- POPIA introduces a right for data subjects to have personal information erased.
- The right to erasure is also known as ‘the right to be forgotten’.
- Data subjects must make a request for erasure in writing using the prescribed form (Form 2).
- You have one month to respond to a request.
- The right is not absolute.
- This right is not the only way in which POPIA places an obligation on you to consider whether to delete personal information.
Preparing for requests for erasure
☐ We know how to recognise a request for erasure and we understand when the right applies.
☐ We understand when we can refuse a request and are aware of the information we need to provide to individuals when we do so.
Complying with requests for erasure
☐ We have processes in place to ensure that we respond to a request for erasure without undue delay and within one month of receipt.
☐ We are aware of the circumstances when we can extend the time limit to respond to a request.
☐ We understand that there is a particular emphasis on the right to erasure if the request relates to information collected from children.
☐ We have procedures in place to inform any recipients if we erase any information we have shared with them.
☐ We have appropriate methods in place to erase information.
- What is the right to erasure?
- When does the right to erasure apply?
- How does the right to erasure apply to data collected from children?
- Do we have to tell other organisations about the erasure of personal data?
- Do we have to erase personal data from backup systems?
- When does the right to erasure not apply?
- Can we refuse to comply with a request for other reasons?
- What should we do if we refuse to comply with a request for erasure?
- How do we recognise a request?
- Can we charge a fee?
- How long do we have to comply?
- Can we extend the time for a response?
- Can we ask an individual for ID?
Under Section 14(4) and 24(1) of POPIA data subjects have the right to have personal information erased. This is also known as the ‘right to be forgotten’. The right is not absolute and does not apply in all certain circumstances.
When does the right to erasure apply?
Data subjects have the right to have their personal information erased if:
- the personal information is no longer necessary for the purpose which you originally collected or processed it for;
- you are relying on consent as your lawful basis for holding the information, and the data subject withdraws his/her/its consent;
- you are relying on legitimate interests as your basis for processing, the data subject objects to the processing of their information, and there is no overriding legitimate interest to continue this processing;
- you are processing the personal information for direct marketing purposes and the data subject objects to that processing;
- you have processed the personal information unlawfully;
- you have to do it to comply with a legal obligation; or
- you have processed the personal information to offer information society services to a child.
How does the right to erasure apply to information collected from children?
There is an emphasis on the right to have personal information erased if the request relates to information collected from children. This reflects the enhanced protection of children’s information, especially in online environments, under POPIA.
Therefore, if you process information collected from children, you should give particular weight to any request for erasure if the processing of the information is based upon consent given by a child – especially any processing of their personal information on the internet. This is still the case when the data subject is no longer a child, because a child may not have been fully aware of the risks involved in the processing at the time of consent.
Do we have to tell other organisations about the erasure of personal information?
POPIA specifies two circumstances where you should tell other organisations about the erasure of personal information:
- the personal information has been disclosed to others; or
- the personal information has been made public in an online environment (for example on social networks, forums or websites).
If you have disclosed the personal information to others, you must contact each recipient and inform them of the erasure, unless this proves impossible or involves disproportionate effort. You must also inform the data subjects about these recipients.
A recipient is natural or legal person, public authority, agency or other body to which the personal information are disclosed. The definition includes responsible parties, operators and persons who, under the direct authority of the responsible party or processor, are authorised to process personal information.
Where personal data has been made public in an online environment reasonable steps should be taken to inform other responsible parties who are processing the personal information to erase links to, copies or replication of that information. When deciding what steps are reasonable you should take into account available technology and the cost of implementation.
Do we have to erase personal data from backup systems?
If a valid erasure request is received and no exemption applies then you will have to take steps to ensure erasure from backup systems as well as live systems. Those steps will depend on your particular circumstances, your retention schedule (particularly in the context of its backups), and the technical mechanisms that are available to you.
You must be absolutely clear with individuals as to what will happen to their information when their erasure request is fulfilled, including in respect of backup systems.
It may be that the erasure request can be instantly fulfilled in respect of live systems, but that the data will remain within the backup environment for a certain period of time until it is overwritten.
The key issue is to put the backup data ‘beyond use’, even if it cannot be immediately overwritten. You must ensure that you do not use the information within the backup for any other purpose, i.e. that the backup is simply held on your systems until it is replaced in line with an established schedule.
When does the right to erasure not apply?
The right to erasure does not apply if processing is necessary for one of the following reasons:
- to exercise the right of freedom of expression and information (i.e. journalistic purposes);
- to comply with a legal obligation;
- for the performance of a task carried out in the public interest or in the exercise of official authority;
- for archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
- for the establishment, exercise or defence of legal claims.
POPIA also specifies two circumstances where the right to erasure will not apply to special category information:
- if the processing is necessary for public health purposes in the public interest (e.g. protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices); or
- if the processing is necessary for the purposes of preventative or occupational medicine (e.g. where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services). This only applies where the information is being processed by or under the responsibility of a professional, subject to a legal obligation of professional secrecy (e.g. a health professional).
Can we refuse to comply with a request for other reasons?
If an exemption applies, you can refuse to comply with a request for erasure (wholly or partly). Not all of the exemptions apply in the same way, and you should look at each exemption carefully to see how it applies to a particular request.
What should we do if we refuse to comply with a request for erasure?
You must inform the data subject without undue delay and within one month of receipt of the request.
You should inform the individual about:
- the reasons you are not taking action;
- their right to make a complaint to the Information Regulator; and
- their ability to seek to enforce this right through a judicial remedy.
How do we recognise a request?
The data subject must make a request for erasure in writing or online using the prescribed form. The form can be handed to anyone who is part of your organisation and does not have to be to a specific person or contact point. Best practice would be to have the data subject complete the online form and direct it to the information officer.
It is good practice to keep a log of all requests for erasure.
Can we charge a fee?
You cannot charge a fee to comply with a request for erasure.
How long do we have to comply?
You must comply with a request for erasure as soon as reasonably practicable and at the latest within one month of receipt of the request or (if later) within one month of receipt of:
- any information requested to confirm the requester’s identity.
You should calculate the time limit from the day you receive the request (whether it is a working day or not) until the corresponding calendar date in the next month.
For practical purposes, if a consistent number of days is required (e.g. for operational or system purposes), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.
Can we extend the time for a response?
You can extend the time to respond if the request is complex or you have received a number of requests from the data subject. You must let the datasubject know within one month of receiving their request and explain why the extension is necessary.
Can we ask an individual for ID?
If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality. You should take into account what data you hold, the nature of the data, and what you are using it for. You may not take a copy of a data subject's identity document.
You must let the individual know without undue delay and within one month that you need more information from them to confirm their identity. You do not need to comply with the request until you have received the additional information.