POPIA DATA SUBJECT REQUEST PROCEDURE
1. PURPOSE AND INTRODUCTION
- This procedure supports Mustard Seed Tree’s Protection of Personal Information Policy, which has been developed to give effect to the Protection of Personal Information Act, 4 of 2013 (hereinafter referred to as “POPIA”) and the regulations promulgated in terms thereof (hereinafter referred to as “Regulations”).
- POPIA provides for a number of different personal information requests to be made to the Information Officer of a company, who processes information of data subjects.
- This procedure outlines the steps to be taken to address any one of the above according to the specified requirements regarding time scales and manner prescribed by POPIA, the Promotion of Access to Information Act, 2 of 2000 (hereinafter referred to as “PAIA”) and the regulations promulgated in terms of the mentioned legislation.
- The Data Request Decision-making Guidelines support this Procedure and must be used as and when a decision to grant or refuse a request by a requester is taken.
- The following documents need to be considered part of this Procedure:
- Mustard Seed Tree’s Protection of Personal Information Policy
- Customer Privacy Notice
- Request Register/Log
- Request Procedure flowchart (step by step process)
- Request/Objection Forms 1, 2, 3 and 4
- Form 1 – Request for Access and Additional Information
- Form 2 – Request for Correction or Deletion
- Form 3 – Request to Limit Processing
- Form 4 – Objection to Processing
- Personal Information Processing Manual Procedures
- Records Retention Policy
- Security Incident Management Policy
- Security Incident Notification Procedures
2. SECTIONS OF POPI AND PAIA ADDRESSED
- POPIA:
- Section 5 – Rights of Data Subjects
- Section 11(3)(a) – Objection to Processing of Personal Information read with section 11(1)(d) to (f)
- Section 3(b) – Objection to processing of Personal Information for purposes of direct marketing other than by means of unsolicited electronic communications
- Section 23 – Access to Personal Information
- Section 24 – Correction and/or deletion of Personal Information
- Section 55 and Regulation 4 – Duties and responsibilities of Information Officers
- Section 74 (1) or (2) – Appeals to the Information Regulator
- Regulation 2 and 3 and Forms 1 and 2 Regulation 6 –
- PAIA:
- Section 50 – Right of access to records of private bodies
- Section 51 – Manual
- Section 52 – Voluntary disclosure and automatic availability of certain records
- Section 53 – Form of request
- Section 54 – Fees
- Section 55 – Records that cannot be found or do not exist
- Section 56 – Decision on Request and notification thereof
- Section 57 – Extension of period to deal with the request
- Section 58 – Deemed refusal of request
- Section 59 – Severability
- Section 60 – Form of access
- Section 61 – Access to health and other records
- Sections 62 – 70 – Grounds for refusal of access to records
3. WHO MAY REQUEST INFORMATION OR RECORDS
- The POPIA provides that a person may only request information if that information is required for the exercise or protection of a right.
- The capacity in terms of which a requester requests documentation/information will determine the category in which he/she/it falls.
- The Requester category has a bearing on the conditions of access to the information.
- Requesters are classified into 4 (four) categories:
- A personal requester/data subject requester requests information about himself/herself/itself.
- A representative requester requests information on behalf of and with the necessary authorisation of a data subject.
- A third-party requester requests information, without express authorisation of a data subject, to protect a right or interest of such third party.
- A public body requests information of a data subject based on public interest
4. TYPES OF REQUESTS AND COMPLAINTS
- Requests
- Request for access to personal information/record and access to additional personal information/record
- Request for correction and/or deletion of personal information/record
- Request for a restriction on the processing of personal information/record
- Objection to the processing of personal Information
- Objection to processing of information for the purpose of direct marketing by means of unsolicited electronic communications
- Complaints
- If a Data Subject raises a complaint regarding how Mustard Seed Tree has handled his/her/its PI, such Data Subject may contact Mustard Seed Tree’s Information Officer who must investigate the matter.
- If a Data Subject is not satisfied with Mustard Seed Tree’s response or believes that Mustard Seed Tree is not processing his/her/its PI in accordance with the POPIA, such Data Subject may lodge a complaint with the Information Regulator as per Section 74 (1) or (2) of POPIA.
5. ACCESS POINT FOR REQUESTS AND COMPLAINTS
- Mustard Seed Tree’s Information Officer shall be the only entry point through which any Personal Information Request in terms of the POPIA must be channelled and processed.
