  7. Security safeguards (as referred to in sections 19 to 22); and
  8. Data subject participation (as referred to in sections 23 to 25).

Let’s look at Condition 8, namely Data subject participation, in more detail.

Data subject participation – sections 23 to 25

Access to personal information – section 23

Data subjects have the right to:

  1. ask a responsible party (*free of charge!) whether or not it holds personal information about them; and
  2. request the record or a description of his/her personal information (*subject to a fee as disclosed upfront!) including details of all third parties which have or had access to the information.

Important to remember: a responsible party must ensure that it has established the identity of the data subject prior to providing the information requested (put differently, only data subjects or their authorised representatives may have access to their personal information). Responsible parties must answer such a request for access within a reasonable time. (*PS: although the act does not state the time period within which to reply, a reasonable time would typically be within 30 days after the request, unless unreasonable in the circumstances.)

Section 23(2) states that when a responsible party provides the data subject with the requested information, the responsible party must inform the data subject of his/her right to request the correction thereof (as specified in section 24 which is discussed below).

There are however certain circumstances where a responsible party may refuse to disclose the information requested. Section 23(4) states that a responsible party may or must refuse (as the case may be) to disclose any information requested to which the grounds for refusal** of access to records as set out in Chapter 4 of Parts 2 and 3 of the Promotion of Access to Information Act, 2000 (“PAIA”) apply.

**Fyi: the grounds for refusal as listed in PAIA include instances where disclosure would involve the unreasonable disclosure of personal information about a third party (or it would constitute an action for breach of a duty of confidence owed to a third party in terms of an agreement), where the record is subject to legal privilege or contains trade secrets or confidential information of the responsible party or a third party and where refusal would be in the public interest.

Correction of personal information – section 24

A data subject may request (in the prescribed manner) a responsible party to:

  1. correct or delete personal information about the data subject that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or
  2. destroy or delete a record of personal information which the responsible party is no longer authorised to keep in terms of section 14 of the Act (*PS we will come back to section 14 and the retention of records in a later edition!).

Upon receipt of such a request, a responsible party must as soon as reasonably practical:

  1. correct or destroy the information, as the case may be;
  2. notify the data subject of the actions taken as a result of the request and provide evidence in support thereof or notify the data subject if the responsible party refuses to make the correction;
  3. where the responsible party is unable to agree to the data subject’s request, and where the data subject so requests, flag the information as having been challenged.

If a correction of personal information will have an impact on decisions which have been or will be taken in respect of the data subject, the responsible party must, if reasonably practicable, inform all third parties to whom the information has previously been disclosed of the change (*for example, a fund administrator informing the retirement fund in question of incorrect beneficiaries).

A responsible party does not have to inform third parties if it is impossible to trace the parties since the responsible party no longer has the information required for this or when it would involve a disproportionate effort on the responsible party’s part. 

Manner of access – section 25

The provisions of sections 18 (form of requests for accessing records held by public bodies) and 53 (form of requests for accessing records held by private bodies) of PAIA apply to requests made in terms of section 23 of POPIA (as discussed above).

Conclusion

We have now covered the last Condition, namely Data subject participation – in the next edition we will move on to the concept of Consent and discuss it in more detail.

Glacier Financial Solutions (Pty) Ltd and Sanlam Life Insurance Ltd are licensed financial services providers
