Under PoPI you have the right to ask any company or entity whether it holds personal information about you, and it must confirm or deny this free of charge. Customers can also ask a company to provide the record itself, or a description of the personal information it holds, including the identity of any third parties (such as suppliers or service providers) who have, or have had, access to that information. The company must provide this to the customer:
- within a reasonable time;
- at a prescribed fee (if any) for the record itself, the initial confirmation of whether information is held remaining free of charge;
- in a reasonable manner and format; and
- in a form that is generally understandable.
Companies would do well to prepare in advance for this type of request by putting a formal process in place for customers to submit it, and by limiting the work involved in preparing the response. Depending on the media and location of the information, collating it from multiple sources and rendering it in an understandable format can be very time consuming.

This again raises the importance of companies making an informed decision on the type and extent of personal information they collect from customers, and of having a system in place to orchestrate the distribution of that information to other parties while maintaining its quality. Each company should therefore keep an information register that acts as an information or data map – a single point of reference for everything related to personal information, including the access permissions that apply to it. This data map must be kept up to date at all times, with company rules and policies aligned to it, so that controls and access to the information can be enforced and the data is not compromised. Ideally these rules form part of your BNS configuration, so that they are not held in a separate, static document but are an actual part of daily operations. The data map, along with the concept of a “single client view”, is discussed further in the BNS Architecture and Implementation Guide.
Irrespective of PoPI’s requirements, care must also be taken to educate staff and/or implement processes so that employees do not record subjective information, or information that could be considered discriminatory or inflammatory if shared with the customer. Always consider the implications of such records becoming available to, and scrutinised by, another party, including the customer.
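As an added example (not from the original page and not BNS code) of the data map described two paragraphs above, and of why the free-text records warned about in the last paragraph matter: a small Python register that drives a subject access report, lists the third parties with access, and checks itself for fields a system holds that the map does not list. System names, field names, third-party names and the sample customer records are all constructed for illustration.

```python
"""Added example, not from the page or from BNS: a personal-information
register used as a data map, plus the two operations a PoPI access
request needs from it:
  1. a subject access report: what is held, where, for what purpose,
     and which third parties have (or had) access, in plain language;
  2. a staleness check: fields a system stores that the register does
     not list, which a register-driven report would silently omit.
All systems, fields, third parties and records below are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RegisterEntry:
    """One row of the data map."""
    system: str            # hypothetical system holding the field
    field_name: str        # the personal-information field
    purpose: str           # why it is collected
    third_parties: tuple   # external parties with access to it


# The data map: single point of reference for all personal information.
REGISTER = (
    RegisterEntry("crm", "full_name", "account management", ()),
    RegisterEntry("crm", "email", "account management", ("MailVendor",)),
    RegisterEntry("billing", "id_number", "invoicing", ("PaymentProcessor",)),
    RegisterEntry("billing", "postal_address", "invoicing", ("CourierCo",)),
)

# Constructed stand-ins for the source systems, keyed by customer id.
# The crm "agent_notes" field is deliberately absent from REGISTER: it is
# the kind of unmapped, subjective free text the page warns about.
SYSTEMS = {
    "crm": {
        "C-1001": {"full_name": "A. Customer", "email": "a@example.org",
                   "agent_notes": "difficult on the phone"},
    },
    "billing": {
        "C-1001": {"id_number": "8001015009087", "postal_address": "1 Main Rd"},
    },
}


def subject_access_report(customer_id, register=REGISTER, systems=SYSTEMS):
    """Collate what is held about one customer, driven by the register
    rather than by ad-hoc searching of each system."""
    held = []
    for entry in register:
        record = systems.get(entry.system, {}).get(customer_id, {})
        if entry.field_name in record:
            held.append({"system": entry.system, "field": entry.field_name,
                         "purpose": entry.purpose,
                         "third_parties": list(entry.third_parties)})
    third_parties = sorted({tp for h in held for tp in h["third_parties"]})
    return {"customer_id": customer_id, "holds_information": bool(held),
            "items": held, "third_parties": third_parties}


def render_report(report):
    """Plain-language rendering, per the 'generally understandable' requirement."""
    if not report["holds_information"]:
        return f"We hold no personal information about {report['customer_id']}."
    lines = [f"Personal information held about {report['customer_id']}:"]
    for item in report["items"]:
        shared = ", ".join(item["third_parties"]) or "no third parties"
        lines.append(f"- {item['field']} (in {item['system']}, used for "
                     f"{item['purpose']}; shared with {shared})")
    lines.append("Third parties with access: "
                 + (", ".join(report["third_parties"]) or "none"))
    return "\n".join(lines)


def unregistered_fields(register=REGISTER, systems=SYSTEMS):
    """Is the data map up to date? Return (system, field) pairs that are
    stored somewhere but missing from the register."""
    mapped = {(e.system, e.field_name) for e in register}
    found = set()
    for system, records in systems.items():
        for record in records.values():
            for field_name in record:
                if (system, field_name) not in mapped:
                    found.add((system, field_name))
    return sorted(found)


if __name__ == "__main__":
    print(render_report(subject_access_report("C-1001")))
    print("Unregistered fields:", unregistered_fields())
```

Running the block shows the report omitting the unmapped agent_notes field while the staleness check flags it, which is the point: a register that is not kept current produces an incomplete answer to the customer, and the record it hides is exactly the one you least want to discover only when the customer does.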