- The relevant data request forms are available for download from Mustard Seed Tree’s website www.themustardseedtree.com/forms
- A requester may also make a request to Mustard Seed Tree by means of email, telephone or in person, to send him/her/it the necessary Forms.
- All requests in terms of the POPIA must therefore be addressed to:
- All requests must be emailed or sent to the Information Officer.
6. REQUEST PROCESSING PROCEDURE
- Any request in terms of the POPIA must be submitted by the Requester to Mustard Seed Tree at the address specified on the Form and set out in clause 5 above (i.e. Access Point for Requests for Information) of this Procedure, together with any other information that may be required when making a decision pertinent to the request.
- A Data Request Processing Register shall be kept.
- The Request Administrator, appointed by the Information Officer, shall immediately when a request or objection is received, log the request/objection in the Data Request Processing Register and track the progress of the processing of the request in the mentioned Register.
- The Information Officer is authorised to refer a request to any one of Mustard Seed Tree’s Deputy Information Officers for processing.
- A request which does not comply with the formalities contained in this Procedure will be referred to the requester with advice on the necessary steps for compliance and re-submission.
- Mustard Seed Tree shall not commence processing of the Data Subject Request unless:
- The Request documentation is complete.
- The Requester who lodged a request/objection provides sufficient information to enable Mustard Seed Tree:
- To properly identify the requester (i.e. submit acceptable proof of identity such as a certified copy of their Identity Document/Passport or other legal form of identification)
- To properly confirm that the requester indeed has the legal authority to make the request (i.e. an explanation of the requester’s right to exercise any of the rights provided for in POPIA)
- To identify the legal basis and purpose/reasons of the specific request.
- A request shall be processed within 30 days from the date that Mustard Seed Tree has received such data request, except where Mustard Seed Tree has, prior to the expiry of the above 30 days, arranged with the requester for an extension of no longer than an additional 30 days.
- Where the requester is required to pay a fee for services or information provided to him/her/it, Mustard Seed Tree:
- Must provide the requester with a written estimate of the amount payable before providing the service
- May require that the requester pay a deposit for all or part of the fee, if any, to be charged
- Each request shall be considered on its own merits, taking into account Mustard Seed Tree’s POPIA Decision-making Guidelines.
- In case of Mustard Seed Tree denying/refusing the request/objection, the written notification will include the reasons for the refusal.
- The response shall always be in writing and (as far as reasonably practicable) in the manner/format as indicated by the requester in the applicable Form.
- Mustard Seed Tree’s response to a request/objection shall always contain a statement:
- Advising the requester that in case of the requester disagreeing with Mustard Seed Tree’s response, that the requester may approach the Information Regulator as per Section 74 (1) or (2) of the POPI Act.
- Advising the requester of his/her right to request the correction of the information.
- In the case where Mustard Seed Tree may or must refuse a part of the request as per the grounds set out in the Guidelines, every other part shall still be disclosed.
- Appeal Procedure:
- There is no internal appeal procedure within Mustard Seed Tree against a decision of the Information Officer.
- The POPIA provides for the lodgement of a complaint with the Information Regulator by a Requester against:
- The fee charged, or the form of access granted;
- Refusal to grant a request; and/or
- Decision to extend the 30 days’ period for granting the requested access.
7. REQUEST FOR ACCESS TO PERSONAL INFORMATION/RECORD
- Request for Access to Personal Information/Record
- A requester has the right to ask Mustard Seed Tree whether or not Mustard Seed Tree processes any PI concerning him/her/it (i.e. the Data Subject self) or another data subject, provided that the requester has the legal authority to make such a request.
- Form 1 (Request for Access to PI) must be completed by the Requester to make the above Request.
- The processing of this type of request is FREE OF CHARGE.
8. REQUEST FOR ACCESS TO ADDITIONAL INFORMATION
- Where the response to the request in clause 7 has been in the affirmative, a requester may request additional information relating to the PI that Mustard Seed Tree is processing.
