- If approached, you are required to confirm, without delay and free of charge, whether or not you hold personal information about the data subject making the request.
- If requested, you are required to provide the data subject with the record or a description of the personal information about the data subject you hold.
- You are required to provide information to data subjects about the identity of all third parties, or categories of third parties, who have, or have had, access to their personal information.
- Data subjects have the right to access their personal information. They must make a data subject access request using the prescribed form.
- Data subjects can object to your processing of their personal information and you must stop the processing unless you have a legal basis to continue the processing.
- Data subjects have the right to request you correct or delete personal information about them in your possession or under your control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.
- Data subjects have the right to request you destroy or delete a record of personal information about them that you are no longer authorised to retain.
- If you are required to correct, delete or destroy personal information at the request of a data subject, you are also required, if requested by the data subject, to provide the data subject, to his or her satisfaction, with credible evidence supporting the correction or deletion.
- If the personal information corrected could have or has had an impact on decisions that have been or will be taken in respect of the data subject in question, you must, if reasonably practicable, inform each person or body or responsible party to whom the personal information has been disclosed of those steps.
- You have to respond within a reasonable amount of time - one month.
Preparing for data subject requests
☐ We have sufficient deputy information officers to assist data subjects to exercise their rights without delay.
☐ Our staff know how to recognise a data subject request and understand the rights of data subjects.
☐ We have a policy for how staff are to handle requests they receive directly from data subjects.
☐ We respect data subjects' right to be forgotten.
☐ We understand when we can or must refuse a request and are aware of the information we need to provide to data subjects when we do so.
☐ We understand that if a part of a request must be refused, every other part must be disclosed.
☐ We recognise that if we are required to correct or delete personal information, we may also be required to provide the data subject with assurance that the requested action has been taken.
Complying with data subject requests
☐ We provide a single point of contact for data subject request management / objection / consent withdrawal.
☐ We have processes in place to ensure that we respond to a subject requests without undue delay and within one month of receipt.
☐ We have processes in place to inform each person or body or responsible party to whom we have disclosed personal information that has been subsequently corrected and could have or has had an impact on decision-making by the other responsible party.
☐ We have processes in place to attach the information in such a manner that it will always be read with the information, an indication that a correction of the information has been requested by the data subject but has not been made.
☐ We understand what we need to consider if a request includes information about others before releasing personal information.
☐ We keep a log of all third parties, or categories of third parties, who have, or have had, access to personal information.
☐ We maintain audit trails of all changes we make to personal information.
☐ We are able to cease the processing of personal information when requested to do so.
☐ We ensure our processes to handle data subject requests are secure.
- What is a data subject entitled to?
- What is the right of access?
- How do we recognise a request?
- Should we provide a specially designed form for data subjects to make a subject access request?
- How should we provide the information to data subjects?
- We have received a request, can we amend the information before sending out the response?
- Do we have to explain the contents of the information we send to the data subject?
- Can we charge a fee?
- How long do we have to comply?
- Can we extend the time for a response?
- Can we ask a data subject for ID?
- Can we clarify the request?
- What about requests made on behalf of others?
- What about requests for information about children?
- What about data held by credit reference agencies?
- What should we do if the information includes information about other people?
- What if we use an operator?
- Can we refuse to comply with a request?
- What should we do if we refuse to comply with a request?
- Can I require a data subject to make a subject access request?
Data subjects have the right to:
- obtain confirmation from you that you are processing their personal information;
- obtain from you a copy of their personal information or a description of the personal information about them that you hold;
- obtain from you other supplementary information to help them:
- understand your processing operations and how their rights are protected;
- know how and why you are using their information;
- determine the identity of all third parties, or categories of third parties, who have, or have had, access to the information;
- check you are processing their personal information lawfully.
- stop any unlawful processing of their personal information;
- be forgotten;
- receive independent assurance that you have fulfilled the requests for the correction or deletion of personal information.
The right of access, commonly referred to as a data subject access request (DSAR), gives data subjects the right to obtain:
- a copy of the personal information records of a data subject you hold, or an operator processing on your behalf holds;
- a description of the personal information about the data subject you hold.
