This principle illustrates the link between the right to privacy and the right of access to information. Both these rights are granted equal protection in the Constitution and attempts have been made to give effect to these rights in terms of separate pieces of legislation. The Promotion of Access to Information Act 2 of 2000 (PAIA) gives effect to the right of access to information and the Bill attempts to do the same for the right to privacy.
The right of access to information is sometimes misleadingly described as being in opposition to the right to privacy. However, the requirements of Principle 8 as contained in clauses 22, 23 and 24 of the Bill show that in order for individuals to fully realise their right to privacy, they must be allowed to access any personal information that organisations hold about them.
Principle 8 also highlights the need for an integrated approach to compliance by making specific reference to other information protection legislation such as PAIA. The difference between the Bill and PAIA is that the Bill only deals with an individual’s right to access her/his own personal information whereas the provisions of PAIA are much broader. PAIA deals with the rights of individuals to access general information (including non-personal information) as well as the personal information of third parties.
Accessing personal information
In terms of clause 22, an individual may make two types of requests, namely:
- confirmation of whether an organisation holds any personal information about them; or
- a description of the personal information held about them, including details of any third parties that may have access to that information.
In the case of either request, the individual must provide “adequate proof of identity”. It will be up to the organisation to decide what would constitute “adequate proof”. However it is suggested that organisations adopt the same standard for adequacy that would be required to deal with access requests in terms of PAIA. It must be noted that if copies of identity documents are required and retained by the organisation, these would constitute personal information and would have to be adequately safeguarded in terms of the Bill.
If an individual merely requests confirmation of whether the organisation holds any personal information about them, this must be provided free of charge. If, on the other hand, the individual requires a description of the information (including details of third parties), the organisation may charge a fee that is not “excessive”. It is likely that in future, as was the case with PAIA, a framework of fees that are not considered excessive will be prescribed through Regulations. In the meantime, the fees that have been prescribed in the Regulations to PAIA should be used as a guide.
The organisation must respond to the request for information:
- within a reasonable period of time;
- in a reasonable manner and format; and
- in a way that is easily understandable.
Clause 24 stipulates that the manner for accessing personal information must be aligned with the requirements contained in sections 18 and 53 of PAIA. Thus a good starting point for organisations to ensure compliance with Principle 8 would be to undertake an immediate review of their PAIA compliance arrangements, in particular the adequacy of their access to information manuals. In terms of PAIA all organisations are required to compile and publish such a manual which contains details on how individuals may go about requesting information from the organisation.
In terms of clause 22, an organisation may refuse access to certain portions of records based on the grounds for refusal of access as contained in Chapter 4 of PAIA. Some examples of these grounds for refusal include:
- Mandatory protection of the privacy of third parties
- Mandatory protection of certain SARS information
- Mandatory protection of commercial information of third parties
- Mandatory protection of certain confidential information
- Mandatory protection of police dockets in bail proceedings and protection of law enforcement
- Mandatory protection of records privileged from production in legal proceedings
- Mandatory protection of information for national interests
The organisation must disclose any portion of the information that is not covered by any of the grounds for refusal contained in PAIA, as per the request of the individual.
Correcting personal information
When responding to a request for personal information, the organisation must inform the individual of the additional right to request the following:
- correction or deletion of information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; and
- destruction or deletion of a record containing personal information that the organisation is no longer authorised to keep or that is no longer necessary for the purpose for which the information was obtained.
In terms of clause 23 the organisation must provide credible proof to the individual of the action that has been taken in response to the request. If any changes to the personal information will have an impact on any decisions to be made about the individual, the organisation must inform all third parties to whom the information has been disclosed of such changes. It is therefore going to be critical for organisations to implement proper information management and (perhaps) central tracking systems to ensure that changes to information are properly communicated to all relevant stakeholders as per the requirements of Principle 8.
The entitlement of individuals to request the correction and deletion of their personal information as described above must be read in conjunction with the previous discussion under Principle 5 which set out the responsibility of organisations to ensure and maintain the quality of the personal information that they process. That discussion also provided some practical recommendations on how organisations could enable individuals to access and/or update their personal information. It is also clear that in order to attain future compliance with the access requirements of Principle 8, organisations will have to review and align their compliance requirements in terms of current information protection legislation such as PAIA. Accordingly, in order to effectively comply with the Bill, organisations will be wise to consider all of the principles that have been discussed in their totality as well as to factor in their current obligations in terms of existing legislation.
Applying Principle 8 to your organisation
Below are a few questions that can assist in determining how ready your organisation is to begin dealing with the implications of Principle 8:
- Does your organisation have systems in place through which individuals can access and amend their personal information? Eg. Electronic log-in system, change of particulars forms?
- Does your organisation have an access to information manual/policy in terms of the Promotion of Access to Information Act?
- Does your organisation have an Information Officer/s to deal with requests relating to personal information?
- Does your organisation notify individuals (employees and customers) about the manner in which they may access and/or update their personal information?
- What is the form and manner in which individuals may request access to information?
- Does your organisation charge any fees for accessing personal information?
- If yes, are these fees in line with those set in terms of the Promotion of Access to Information Act?
- How does your organisation verify the identity of individuals who request access to personal information?
- Does your organisation have a system to track requests for access to personal information?
- Does your organisation have a verification procedure to ensure accuracy and completeness of personal information?
- How often does your organisation communicate with its employees and customers about updating their personal information?
- Does your organisation conduct periodic reviews on the accuracy and validity of personal information held by it?
- Does your organisation have a formal system in place for dealing with requests for correction of personal information?
- Does your organisation have a system to notify third parties of updates, corrections or deletion of personal information?