Data Subject Rights
Everyone has the right to be informed if someone is collecting their personal information, or if their personal information has been accessed by an unauthorized person. In addition, they have the right of access to their personal information and to require that personal information be corrected or destroyed, or they may object to their personal information being processed.
The Act does not apply to personal information processed
- in the course of a personal or household activity,
- or where the processing authority is a public body involved in national security, defense, public safety, anti-money laundering,
- or the Cabinet or Executive Council of the Province
- or as part of a judicial function.
Personal information can only be processed: (Section 11)
- with the consent of the “data subject”; or
- if it is necessary for the conclusion or performance of a contract to which the “data subject” is a party; or
- if it is required by law; or
- if it protects a legitimate interest of the “data subject”; or
- if it is necessary to pursue your legitimate interests or the interest of a third party to whom the information is supplied.
Everyone has the right to object to having their personal information processed. They have the right to withdraw their consent, or object if they can show legitimate grounds for their objection.
A Responsible Party has to collect personal information directly from the “data subject”, unless:
- this information is contained in some public record or has been deliberately published by the data subject;
- collecting the information from another source does not prejudice the subject;
- it is necessary for some public purpose; or to protect their own interests;
- obtaining the information directly from the subject would prejudice a lawful purpose or is not reasonably possible.
Personal Information may only be collected for a specific, explicitly defined and lawful purpose and the data subject must be aware of the purpose for which the information is being collected. (section 13)
Once the Personal Information is no longer needed for the specific purpose for which it was gathered, it must be disposed of (or the data subject must be “de-identified”).
Personal Information may only be kept if it is allowed by law, or the information is needed to keep the record for lawful purpose or in accordance with the contract between the company and the data subject, or the data subject has consented to the data processor keeping the records. (section 14)
The company is entitled to keep records of personal information for historical, statistical or research purposes if it has been “de-identified” and safeguards have been established to prevent the records being used for any other purposes.
Records must be destroyed in a way that prevents them from being reconstructed.
Personal information may only be used for the purpose which the data was collected. (section 15)
Documentation relating to personal information and how it has been processed must be maintained as referred to in section 14 or 51 of the Promotion of Access to Information Act.
When information is being collected, data subjects must be made aware of: (section 18)
- the information that is being collected and if the information is not being collected from the subject, the subject must be made aware of the source from which the information is being collected;
- the name and address of the person/organisation collecting the information;
- the purpose of the collection of information;
- what period the information will be retained for and assurance given that it will be destroyed by given date;
- whether the supply of the information by the subject is voluntary or mandatory;
- the consequences of failure to provide the information;
- whether the information is being collected in accordance with any law;
- if it is intended for the information to leave the country and what level of protection will be afforded to the information after it has left South Africa.
- who will be receiving the information;
- that the data subject has access to the information and the right to rectify any details;
- that the data subject has the right to object to the information being processed (if such right exists);
- that the data subject has the right to lodge a complaint to the Information Regulator. The contact details of the Information Regulator must also be supplied. (section 18)
These requirements have to be met before the information is collected directly from the subject, or soon as reasonably practicable. If additional information is collected from a subject for a different purpose, the same process must be followed.
This article must be read in conjunction with the POPI Act which can be downloaded from Act No. 4 of 2013 : Protection of Personal Information Act, 2013