ACCESS TO PERSONAL INFORMATION
INFORMATION HELD OR NOT
Any person has the right to ask whether you hold any personal information about them, and where you receive a request like this, you must be able to provide the person with this information. You are not allowed to charge to confirm whether you hold personal information about a data subject or not.
As personal information must be secured and generally be kept confidential, it is important to ensure, where a request for this type of information is made, that the person who is submitting the request has the right to access the information. It is therefore essential that you are sure of the identity of the person before you release any details.
The person’s identity must be verified to confirm that they are who they say they are, and in addition to this, you will have to be sure that the person who is asking about the information has the right to access it.
In general:
- Every person has the right to access their own information
- Parents have the right to access the information of their minor children
- A person does not have an automatic right to access the information of their spouse
- Company information should be released to authorised persons only
- Close corporation information should be released to authorised persons only
- Trust information should be released to authorised persons only
There are exceptions, so it is very important to know what information may be disclosed, to whom, and when and how this may be done.
INFORMATION DETAILS & COPIES
Data subjects have the right to request a description of the personal information you hold about them as well as request copies of the actual records.
Data subjects also have the right to request the details of all third parties, or categories of third parties, who currently have, or have had, access to their personal information.
This means that you are going to have to keep a record of all the personal information you hold, records of which 3rd parties have access to what, and be able to produce copies of the information you hold.
This should be regularly brought up to date and be accessible to whoever will be dealing with data access requests.
PROVISION OF INFORMATION
In order to be able to comply with this provision, you require procedures to:
- Receive and deal with this type of request
- Be able to identify what personal information you hold
- Provide the correct information to the person requesting this information
- Assess when information should not be provided
- Access and make copies of records which have been requested and which are allowed
Your procedures must ensure that the information or records are provided to the data subject:
- within a reasonable time
- in a reasonable manner
- in a generally understandable form
REQUESTING ACCESS TO PERSONAL INFORMATION
Where requests are made to access personal information, the provisions of the Promotion of Access to Information Act (“PAIA”) apply. Section 18 of PAIA applies to information requests made to public bodies and section 53 applies to information requests made to private bodies.
These provisions describe the procedure to be followed when a data subject requests access to personal information. In terms of PAIA, you should have a procedure which a person can follow when any request for information is made, and this must be provided to the person. Your procedure should ensure the following:
Where someone requests access to their personal information, the request should be done using Annexure B Form C which is found in the PAIA regulations. The request must be sent to your address, fax number or electronic mail address.
The form of the request must require the person concerned to provide enough information to enable you to identify who the person is, as well as the record or records requested. If the request is made on behalf of someone else, proof of the authority to do this should be provided. It should be clear which form of access is required.
The person requesting the information must specify a postal address or fax number and clearly identify the right the person is seeking to exercise or protect. He or she should provide an explanation of why the requested record is required for the exercise or protection of that right.
The person asking for the information can also let you know if there is a particular way that they want to be notified, e.g. by email.
DECISION ON REQUEST AND NOTICE
You need to decide whether to grant the request or not, and notify the person of your decision, within 30 days of receiving the request.
You can extend this initial period of 30 days by an additional 30 days, if the person requesting the information agrees to this, or if their request is for a large number of records, or a search for the records will unreasonably interfere with your business activities. An extension on the period to 60 days is also permitted when:
- You need to search for records or collect them from an office which is in a different town or city to your head office, and because of this, you are unable to comply within 30
- You need to consult within divisions within your organisation or with another private body in order to decide whether to provide the records or
Where you decide to extend the period to revert to the requester from 30 days to 60 days, you must notify the person of this, provide details of the extension as well as the reasons for it. The notification must be done as soon as possible, but no later than 30 days from receiving the first request.
If you decide to release the information to the person requesting it, when you confirm that you will provide the records, you also need to notify the person what the fee will be and what form of access will be provided.
You furthermore have to advise the person that he or she may lodge a court application if they are not happy with paying the fee, or if they are not satisfied with the form in which you will provide the information, or if they are dissatisfied with an extension in getting back to them. This notification must include the procedure to lodge the application as well as the period within which the application is allowed. This information can be found in the PAIA rules.
If you don’t get back to the person when you are supposed to, this is deemed to be a refusal to the request.
ACCESS TO HEALTH RECORDS
*Where you are not a health or medical organisation, it would be wise to consider the implications of COVID or other test results which may be applicable in this context.
Where access is requested by someone (or on their behalf) to their physical or mental health medical records, and you are concerned that disclosure may cause serious harm to their physical or mental health or well-being, you may consult with their nominated health practitioner before providing access to the records.
If the data subject is under 16 years of age, whoever has their parental responsibilities must nominate the health practitioner.
If the data subject is incapable of managing his or her affairs, a person appointed by the court to manage those affairs must nominate the health practitioner.