- The additional information may relate to the following:
- The record or description of the PI;
- The purposes of the processing of the PI;
- The categories in which such PI falls;
- The recipient or categories of recipients of the PI;
- Whether any cross-border transfer of PI has or will occur and what safeguards to protect the PI are in force;
- How long the PI is stored (or what criteria or legal platform is used to determine the time-period that the data will be stored for);
- If the PI was not directly collected from the data subject, the disclosure of the identity of the source of the PI, i.e. PI collected from a third-party source;
- Whether the PI is and/or will be subjected to any automated processing and/or profiling and any potential consequences involved.
- Form 1 (Request for Access to Personal Information) must be completed by the Requester to make this request. (This form is used for both a request for confirmation and a request for additional information.)
- A REASONABLE FEE in respect of the provisioning of the above information (or where a fee has been prescribed by regulation, the prescribed fee) may be levied by Mustard Seed Tree:
- Mustard Seed Tree will provide the requester with a written estimate of the fee before providing the above information;
- Mustard Seed Tree may require the requester to pay a deposit for all or part of the fee before processing the request.
9. REQUEST TO CORRECT OR DELETE PERSONAL INFORMATION/RECORD
- A requester may submit a request to correct and/or delete Personal Information/record that Mustard Seed Tree has under its control.
- The grounds on which such a request may be made are that the Personal Information is:
- Inaccurate;
- Irrelevant;
- Excessive;
- Out of date;
- Misleading;
- Obtained unlawfully; or
- In case of a request for the destruction or deletion of Personal Information, that Mustard Seed Tree is no longer authorised to retain the personal information/record, i.e. the retention of the personal information is no longer necessary to achieve the purpose for which the Personal Information was originally collected.
- Form 2 (Request for Correction or Deletion of Personal Information) must be fully completed by the Requester to make the above Request.
- The Requester must provide Mustard Seed Tree with the necessary information to process such a request, i.e.:
- In case of a request to correct personal information, accurate information regarding the personal information to be corrected; or
- In case of a request to delete personal information, a full explanation of the grounds on which the request to delete is based.
- Mustard Seed Tree must, as far as reasonably practicable, ensure that the information provided by the requester is correct, before changing and/or deleting the Personal Information/record.
- After consideration of the request AND in the case where Mustard Seed Tree agrees to the correction or deletion, Mustard Seed Tree shall:
- Correct the information;
- Destroy or delete the information; and/or
- Provide the requester with credible evidence in support of the actions taken by Mustard Seed Tree in writing.
- In the case where Mustard Seed Tree DOES NOT AGREE with the request to correct or delete the information AND Mustard Seed Tree has endeavoured, BUT failed, to reach agreement with the Requester, AND the requester so requests, Mustard Seed Tree shall take such reasonably practicable steps to attach to the Personal Information a note (which must at all times be able to be read with the Personal Information) that a request for correction and/or deletion has been made, but not granted.
- In a case where Personal Information has been changed and the change impacts on decisions that have been or will be taken regarding the data subject, Mustard Seed Tree must (if reasonably practicable) inform each person or body (company) to whom the information has been disclosed of the steps that Mustard Seed Tree has taken.
10. REQUEST TO RESTRICT PROCESSING OF PERSONAL INFORMATION/RECORD
- A requester may request a restriction/limitation of the processing of Personal Information in one of the following circumstances¹:
- The data subject contests the accuracy of the processed personal information/record –
- Mustard Seed Tree must restrict processing until the accuracy of information has been verified.
- The data subject is of the view that the processing is unlawful;
- The data subject is of the view that Mustard Seed Tree does not need the information for the original purpose for which it was processed or further processed, BUT the information must be retained/maintained for purposes of proof;
- The processing is unlawful BUT the data subject opposes the destruction or deletion of information/record and requests the restriction of its use instead;
- The data subject requests to transmit the personal information into another automated processing system; or
- Processing must be restricted pending a decision regarding an objection to processing.
* ¹ Section 14(6)
- Form 3 (Request for restriction of processing of personal information) must be completed by the Requester to make the above request.
- Where a processing restriction is in place, the Personal Information may be stored but not processed without the data subject’s consent, except:
- Where processing may continue for legal reasons, in which case the data subject must be informed.
- Third parties who process Personal Information on behalf of Mustard Seed Tree must also be informed of any restrictions.
11. OBJECTION TO PROCESSING OF PERSONAL INFORMATION/RECORD
- A data subject has the right to object to the processing of personal information/record, on reasonable grounds relating to his/her particular situation, on the grounds set out in 11.2 below, unless legislation provides for such processing².
