Access to your own Personal Information: “Be careful what you record as you might just have to share it”

/0 Comments/in /by

Under PoPI you have the right to ask any company or entity if they hold any personal information about you and they must then in turn confirm or deny this, free of charge. Customers can request companies to provide them with the record, or a description of the personal information, held by them including information about the identity of any third parties (like their suppliers or service providers) who may have access or had access to their personal information. The company must provide this information to the customer:

  • within a reasonable time;
  • at a prescribed fee (if any);
  • in a reasonable manner and format; and
  • in a form that is generally understandable.

It would be best that companies prepare themselves in advance for this type of request by ensuring they have a formal process in place for customers to request information and to limit the amount of work involved in preparing this information. Depending on the media and location of this information, collating it from multiple sources and reducing it into an understandable format could be very time consuming. It again raises the importance of companies making an informed decision on the type and extent of personal information they collect from customers as well as ensuring they have a system in place to orchestrate the distribution of this information to other parties whilst ensuring its quality. As such it is important that each company has a kind of information register that can act as an information or data map – i.e. a single point of reference to all things related to personal information, including access permissions that may apply to this information. This data map should at all times be up to date and the company rules and policies aligned with it to ensure controls and access to information can be enforced and data not compromised. The ideal situation would be to make these rules a part of your BNS configuration so that they are not contained in a separate, static document but rather form an actual part of the daily operations. The data map, along with the concept of implementing a “single client view” is discussed further under the BNS Architecture and Implementation Guide.

Irrespective of PoPI’s requirements, care must also be taken to educate staff and/or implement processes to ensure that employees do not record subjective information or information that could be considered as discriminatory or inflammatory if shared with the customer. Always consider the implication of such records becoming available to and scrutinized by another party, including customer.

You might also like
Disclosure/Notification: “Oops … sorry to HAVE to tell you … but we’ve lost your data … again …”
Ensuring the Quality of Information: “Be careful what you ask for as you just might get it”
Safeguarding Data: Public and Private Cloud
Complaints Process: “Guilty until proven innocent”
Implementing PoPI: How the PoPI Act affects you and your business
Safeguarding Data: People
What is POPI? The Protection of Personal Information (PoPI) Act explained
Collecting and Recording of Personal Information
0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply