- A data subject, having provided adequate proof of identity, has the right to—
- request a responsible party to confirm, free of charge, whether or not the responsible party holds personal information about the data subject; and
- request from a responsible party the record or a description of the personal information about the data subject held by the responsible party, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information—
- within a reasonable time;
- at a prescribed fee, if any;
- in a reasonable manner and format; and
- in a form that is generally understandable.
- If, in response to a request in terms of subsection (1), personal information is communicated to a data subject, the data subject must be advised of the right in terms of section 24 to request the correction of information.
- If a data subject is required by a responsible party to pay a fee for services provided to the data subject in terms of subsection (1)(b) to enable the responsible party to respond to a request, the responsible party—
- must give the applicant a written estimate of the fee before providing the services; and
- may require the applicant to pay a deposit for all or part of the fee.
- A responsible party may or must refuse, as the case may be, to disclose any information requested in terms of subsection (1) to which the grounds for refusal of access to records set out in the applicable sections of Chapter 4 of Part 2 and Chapter 4 of Part 3 of the Promotion of Access to Information Act apply.
- The provisions of sections 30 and 61 of the Promotion of Access to Information Act are applicable in respect of access to health or other records.
- If a request for access to personal information is made to a responsible party and part of that information may or must be refused in terms of subsection (4)(a), every other part must be disclosed.
Section 24
Correction of personal information
- A data subject may, in the prescribed manner, request a responsible party to—
- correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or
- destroy or delete a record of personal information about the data subject that the responsible party is no longer authorised to retain in terms of section 14.
- On receipt of a request in terms of subsection (1) a responsible party must, as soon as reasonably practicable—
- correct the information;
- destroy or delete the information;
- provide the data subject, to his or her satisfaction, with credible evidence in support of the information; or
- where agreement cannot be reached between the responsible party and the data subject, and if the data subject so requests, take such steps as are reasonable in the circumstances, to attach to the information in such a manner that it will always be read with the information, an indication that a correction of the information has been requested but has not been made.
- If the responsible party has taken steps under subsection (2) that result in a change to the information and the changed information has an impact on decisions that have been or will be taken in respect of the data subject in question, the responsible party must, if reasonably practicable, inform each person or body or responsible party to whom the personal information has been disclosed of those steps.
- The responsible party must notify a data subject, who has made a request in terms of subsection (1), of the action taken as a result of the request.
Section 25
Manner of access
The provisions of sections 18 and 53 of the Promotion of Access to Information Act apply to requests made in terms of section 23 of this Act.