popi_compliance_monitoring

Overview

  • The right to data portability allows data subjects to obtain their personal information, in certain circumstances, for their own purposes.
  • It allows data subjects to move, copy or transfer personal information from one automated processing system to another in a safe and secure way, without affecting its usability.
  • Doing this enables data subjects to take advantage of applications and services that can use this information for their own purposes, for example, data analytics.
  • The right only applies to records of personal information that you retained longer than was necessary for achieving the purpose for which the information was collected or subsequently processed.

 

Checklist

Preparing for requests for data portability

☐ We know how to recognise a request for data portability and we understand when the right applies.

☐ We have a policy for how to record requests we receive verbally.

☐ We understand when we can refuse a request and are aware of the information we need to provide to individuals when we do so.

Complying with requests for data portability

☐ We can transmit personal information in structured, commonly used and machine-readable formats.

☐ We use secure methods to transmit personal information.

☐ We have processes in place to ensure that we respond to a request for data portability without undue delay and within one month of receipt.

 

Briefly

What is the right to data portability?

The right to data portability gives a data subject the right to receive the personal information you have retained in a structured, commonly used and machine-readable format. It also gives the data subject the right to request that you transmit this information directly to another responsible party.

When does the right apply?

The right to data portability only applies when:

  • records of personal information have been retained longer than is necessary for achieving the purpose for which the information was collected or subsequently processed.

What does the right apply to?

Information is only within the scope of the right to data portability if it is personal information of the data subject related to the request.

Does this right only apply to information ‘provided to a responsible party’?

Sometimes the personal information you have retained is easy to identify (e.g. data subject's mailing address, username, age). However, this right applies to all personal information of a data subject that you have retained for longer than necessary.

It also includes any additional information that you have created based on the information a data subject has provided to you. For example, if you use the information a data subject has provided to create a user profile then this information would be in scope of data portability.

You should note that if ‘inferred’ or ‘derived’ data is personal information, you will need to provide it to the data subject if they make a data portability request. It would be good practice to always include this information in your response.

Does the right apply to anonymous or pseudonymous data?

The right to data portability only applies to personal information. This means that it does not apply to genuinely anonymous information. However, pseudonymous information that can be linked back to a data subject (e.g. where that individual provides the respective identifier) is within scope of the right.

What happens if the personal data includes information about others?

If the requested information includes information about other data subjects, you are not permitted to transmit that information.

If the requested information has been provided to you by multiple data subjects (e.g. a joint bank account) you need to be satisfied that all the data subjects agree to the portability request. This means that you will have to seek agreement from all the parties involved.

What is an individual entitled to?

The right to data portability entitles a data subject to:

  • receive a copy of their personal information; and/or
  • have their personal information transmitted from one responsible party to another responsible party.

Data subjects have the right to receive their personal information and store it for further personal use. This allows the data subject to manage and reuse their personal information. For example, a data subject may want to retrieve their banking transactions from a banking application to recalculate the interest charge.

You can achieve this by either:

  • directly transmitting the requested information to the data subject; or
  • providing access to an automated tool that allows the data subject to extract the requested information themselves.

This does not create an obligation for you to allow data subjects more general and routine access to your systems – only for the extraction of their information following a portability request.

You may have a preferred method of providing the information requested depending on the amount and complexity of the information requested. In either case, you need to ensure that the method is secure and acceptable to the data subject.

What are the limits when transmitting personal information to another responsible party?

Data subjects have the right to ask you to transmit their personal information directly to another responsible party without hindrance. If it is technically feasible, you should do this.

You should consider the technical feasibility of a transmission on a request-by-request basis. The right to data portability does not create an obligation for you to adopt or maintain processing systems which are technically compatible with those of other organisations. However, you should take a reasonable approach, and this should not generally create a barrier to transmission.

Without hindrance means that you should not put in place any legal, technical or financial obstacles which slow down or prevent the transmission of the personal information to the individual, or to another organisation.

However, there may be legitimate reasons why you cannot undertake the transmission, for example if the transmission would adversely affect the rights and freedoms of others. It is, however, your responsibility to justify why these reasons are legitimate and why they are not a ‘hindrance’ to the transmission.

Do you have responsibility for the personal information you transmit to others?

If you provide information directly to a data subject or to another responsible party in response to a data portability request, you are not responsible for any subsequent processing carried out by the data subject or the other organisation. However, you are responsible for the transmission of the information and need to take appropriate measures to ensure that it is transmitted securely and to the right destination.

If you provide information to a data subject, it is possible that they will store the information in a system with less security than your own. Therefore, you should make data subjects aware of this so that they can take steps to protect the information they have received. 

You also need to ensure that you comply with the other provisions in POPIA. For example, whilst there is no specific obligation under the right to data portability to check and verify the quality of the data you transmit, you should already have taken reasonable steps to ensure the accuracy and completeness of this information. Note that the purpose for requesting the transfer of personal information is for the data subject to verify the completeness and accuracy of their personal information in your possession.

How should we provide the data?

You should provide the personal information in a format that is:

  • structured;
  • commonly used; and
  • machine-readable.

These three characteristics can help you decide whether the format you intend to use is appropriate. 

What does ‘structured’ mean?

Structured data allows for easier transfer and increased usability.

The Open Data Handbook defines ‘structured data’ as:

‘data where the structural relation between elements is explicit in the way the data is stored on a computer disk.’

This means that software must be able to extract specific elements of the information. An example of a structured format is a spreadsheet, where the information is organised into rows and columns, i.e. it is ‘structured’. In practice, some of the personal information you process will already be in structured form.

In many cases, if a format is structured it is also machine-readable.

What does ‘commonly used’ mean?

This simply means that the format you choose must be widely-used and well-established.

However, just because a format is ‘commonly used’ does not mean it is appropriate for data portability. You have to consider whether it is ‘structured’, and ‘machine-readable’ as well. Although you may be using common software applications, which save information in commonly-used formats, these may not be sufficient to meet the requirements of data portability.

What does ‘machine-readable’ mean?

The Open Data Handbook states that ‘machine readable’ data is:

‘Data in a data format that can be automatically read and processed by a computer.’

Furthermore, Regulation 2 of the Re-use of Public Sector Information Regulations 2015 defines ‘machine-readable format’ as:

‘A file format structured so that software applications can easily identify, recognise and extract specific data, including individual statements of fact, and their internal structure.’

Machine-readable data can be made directly available to applications that request that data over the web. This is undertaken by means of an application programming interface (“API”).

If you are able to implement such a system then you can facilitate data exchanges with individuals and respond to data portability requests in an easy manner.

Should we use an ‘interoperable’ format?

Interoperability allows different systems to share information and resources. An ‘interoperable format’ is a type of format that allows data to be exchanged between different systems and be understandable to both.

You are not expected to maintain systems that are technically compatible with those of other organisations. Data portability is intended to produce interoperable systems, not compatible ones.

What formats can we use?

You may already be using an appropriate format within your networks and systems, and/or you may be required to use a particular format due to the particular industry or sector you are part of. Provided it meets the requirements of being structured, commonly-used and machine-readable, then it could be appropriate for a data portability request.

The use of open formats is encouraged. If your processing systems use proprietary formats which data subjects may not be able to access, you will need to perform some additional processing on the personal information in order to put it into the type of format requested by the data subject.

Where no specific format is in common use within your industry or sector, you should provide personal information using open formats such as CSV, XML and JSON. You may also find that these formats are the easiest for you to use when answering data portability requests.

For further information on CSV, XML and JSON, please see below.

What is CSV?

CSV stands for ‘Comma Separated Values’. It is defined by the Open Data Handbook as:

‘a standard format for spreadsheet data. Data is represented in a plain text file, with each data row on a new line and commas separating the values on each row. As a very simple open format it is easy to consume and is widely used for publishing open data.’

CSV is used to exchange data and is widely supported by software applications. Although CSV is not standardised, it is nevertheless structured, commonly used and machine-readable, and is therefore an appropriate format for you to use when responding to a data portability request.

What is XML?

XML stands for ‘Extensible Markup Language’. It is defined by the Open Data Handbook as:

‘a simple and powerful standard for representing structured data.’

It is a file format that is intended to be both human readable and machine-readable. Unlike CSV, XML is defined by a set of open standards maintained by the World Wide Web Consortium (“W3C”). It is widely used for documents, but can also be used to represent data structures such as those used in web services.

This means XML can be processed by APIs, facilitating data exchange. For example, you may develop or implement an API to exchange personal data in XML format with another organisation. In the context of data portability, this can allow you to transmit personal data to an individual’s personal data store, or to another organisation if the individual has asked you to do so.

What is JSON?

JSON stands for ‘JavaScript Object Notation’. The Open Data Handbook defines JSON as:

‘a simple but powerful format for data. It can describe complex data structures, is highly machine-readable as well as reasonably human-readable, and is independent of platform and programming language, and is therefore a popular format for data interchange between programs and systems.’

It is a file format based on the JavaScript language that many web sites use and is used as a data interchange format. As with XML, it can be read by humans or machines. It is also a standardised open format maintained by the W3C.

Are these the only formats we can use?

CSV, XML and JSON are three examples of structured, commonly used and machine-readable formats that are appropriate for data portability. However, this does not mean you are obliged to use them. Other formats exist that also meet the requirements of data portability.

Example

The RDF or ‘Resource Description Framework’ format is also a structured, commonly-used, machine-readable format. It is an open standard published by the W3C and is intended to provide interoperability between applications exchanging information.

You should, however, consider the nature of the portability request. If the data subject cannot make use of the format, even if it is structured, commonly-used and machine-readable, then the information will be of no use to him/her/it.
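The following Python example is added here and is not part of the original guidance. It builds a portability export in JSON and CSV that keeps provided and derived information about the requester, leaves out third-party details, and withholds jointly provided records until every co-owner has agreed. The record layout, field names and the SHA-256 digest step are assumptions made for illustration.

```python
import csv
import hashlib
import io
import json

# Constructed sample records; the layout and field names are assumptions.
RECORDS = [
    {"owners": ["S-1001"], "kind": "provided", "field": "mailing_address",
     "value": "12 Example Road"},
    {"owners": ["S-1001"], "kind": "derived", "field": "user_profile",
     "value": "frequent-traveller"},
    {"owners": ["S-1001"], "kind": "provided", "field": "payment",
     "value": "250.00", "third_party": {"name": "J. Doe"}},
    {"owners": ["S-1001", "S-2002"], "kind": "provided",
     "field": "joint_account_balance", "value": "1900.00"},
    {"owners": ["S-2002"], "kind": "provided", "field": "mailing_address",
     "value": "7 Sample Street"},
]
EXPORT_FIELDS = ("field", "kind", "value")  # allow-list: nothing else leaves


def build_export(records, subject_id, consenting=frozenset()):
    """Return (rows, withheld) for one data subject's portability request."""
    rows, withheld = [], []
    for rec in records:
        owners = set(rec["owners"])
        if subject_id not in owners:
            continue  # another data subject's information: out of scope
        if not (owners - {subject_id}) <= set(consenting):
            withheld.append(rec["field"])  # joint record, agreement missing
            continue
        # Copy only allow-listed keys, so third-party details are dropped
        # while provided and derived data about the requester are kept.
        rows.append({key: rec[key] for key in EXPORT_FIELDS})
    return rows, withheld


def to_json(rows):
    """Structured, machine-readable JSON with a stable key order."""
    return json.dumps(rows, indent=2, sort_keys=True)


def to_csv(rows):
    """The same rows as CSV, one header line followed by one row per item."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=EXPORT_FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def sha256_hex(payload):
    """Digest the recipient can use to check the file arrived unaltered."""
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()
```

The `withheld` list gives staff the fields that still need agreement from the other account holders before they can be released.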

What responsibilities do we have when we receive personal information because of a data portability request?

When you receive personal information that has been transmitted as part of a data portability request, you need to process this information in line with data protection requirements of POPIA.

In deciding whether to accept and retain personal information, you should consider whether the information is relevant and not excessive in relation to the purposes for which you will process it. You also need to consider whether the information contains any third party information.

As a new responsible party, you need to ensure that you have an appropriate lawful basis for processing any third party data and that this processing does not adversely affect the rights and freedoms of those third parties. If you have received personal information which you have no reason to keep, you should delete it as soon as possible. When you accept and retain information, it becomes your responsibility to ensure that you comply with the requirements of POPIA.

In particular, if you receive third party data you should not use this for your own purposes. You should keep the third party data under the sole control of the data subject who has made the portability request, and it should only be used for their own purposes.

 

When can we refuse to comply with a request for data portability?

If an exemption applies, you can refuse to comply with a request for data portability (wholly or partly). Not all of the exemptions apply in the same way, and you should look at each exemption carefully to see how it applies to a particular request. 

What should we do if we refuse to comply with a request for data portability?

You must inform the individual without undue delay and within one month of receipt of the request.

You should inform the individual about:

  • the reasons you are not taking action;
  • their right to make a complaint to the Information Regulator; and
  • their ability to seek to enforce this right through a judicial remedy.

You should also provide this information if you request a reasonable fee or need additional information to identify the individual.

How do we recognise a request?

POPIA does not specify how individuals should make data portability requests. Therefore, requests could be made verbally or in writing. They can also be made to anyone who is part of your organisation and do not have to be made to a specific person or contact point.

This presents a challenge as any of your employees could receive a valid request. However, you have a legal responsibility to identify that a data subject has made a request to you and handle it accordingly. Therefore, you may need to consider which of your staff who regularly interact with individuals need specific training to identify a request.

Additionally, it is good practice to have a policy for recording details of the requests you receive, particularly those made by telephone or in person. You may wish to check with the requester that you have understood their request, as this can help avoid later disputes about how you have interpreted the request. We also recommend that you keep a log of all requests.

In practice, you may already have processes in place to enable your staff to recognise subject access requests, such as training or established procedures. You could consider adapting them to ensure your staff also recognise data portability requests.

Can we charge a fee?

You cannot charge a fee to comply with a request for data portability.

How long do we have to comply?

You must comply with a request for data portability as soon as reasonably practicable and at the latest within one month of receipt of the request or (if later) within one month of receipt of:

  • any information requested to confirm the requester’s identity.

You should calculate the time limit from the day you receive the request (whether it is a working day or not) until the corresponding calendar date in the next month.

Can we ask an individual for ID?

If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality. You should take into account what data you hold, the nature of the data, and what you are using it for.

You need to let the individual know as soon as possible that you need more information from them to confirm their identity before responding to their request. The period for responding to the request begins when you receive the additional information.
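The time-limit rules above, applied to a request log, as an added Python example that is not part of the original guidance. The log layout and status names are assumptions, and so is the handling of a month with no corresponding date (the last day of that month is used), which the page does not address.

```python
import calendar
from datetime import date


def one_month_after(start):
    """Corresponding calendar date in the next month.

    Assumption (not stated on the page): if the next month has no such
    date, e.g. for 31 January, the last day of that month is used.
    """
    year = start.year + start.month // 12
    month = start.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def response_deadline(entry):
    """Deadline for a log entry, or None while the clock has not started."""
    if entry.get("id_requested"):
        if entry.get("id_received") is None:
            return None  # still waiting for information confirming identity
        # The period begins when the additional information is received.
        return one_month_after(max(entry["received"], entry["id_received"]))
    return one_month_after(entry["received"])


def status(entry, today):
    """Classify one request as closed, awaiting-identity, overdue or open."""
    if entry.get("closed"):
        return "closed"
    deadline = response_deadline(entry)
    if deadline is None:
        return "awaiting-identity"
    return "overdue" if today > deadline else "open"


# Constructed request log, including verbal requests recorded by staff.
REQUEST_LOG = [
    {"ref": "DPR-001", "channel": "telephone", "received": date(2024, 1, 31)},
    {"ref": "DPR-002", "channel": "email", "received": date(2024, 3, 3),
     "id_requested": True, "id_received": date(2024, 3, 10)},
    {"ref": "DPR-003", "channel": "in person", "received": date(2024, 4, 2),
     "id_requested": True, "id_received": None},
]


def report(today, log=REQUEST_LOG):
    """Map each request reference to its status on the given day."""
    return {entry["ref"]: status(entry, today) for entry in log}
```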