For some requests, the POPIA regulations specify how to make a valid request. Where the regulations are silent about requests, the data subject can make a data subject request to your staff verbally or in writing. They can request any part of your organisation (including by social media) and does not have to be to a specific person or contact point.
This presents a challenge as any of your employees could receive a valid request. You have a legal responsibility to identify that a data subject has made a request to you and handle it accordingly. Consequently, you should consider which of your staff who regularly interact with data subjects may need specific training to identify a request and know which must be made using the prescribed form.
It would be good practice to have a policy for recording details of the requests you receive, particularly those made by telephone or in person. You may wish to check with the requester that you have understood their request, as this can help avoid later disputes about how you have interpreted the request. We also recommend that you keep a log of all requests.
Online forms can make it easier both for you to recognise a data subject request and for the data subject to include all the details you might need to locate the information they want or change in processing they require. You should therefore consider designing data subject request forms that data subjects can complete and submit to you electronically.
Where the Regulations don't prescribe the form to be used, a data subject request is valid if it is submitted by any means, so you must comply with these requests you receive in a letter, a standard email or verbally. You must make it clear when it is compulsory to use a prescribed form.
If a data subject makes a request electronically, you should provide the information to the data subject in a commonly used electronic format, unless the data subject requests otherwise.
Best practice would be to provide remote access to a secure self-service system that would provide the data subject with direct access to his, her or its information. This will not be appropriate for all organisations, but there are some sectors where this may work well.
However, providing remote access should not adversely affect the rights of others – including trade secrets or intellectual property.
A data subject request relates to the information held at the time the request was received. However, in many cases, routine use of the information may result in it being amended or even deleted while you are dealing with the request. So it would be reasonable for you to supply the information you hold when you send out a response, even if this is different to that held when you received the request.
However, it is not acceptable to amend or delete the information if you would not otherwise have done so.
POPIA requires that the information you provide to a data subject is in a reasonable manner and format, and in a form that is generally understandable. This will be particularly important where the information is addressed to a child.
At its most basic, this means that the additional information you provide in response to a request should be capable of being understood by the average person (or child). However, you are not required to ensure that that the information is provided in a form that can be understood by the particular data subject making the request.
You cannot charge a fee to comply with a data subject request, other than for reproduction.
You must comply with a request without undue delay and at the latest within one month of receipt of the request or (if later) within one month of receipt of:
- any information requested to confirm the requester’s identity.
You should calculate the time limit from the day you receive the request (whether it is a working day or not) until the corresponding calendar date in the next month.
You can extend the time to respond if the request is complex or you have received a number of requests from the data subject. You must let the data subject know within one month of receiving their request and explain why the extension is necessary.
If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality.
You need to let the data subject know as soon as possible that you need more information from them to confirm their identity before responding to their request. The period for responding to the request begins when you receive the additional information.
If you process a large amount of information about a data subject, you may ask them to specify the information or processing activities their request relates to before responding to the request. However, this does not affect the timescale for responding - you must still respond to their request within one month.
You cannot ask the requester to narrow the scope of their request, but you can ask them to provide additional details that will help you locate the requested information, such as the context in which their information may have been processed and the likely dates when processing occurred. However, a requester is entitled to ask for ‘all the information you hold’ about them. If a data subject refuses to provide any additional information or does not respond to you, you must still comply with their request by making reasonable searches for the information covered by the request. The time limit is not paused whilst you wait for a response, so you should begin searching for information as soon as possible. You should ensure you have appropriate records management procedures in place to handle large requests and locate information efficiently.
POPIA does not prevent a data subject making a subject access request via a third party. This can be an attorney acting on behalf of a data subject, but it could simply be that an data subject feels comfortable allowing someone else to act for them. In these cases, you need to be satisfied that the third party making the request is entitled to act on behalf of the data subject, but it is the third party’s responsibility to provide evidence of this entitlement. This might be a written authority to make the request or it might be a more general power of attorney.
If there is no evidence that a third party is authorised to act on behalf of a data subject, you are not required to respond to the data subject request. However, if you are able to contact the data subject, you should respond to them directly to confirm whether they wish to make a data subject request.
