Overview

  • Data subjects have the right to request the restriction or suppression of their personal information.
  • This is not an absolute right and only applies in certain circumstances.
  • When processing is restricted, you are permitted to store the personal information, but not use it.
  • A data subject can make a request for restriction verbally or in writing.
  • You have one calendar month to respond to a request.
  • This right has close links to the right to rectification (Section 24) and the right to object (Section 11(3) and 69(3)).


Checklist

Preparing for requests for restriction

☐ We know how to recognise a request for restriction and we understand when the right applies.

☐ We have a policy in place for how to record requests we receive verbally.

☐ We understand when we can refuse a request and are aware of the information we need to provide to individuals when we do so.

Complying with requests for restriction

☐ We have processes in place to ensure that we respond to a request for restriction without undue delay and within one month of receipt.

☐ We are aware of the circumstances when we can extend the time limit to respond to a request.

☐ We have appropriate methods in place to restrict the processing of personal information on our systems.

☐ We have appropriate methods in place to indicate on our systems that further processing has been restricted.

☐ We understand the circumstances when we can process personal information that has been restricted.

☐ We have procedures in place to inform any recipients if we restrict any information we have shared with them.

☐ We understand that we need to tell individuals before we lift a restriction on processing.


Briefly

What is the right to restrict processing?

Section 14 of POPIA gives individuals the right to restrict the processing of their personal information in certain circumstances. This means that a data subject can limit the way that an organisation uses their information. This is an alternative to requesting the erasure of their information.

Data subjects have the right to restrict the processing of their personal information where they have a particular reason for wanting the restriction. This may be because they have issues with the content of the information you hold or how you have processed their information. In most cases you will not be required to restrict a data subject’s personal information indefinitely, but will need to have the restriction in place for a certain period of time.

When does the right to restrict processing apply?

Data subjects have the right to request you restrict the processing of their personal information in the following circumstances:

  • the data subject contests the accuracy or completeness of their personal information and you are verifying the accuracy or completeness of the data;
  • the information has been unlawfully processed (i.e. in breach of the lawfulness requirement) and the data subject opposes erasure and requests restriction instead;
  • you no longer need the personal information but the data subject needs you to keep it in order to establish, exercise or defend a legal claim;
  • the data subject requests you to transmit the personal information into another automated processing system; or
  • the data subject has objected to you processing their information under Section 11, and you are considering whether your legitimate grounds override those of the data subject.

Although this is distinct from the right to rectification and the right to object, there are close links between those rights and the right to restrict processing:

  • if an individual has challenged the accuracy of their data and asked for you to rectify it (Section 24), they also have a right to request you restrict processing while you consider their rectification request; or
  • if an individual exercises their right to object under Section 11(3), you must restrict processing while you consider their objection request.

Therefore, as a matter of good practice you should automatically restrict the processing whilst you are considering its accuracy or completeness, or the legitimate grounds for processing the personal information in question.

How do we restrict processing?

You need to have processes in place that enable you to restrict personal information if required. It is important to note that the definition of processing includes a broad range of operations including collection, structuring, dissemination and erasure of information. Therefore, you should use methods of restriction that are appropriate for the type of processing you are carrying out.

Methods that could be used to restrict information include:

  • temporarily moving the information to another processing system;
  • making the information unavailable to users; or
  • temporarily removing published information from a website.

It is particularly important that you consider how you store personal information that you no longer need to process but the data subject has requested you restrict (effectively requesting that you do not erase the data).

If you are using a computer system, you need to use technical measures (for example access controls, a read-only or quarantined state for the affected records, or suppression from downstream processing jobs) to ensure that any further processing cannot take place and that the data cannot be changed whilst the restriction is in place. You should also mark on your system that the processing of this information has been restricted, so that anyone who encounters the record can see the restriction rather than having to infer it.

Can we do anything with restricted information?

You must not process the restricted information in any way except to store it unless:

  • you have the data subject’s consent;
  • it is for the establishment, exercise or defence of legal claims;
  • it is for the protection of the rights of another data subject; or
  • it is for reasons of important public interest.
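The two passages above (technical measures to freeze a restricted record and mark it as restricted, and the narrow set of purposes for which restricted information may still be processed) describe an access-control pattern rather than a specific product. The following is an added example, not code from the original page or from any POPIA guidance: an in-memory record store that carries a restriction flag per data subject, gates reads by declared processing purpose, blocks all changes while the restriction is in place, refuses to lift the restriction until the data subject has been informed, and writes every decision to an audit log. The `Purpose` names, the `Store` API and the sample record are assumptions chosen for illustration.

```python
"""Purpose-gated access to personal information under a processing restriction.

Added example. Purposes, store API and sample data are illustrative assumptions,
not terms defined by POPIA or taken from the original page.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Optional


class Purpose(Enum):
    STORAGE = "storage"                      # always permitted while restricted
    CONSENT = "consent"                      # data subject has consented to this use
    LEGAL_CLAIM = "legal_claim"              # establish, exercise or defend a legal claim
    THIRD_PARTY_RIGHTS = "third_party_rights"  # protection of the rights of another person
    PUBLIC_INTEREST = "public_interest"      # important public interest
    MARKETING = "marketing"                  # ordinary business use: blocked while restricted
    ANALYTICS = "analytics"                  # ordinary business use: blocked while restricted


# Purposes for which a restricted record may still be processed.
PERMITTED_WHILE_RESTRICTED = frozenset({
    Purpose.STORAGE, Purpose.CONSENT, Purpose.LEGAL_CLAIM,
    Purpose.THIRD_PARTY_RIGHTS, Purpose.PUBLIC_INTEREST,
})


class RestrictionError(PermissionError):
    """Raised when an operation is not allowed because processing is restricted."""


@dataclass
class Record:
    subject_id: str
    data: Dict[str, str]
    restricted: bool = False
    restriction_reason: Optional[str] = None
    subject_informed_of_lift: Optional[datetime] = None


@dataclass
class Store:
    records: Dict[str, Record] = field(default_factory=dict)
    audit: List[dict] = field(default_factory=list)

    def _log(self, subject_id: str, action: str, purpose: Optional[Purpose], allowed: bool) -> None:
        self.audit.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "subject": subject_id, "action": action,
            "purpose": purpose.value if purpose else None, "allowed": allowed,
        })

    def restrict(self, subject_id: str, reason: str) -> None:
        """Mark the record as restricted; the reason is visible to anyone who reads the record's status."""
        rec = self.records[subject_id]
        rec.restricted, rec.restriction_reason, rec.subject_informed_of_lift = True, reason, None
        self._log(subject_id, "restrict", None, True)

    def read(self, subject_id: str, purpose: Purpose) -> Dict[str, str]:
        """Return a copy of the data if the declared purpose is permitted for the record's state."""
        rec = self.records[subject_id]
        allowed = (not rec.restricted) or purpose in PERMITTED_WHILE_RESTRICTED
        self._log(subject_id, "read", purpose, allowed)
        if not allowed:
            raise RestrictionError(f"processing restricted for {subject_id}: {rec.restriction_reason}")
        return dict(rec.data)  # copy, so callers cannot mutate the stored record through the reference

    def update(self, subject_id: str, changes: Dict[str, str]) -> None:
        """Changes are frozen while restricted: storage does not include modification."""
        rec = self.records[subject_id]
        self._log(subject_id, "update", None, not rec.restricted)
        if rec.restricted:
            raise RestrictionError(f"record for {subject_id} is frozen while processing is restricted")
        rec.data.update(changes)

    def lift(self, subject_id: str, subject_informed_at: Optional[datetime]) -> None:
        """Lift the restriction only once the data subject has been informed of the decision."""
        rec = self.records[subject_id]
        if subject_informed_at is None:
            self._log(subject_id, "lift", None, False)
            raise RestrictionError("inform the data subject before lifting the restriction")
        rec.restricted, rec.restriction_reason = False, None
        rec.subject_informed_of_lift = subject_informed_at
        self._log(subject_id, "lift", None, True)

    def denied_attempts(self, subject_id: str) -> List[dict]:
        return [e for e in self.audit if e["subject"] == subject_id and not e["allowed"]]


def demo() -> Store:
    """Walk one record through restriction and lifting (constructed sample data)."""
    store = Store()
    store.records["ds-001"] = Record("ds-001", {"name": "A. Example", "email": "a@example.invalid"})
    store.read("ds-001", Purpose.MARKETING)                    # allowed before restriction
    store.restrict("ds-001", "accuracy contested; verification in progress")
    for blocked in (lambda: store.read("ds-001", Purpose.MARKETING),
                    lambda: store.update("ds-001", {"email": "new@example.invalid"}),
                    lambda: store.lift("ds-001", None)):
        try:
            blocked()
        except RestrictionError:
            pass
    store.read("ds-001", Purpose.LEGAL_CLAIM)                  # still permitted while restricted
    store.lift("ds-001", datetime.now(timezone.utc))
    return store
```

The purpose argument is the important design choice: callers must declare why they are touching the record, which lets the store enforce the exceptions listed above and leaves an audit trail of refused attempts that can be shown to the data subject or the Information Regulator if the handling of a restriction is later disputed.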

Do we have to tell other organisations about the restriction of personal information?

Yes. If you have disclosed the personal information in question to others, you must contact each recipient and inform them of the restriction of the personal information, unless this proves impossible or involves disproportionate effort. You must also inform the data subject about these recipients.

A recipient is a natural or legal person, public authority, agency or other body to which the personal information is disclosed. This includes responsible parties, operators and persons who, under the direct authority of the responsible party or operator, are authorised to process personal information.

When can we lift the restriction?

In many cases the restriction of processing is only temporary, specifically when the restriction is on the grounds that:

  • the data subject has disputed the accuracy or completeness of the personal information and you are investigating this; or
  • the data subject has objected to you processing their information on the basis that it is necessary for the performance of a task carried out in the public interest or for the purposes of your legitimate interests, and you are considering whether your legitimate grounds override those of the data subject.

Once you have made a decision on the accuracy or completeness of the information, or whether your legitimate grounds override those of the data subject, you may decide to lift the restriction.

If you do this, you must inform the data subject before you lift the restriction.

As noted above, these two conditions are linked to the right to rectification and the right to object. This means that if you are informing the data subject that you are lifting the restriction (on the grounds that you are satisfied that the information is accurate and complete, or that your legitimate grounds override theirs) you should also inform them of the reasons for your refusal to act upon their rights. You will also need to inform them of their right to make a complaint to the Information Regulator; and their ability to seek a judicial remedy.

Can we refuse to comply with a request for restriction?

If an exemption applies, you can refuse to comply with a request for restriction (wholly or partly). Not all of the exemptions apply in the same way, and you should look at each exemption carefully to see how it applies to a particular request.

What should we do if we refuse to comply with a request for restriction?

You must inform the data subject without undue delay and within one month of receipt of the request.

You should inform the data subject about:

  • the reasons you are not taking action;
  • their right to make a complaint to the Information Regulator; and
  • their ability to seek to enforce this right through a judicial remedy.

How do we recognise a request?

POPIA does not specify how to make a valid request. Therefore, a data subject can make a request for restriction verbally or in writing. It can also be made to any part of your organisation and does not have to be to a specific person or contact point.

A request does not have to include the phrase 'request for restriction' as long as one of the conditions listed above applies.

This presents a challenge as any of your employees could receive a valid verbal request. However, you have a legal responsibility to identify that a data subject has made a request to you and handle it accordingly. Therefore you may need to consider which of your staff who regularly interact with individuals may need specific training to identify a request.

Additionally, it is good practice to have a policy for recording details of the requests you receive, particularly those made by telephone or in person. You may wish to check with the requester that you have understood their request, as this can help avoid later disputes about how you have interpreted the request. We also recommend that you keep a log of verbal requests.

Can we charge a fee?

You cannot charge a fee to comply with a request for restriction.

How long do we have to comply?

You must comply with a request for restriction as soon as reasonably practicable and at the latest within one month of receipt of the request or, if later, within one month of receiving any information you have requested to confirm the requester's identity.

You should calculate the time limit from the day you receive the request (whether it is a working day or not) until the corresponding calendar date in the next month. If the next month has no corresponding date (for example, a request received on 31 January), treat the last day of that month as the deadline.

For practical purposes, if a consistent number of days is required (e.g. for operational or system purposes), it may be helpful to adopt a 28-day period, since no calendar month is shorter than 28 days this always falls within the one-month limit.
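Deadline calculation is where case-handling systems most often go wrong, because "the corresponding date next month" does not exist for every receipt date. The following is an added example, not code from the original page: a small Python helper that computes the response deadline by calendar month (clamping to the last day of the following month where necessary), restarts the clock when identity information is received later, and checks the claim that a fixed 28-day period never overruns the calendar-month deadline. Function names and the sample dates are assumptions chosen for illustration.

```python
"""Response-deadline arithmetic for a request for restriction.

Added example; function names and sample dates are illustrative assumptions.
"""
import calendar
from datetime import date, timedelta
from typing import Optional


def add_calendar_month(start: date) -> date:
    """Corresponding calendar date one month later; if that month is shorter, its last day."""
    year = start.year + (1 if start.month == 12 else 0)
    month = 1 if start.month == 12 else start.month + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def response_deadline(received: date, identity_info_received: Optional[date] = None) -> date:
    """Latest date to respond: one month from receipt, or from receipt of requested identity information if later."""
    clock_start = received
    if identity_info_received is not None and identity_info_received > received:
        clock_start = identity_info_received
    return add_calendar_month(clock_start)


def fixed_period_deadline(received: date, days: int = 28) -> date:
    """Operational shortcut: a fixed number of days from receipt."""
    return received + timedelta(days=days)


def fixed_period_never_overruns(year: int, days: int = 28) -> bool:
    """Check, for every day of the given year, that the fixed period ends on or before the calendar-month deadline."""
    d = date(year, 1, 1)
    while d.year == year:
        if fixed_period_deadline(d, days) > response_deadline(d):
            return False
        d += timedelta(days=1)
    return True
```

The clamping rule is the edge case to test for: a request received on 31 January must be answered by 28 February (29 February in a leap year), not silently rolled forward to 2 or 3 March by naive day arithmetic.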

Can we extend the time for a response?

You can extend the time to respond if the request is complex or you have received a number of requests from the data subject. You must let the data subject know within one month of receiving their request and explain why the extension is necessary.

Can we ask an individual for ID?

If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality. You should take into account what data you hold, the nature of the data, and what you are using it for.

You must let the data subject know without undue delay and within one month that you need more information from them to confirm their identity. You do not need to comply with the request until you have received the additional information.