“I run a small franchise electronics store. I collect basic personal information from our customers that we keep on file and use for marketing notifications to our customers. The other day an upset customer demanded to know what personal information we have of her and said that the POPI Act gave her the right to request a complete copy of her personal information we have. We gave it to her, but I was just wondering whether she really has the right to ask for this?”
The Protection of Personal Information Act 4 of 2013 (“POPI”) was enacted to promote the constitutional right to privacy and align South Africa with the international community regarding information and data protection. Although POPI has not yet fully come into operation, is has been signed into law and it is only a matter of time before it comes into effect.
POPI places an important responsibility on parties who collect, store, use and destroy personal information (“responsible parties”) and also provides rights and remedies to persons whose personal information is being processed (“data subjects”).
POPI authorises data subjects to request access to the personal information held by a responsible party, as well as the amendment and deletion of such information under certain circumstances. Responsible parties are obliged, if so requested, to provide confirmation free of charge to data subjects that they hold their personal information, to provide a description of the personal information in question and to confirm the identity of all third parties or the categories of third parties who have received their personal information.
Any such request from a data subject must be complied with –
- within a reasonable time;
- at a prescribed fee (may be levied before the actual record or description of the personal information is made available to the data subject);
- in a reasonable manner and format; and
- in a form that is generally understandable.
Should a responsible party not wish to provide personal information to a data subject such refusal must be based on the same grounds for refusal as allowed under the Promotion of Access to Information Act 2 of 2000.
Data subjects may, in terms of POPI, also request that their personal information be corrected or deleted in circumstances where such information has become outdated, is not accurate, is incomplete, misleading, or excessive, if it has not been obtained by lawful means, or if the responsible party is no longer entitled to retain the information.
In terms of POPI responsible parties are obliged to provide access to personal information of a data subject only to that data subject, unless the data subject consents otherwise, and may require adequate proof of the identity of the data subject prior to them receiving access to their personal information. Responsible parties should comply with such a request within a reasonably practicable timeframe and tender proof that the request had been complied with.
As POPI will apply to your business, it is correct that you provided access to the personal information. This does not mean that such access should be blanket, and our advice would be to consider having a clear data privacy and access policy drafted for your business in terms of which you can in future deal with such requests for information.