Where the nominated health practitioner is of the opinion that the disclosure of the record to the relevant person would be likely to cause serious harm to his or her physical or mental health, or well-being, you may only give access to the record if you are satisfied that adequate provision is made for counselling or arrangements which are reasonably practicable before, during or after the disclosure of the record to limit, alleviate or avoid such harm to the relevant person.
Before access to the record is so given to the requester, the person responsible for the counselling or arrangements must be given access to the record.
RECORDS THAT CAN’T BE FOUND OR DON’T EXIST
If all reasonable steps have been taken to find a record that has been requested, but you either can’t find it or you don’t have it, you will have to notify the requester that you can’t give them access to the record by way of affidavit or affirmation.
The affidavit or affirmation must give full details of all steps taken to find the record in question or determine whether it exists, and must include all communications with every person who conducted the search on your behalf.
This notification will then be treated as a refusal to give access to the record.
If you subsequently find the record, you will have to decide whether to provide access or not and either produce the record or give the person the reasons for denying access.
REFUSING ACCESS TO RECORDS
There are instances where you may legally refuse to disclose information to a person who requests this. There are also situations where you have to refuse access to certain records.
These are set out in PAIA, Part 3 Chapter 4. As there are some exceptions, it is important that the Information Officer gains a good working knowledge of PAIA to ensure compliance.
The responsibility for refusing access to records lies with the head of your organisation.
Where, in terms of PAIA, you are entitled to refuse access to certain sections of records, or parts of records or information you hold, you will still have to disclose the balance.
MANDATORY PROTECTION OF PRIVACY OF THIRD PARTY WHO IS NATURAL PERSON
You must refuse any unreasonable disclosure of personal information about a third party, including information about a deceased individual.
You must, however, provide access to these records if this is required to reveal evidence of a substantial contravention of, or failure to comply with, the law; or imminent and serious public safety or environmental risk; and the public interest in the disclosure of the record clearly outweighs the harm contemplated in the provision in question.
You are not allowed to refuse access to information or records you hold about a 3rd party in the following instances:
- Where the 3rd party has consented in writing
- Where the information or record is already publicly available
- Where the information was provided to you by the individual to whom it relates, and the individual was informed by you, before the person provided it to you, that the information belongs to a class of information that would or might be made available to the public
You must provide records or information about an individual’s physical or mental health or well-being, where the person whose information is being requested is under the care of the requester and is:
- under the age of 18 years or
- incapable of understanding the nature of the request and if giving access would be in the individual’s best
Where a request is made about an individual who is deceased and the requester is:
- the individual’s next of kin; or
- making the request with the written consent of the individual’s next of kin then you must provide this
You must provide information which relates to the position or functions of an individual who is or was an employee of your organisation to anyone who requests this. The information includes:
- the fact that the person is or was an employee
- their title, work address, work phone number and other similar particulars
- the classification, salary scale or remuneration and responsibilities of the position held or services performed
- the person’s name, on a record prepared by them, in the course of employment
MANDATORY PROTECTION OF COMMERCIAL INFORMATION OF THIRD PARTY
The head of your organisation must refuse access to any records that contain the following information of a 3rd party, unless you have consent from the 3rd party, in writing, to release the information:
- trade secrets
- financial, commercial, scientific or technical information, other than trade secrets, where this disclosure would be likely to cause harm to the commercial or financial interests of the 3rd party
- information supplied in confidence by the 3rd party, where the disclosure of this could reasonably be expected to put the third party at a disadvantage in contractual or other negotiations or prejudice them in commercial competition
You must, however, provide access to these records if this is required to reveal evidence of a substantial contravention of, or failure to comply with, the law; or imminent and serious public safety or environmental risk; and the public interest in the disclosure of the record clearly outweighs the harm contemplated in the provision in question.
You may not refuse to disclose the results of any product or environmental testing or other investigation supplied by a third party, or the results of any testing or investigation carried out by or on behalf of a third party where this disclosure would reveal a serious public safety or environmental risk. This does not include preliminary testing or other investigation conducted for the purpose of developing methods of testing or other investigation.
MANDATORY PROTECTION OF CERTAIN CONFIDENTIAL INFORMATION OF THIRD PARTY
The head of your organisation must refuse a request for access to a record where the disclosure would constitute an action for breach of confidence in respect of a contract.
You must, however, provide access to these records if this is required to reveal evidence of a substantial contravention of, or failure to comply with, the law; or imminent and serious public safety or environmental risk; and the public interest in the disclosure of the record clearly outweighs the harm contemplated in the provision in question.
MANDATORY PROTECTION OF SAFETY OF INDIVIDUALS, AND PROTECTION OF PROPERTY
You must refuse access to a record where disclosure could reasonably be expected to endanger the life or physical safety of an individual.
You are allowed to refuse to disclose records where disclosure would be likely to prejudice or impair the security of:
- a building, structure or system, including, but not limited to, a computer or communication system
- a means of transport
- any other property
You are allowed to refuse access to records where the disclosure would be likely to prejudice or impair the security of methods, systems, plans or procedures for the protection of:
- individuals in witness protection schemes
- the safety of the public or the security of property
You must, however, provide access to these records if this is required to reveal evidence of a substantial contravention of, or failure to comply with, the law; or imminent and serious public safety or environmental risk; and the public interest in the disclosure of the record clearly outweighs the harm contemplated in the provision in question.