- The grounds for objection to processing are:
- The data subject disputes the basis of Mustard Seed Tree’s authority to process the Personal Information, i.e. Mustard Seed Tree’s basis for processing is:
- The protection of the legitimate interests of the data subject; or
- It is necessary for the proper performance of a public law duty by a public body; or
- It is necessary for pursuing the legitimate interests of Mustard Seed Tree or of a third party to whom the information is supplied.
- The data subject may also object to the processing of his/her personal information for the purpose of direct marketing other than direct marketing by means of unsolicited electronic communications.
* ² Section 11(1)(d)-(f) and 11(3)(a) and (b)
- Form 4 (Objection to the processing of personal information) must be completed by the requester to make the above Request.
- During the time that Mustard Seed Tree is considering the objection, the processing of the personal information in question must be restricted or Mustard Seed Tree must be able to justify the reasons for the continued processing.
- During a restriction on processing of personal information, information may be stored but not processed without the data subject’s consent, except where processing may continue for legal reasons, in which case the data subject must be informed.
- Third parties who process data on behalf of Mustard Seed Tree must also be informed in writing of any restrictions pertinent to the processing of the specific Personal Information, or where an objection to the processing of Personal Information has been successful, such third parties must be notified in writing of the termination of processing of the personal information.
12. OWNERSHIP AND REVISION
- Mustard Seed Tree’s Information Officer owns this procedure and shall revise this procedure as and when necessary.
13. ANNEXURE A – REQUEST PROCEDURE FLOWCHART
Notes on flowchart above
Note 1 Request received from Requester.
- A request may be received via email, from our website, or by telephonic enquiry.
- Forms for the different types of requests/objections are available for this purpose to assist the requester.
- The request should be directed to the Information Officer.
- In the instance where a request/objection is received by any department of Mustard Seed Tree such request should immediately be directed to the Information Officer or appointed representative.
Note 2 Enter the request into the Request/Objection Register (log).
- All requests received to be logged in the Request/Objection Register with the date of the request.
- Entries to be made by Request Administrator under supervision of the Information Officer.
Note 3 Confirm identity and authority of requester/data subject.
- If the requester’s identity and/or authority cannot be confirmed the request is rejected.
- Only official forms or methods of identification are accepted.
- If the request is denied/rejected, due to failure to confirm identity and/or authority, the rejection and the reason must be communicated to the requester/data subject.
- The Request Administrator is responsible for identity and authority confirmation.
Note 4 Ascertain the lawfulness/validity of the request.
- If the request is considered/adjudged to be unlawful, or without any basis in fact, it is to be rejected and the grounds for rejection are to be communicated to the requester.
- The rights of the requester must also be communicated in writing, including their right to lay a complaint with the Regulator.
- If the request is considered/adjudged to be lawful and reasonable, it must be decided whether a charge will be levied or not.
- These charges and the time periods required to complete the request must be communicated to the requester.
- The Information Officer (and the Request Administrator) must be part of the decision and further communication.
Note 5 Levying a charge for the request.
- Section 54 of the POPI Act entitles Mustard Seed Tree (a private body) to levy a prescribed request fee on a Requester before further processing the request.
- The fees that may be charged have been published by the Minister of Justice and Constitutional Development and are available on request.
- According to POPI a Responsible Party is entitled to levy a prescribed fee for the provision of Personal Information about the Data Subject in its possession at R3.50 per page.
Note 6 Preparing the requested information.
- 30 (thirty) days is allowed to comply with the request.
- If more time is required by Mustard Seed Tree because of planning and other time constraints, this fact and the reasons for the delay and extension must be communicated to the requester.
- This communication must take place within the first thirty (30) days of the request being received.
- No more than a further 2 (two) months is permissible.
- The Information Officer (and the Request Administrator) must communicate with the data owner and together must be part of the decision and further communication.
Note 7 Provide the requested information or take action.
- The requested information is provided to the requester in the format requested.
- Actions such as corrections or deletions are taken, if necessary.
- Limitations on or objections to processing are implemented.
- Any one of the above is refused/denied.
- The above to be communicated to the Requester by the Request Administrator or Information Officer.
Note 8 Close out the request.
- Update the request register/log with relevant actions taken and date of compliance with the request.
- Request Administrator signs off on the completion of the request and updating of the register/log.