In most cases, provided you are satisfied that the third party has the appropriate authority, you should respond directly to that third party. However, if you think a data subject may not understand what information would be disclosed, and in particular you are concerned about disclosing excessive information, you should contact the data subject first to make them aware of your concerns. If the data subject agrees, you may send the response directly to them rather than to the third party. The data subject may then choose to share the information with the third party after reviewing it. If you cannot contact the data subject you should provide the requested information to the third party (as long as you are satisfied that they are authorised to act on the data subject’s behalf).
There are cases where a data subject does not have the mental capacity to manage their own affairs. It will be reasonable to assume that an attorney with authority to manage the property and affairs of the data subject has the appropriate authority to make a data subject request on their behalf. The same applies to a person appointed to make decisions about such matters in:
Even if a child is too young to understand the implications of subject access rights, it is still the right of the child rather than of anyone else such as a parent or guardian. So it is the child who has a right of access to the information held about them, even though in the case of young children these rights are likely to be exercised by those with parental responsibility for them.
Before responding to a subject access request for information held about a child, you should consider whether the child is mature enough to understand their rights. If you are confident that the child can understand their rights, then you should usually respond directly to the child. You may, however, allow the parent to exercise the child’s rights on their behalf if the child authorises this, or if it is evident that this is in the best interests of the child.
What matters is that the child can understand (in broad terms) what it means to make a subject access request and how to interpret the information they receive as a result of doing so. When considering borderline cases, you should take into account, among other things:
- the child’s level of maturity and their ability to make decisions like this;
- the nature of the personal information;
- any court orders relating to parental access or responsibility that may apply;
- any duty of confidence owed to the child or young person;
- any consequences of allowing those with parental responsibility access to the child’s or young person’s information. This is particularly important if there have been allegations of abuse or ill treatment;
- any detriment to the child or young person if data subjects with parental responsibility cannot access this information; and
- any views the child or young person has on whether their parents should have access to information about them.
A data subject request to a credit reference agency applies to all information credit reference agency processes relating to the data subject.
Responding to a subject access request may involve providing information that relates both to the data subject making the request and to another data subject.
You cannot comply with the request if it would mean disclosing information about another data subject who can be identified from that information, except if:
- the other data subject has consented to the disclosure; or
- it is reasonable to comply with the request without that data subject’s consent.
In determining whether it is reasonable to disclose the information, you must take into account all of the relevant circumstances, including:
- the type of information that you would disclose;
- any duty of confidentiality you owe to the other data subject;
- any steps you have taken to seek consent from the other data subject;
- whether the other data subject is capable of giving consent; and
- any express refusal of consent by the other data subject.
So, although you may sometimes be able to disclose information relating to a third party, you need to decide whether it is appropriate to do so in each case. This decision will involve balancing the data subject’s right of access against the other data subject’s rights. If the other data subject consents to you disclosing the information about them, then it would be unreasonable not to do so. However, if there is no such consent, you must decide whether to disclose the information anyway.
For the avoidance of doubt, you cannot refuse to provide access to personal information about a data subject simply because you obtained that data from a third party. The rules about third party information apply only to personal information which includes both information about the data subject who is the subject of the request and information about another data subject.
Responsibility for complying with a subject access request lies with you as the responsible party. You need to ensure that you have contractual arrangements in place to guarantee that subject access requests are dealt with properly, irrespective of whether they are sent to you or the operator.
If an exemption applies, you can refuse to comply with a subject access request (wholly or partly). Not all of the exemptions apply in the same way, and you should look at each exemption carefully to see how it applies to a particular request.
You must inform the data subject without undue delay and within one month of receipt of the request.
You should inform the data subject about:
- the reasons you are not taking action;
- their right to make a complaint to the Information Regulator; and
- their ability to seek to enforce this right through a judicial remedy.
You should also provide this information if you request a reasonable fee or need additional information to identify the data subject.
It may be a criminal offence, in certain circumstances and in relation to certain information, to require a data subject to make a subject access request.