MANDATORY PROTECTION OF RECORDS PRIVILEGED FROM PRODUCTION IN LEGAL PROCEEDINGS
You must refuse a request for access to a record if the record is legally privileged unless the person has waived their entitlement to privilege.
You must, however, provide access to these records if this is required to reveal evidence of a substantial contravention of, or failure to comply with, the law; or imminent and serious public safety or environmental risk; and the public interest in the disclosure of the record clearly outweighs the harm contemplated in the provision in question.
YOUR COMMERCIAL INFORMATION
You are permitted to refuse access to any of your business records that contain:
- your trade secrets
- financial, commercial, scientific or technical information, other than trade secrets, where this disclosure would be likely to cause harm to your commercial or financial interests
- information, where the disclosure of this could reasonably be expected to put you at a disadvantage in contractual or other negotiations or prejudice you in commercial competition
You may also refuse access to any computer program you own, except where this is required to provide access to information or a record it contains.
You must, however, provide access to these records if this is required to reveal evidence of a substantial contravention of, or failure to comply with, the law; or imminent and serious public safety or environmental risk; and the public interest in the disclosure of the record clearly outweighs the harm contemplated in the provision in question.
You may not refuse to disclose the results of any product or environmental testing or other investigation, or the results of any testing or investigation where this disclosure would reveal a serious public safety or environmental risk.
This does not include preliminary testing or other investigation conducted for the purpose of developing methods of testing or other investigation.
MANDATORY PROTECTION OF RESEARCH INFORMATION
You must refuse access to records of research which is being carried out, or which is going to be carried out, by or on behalf of a third party, where disclosure would be likely to expose:
- the third party;
- a person that is or will be carrying out the research on behalf of the third party
- the subject matter of the research to serious
Where you are carrying out research, or are going to carry out research, you may refuse access to records which would expose you, any person doing the research, or the subject of the research, to serious disadvantage.
You must, however, provide access to these records if this is required to reveal evidence of a substantial contravention of, or failure to comply with, the law; or imminent and serious public safety or environmental risk; and the public interest in the disclosure of the record clearly outweighs the harm contemplated in the provision in question.
3RD PARTY NOTIFICATION & PROCEDURE
Where you have been requested to provide access to a record that contains the details of a 3rd party, you need to notify the 3rd party of this by the fastest means reasonably possible, but no later than 21 days after receiving the request. You can notify the 3rd party orally, but you will have to follow this up in writing.
Your notification to the 3rd party must:
- state that you are considering a request for access to a record that might be a record referred to in PAIA in the following sections, and describe the provisions:
  - 63(1) [3rd party who is a natural person]
  - 64(1) [releasing commercial information]
  - 65 [certain confidential information] or
  - 69(1) [research information]
- Disclose who is asking for these records
- Note whether you think you will have to make the disclosure in terms of Section 70 of PAIA [mandatory disclosure in the public interest] and the reasons why you think this will apply
- State that the third party may make written or oral representations to the head of your organisation as to why the request for access should be refused, or give written consent to disclose the information, within 21 days after they receive your notification.
Once the 3rd party receives your notification, they have 21 days to provide you with written representation why they believe you should not be releasing the information, or give you written consent to release the information. You should not release the information to the person requesting it until you know what the response is and have considered this.
Where a 3rd party becomes aware of a request other than by way of your notifying them, they also have the 21 day period within which to respond to you.
You have 30 days after notifying every affected 3rd party of the request for information which contains their details, to decide whether you will grant the requester access to the information or not. Where you have not been able to notify an affected third party, your decision must take this into consideration.
You must notify the person who is requesting the information, as well as the 3rd party, what your decision is and the reasons for this. The 3rd party must also be notified of their right to contest your decision in court or complain to the Information Regulator within 30 days of being given notice of your decision.
The person requesting access must be informed that they will be provided access to the records after the 30 day period given to the 3rd party to contest your decision, unless there is a complaint or court action initiated to prevent you granting the access.
Where the 3rd party does not object and contest the access to the records in court or complain to the Information Regulator, you must provide the records to the person after the expiry of the 30 day period.
RIGHT TO HAVE INFORMATION CORRECTED
Where you provide access to any personal information to a person who requests it, you must advise the person of their right to have the information corrected if it is wrong.
FEES FOR PROVIDING COPIES OR DETAILS OF INFORMATION
You may charge a fee for providing the details of the personal information you hold about a data subject, or copies of records requested. This fee must be disclosed to the person requesting access to the records at the time they make the request. You are also permitted to request a deposit in certain instances.
The fee you are allowed to charge, as well as the permitted deposit, is regulated in terms of PAIA, so it is important that you know what you may charge, and do not exceed this.
It is recommended that this be included in your PAIA framework.