Identify (ID)

Governance (ID.GV)

ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed

Risk Assessment (ID.RA-P)

ID.RA-P3: Potential problematic data actions and associated problems are identified

1. Account numbers

1.1 Does any part of your business deal with account numbers? *
1.2. Do they share account numbers with anyone outside your organisation?
1.2.1. Why do they share the account numbers?
1.2.2. Where are the people or systems receiving the account numbers located?

The definition of "Account Number" is unfortunately fairly vague. Over time the Regulator should clarify what is considered an account number.

105.(5) ‘‘Account number’’, for purposes of this section and section 106, means any
unique identifier that has been assigned—
(a) to one data subject only; or
(b) jointly to more than one data subject,
by a financial or other institution which enables the data subject, referred to in paragraph
(a), to access his, her or its own funds or to access credit facilities or which enables a
data subject, referred to in paragraph (b), to access joint funds or to access joint credit
facilities

Unlawful acts by responsible party in connection with account number

105. (1) A responsible party who contravenes the provisions of section 8 insofar as
those provisions relate to the processing of an account number of a data subject is,
subject to subsections (2) and (3), guilty of an offence.
(2) The contravention referred to in subsection (1) must—
(a) be of a serious or persistent nature; and
(b) likely cause substantial damage or distress to the data subject.
(3) The responsible party must—
(a) have known or ought to have known that—
(i) there was a risk that the contravention would occur; or
(ii) such contravention would likely cause substantial damage or distress to
the data subject; and
(b) have failed to take reasonable steps to prevent the contravention.
(4) Whenever a responsible party is charged with an offence under subsection (1), it
is a valid defence to such a charge to contend that he or she has taken all reasonable steps
to comply with the provisions of section 8.

Unlawful acts by third parties in connection with account number

106. (1) A person who knowingly or recklessly, without the consent of the responsible
party—
(a) obtains or discloses an account number of a data subject; or
(b) procures the disclosure of an account number of a data subject to another
person,
is, subject to subsection (2), guilty of an offence.
(2) Whenever a person is charged with an offence under subsection (1), it is a valid
defence to such a charge to contend that—
(a) the obtaining, disclosure or procuring of the account number was—
(i) necessary for the purpose of the prevention, detection, investigation or
proof of an offence; or
(ii) required or authorised in terms of the law or in terms of a court order;
(b) he or she acted in the reasonable belief that he or she was legally entitled to
obtain or disclose the account number or, as the case may be, to procure the
disclosure of the account number to the other person;
(c) he or she acted in the reasonable belief that he or she would have had the
consent of the responsible party if the responsible party had known of the
obtaining, disclosing or procuring and the circumstances of it; or
(d) in the particular circumstances the obtaining, disclosing or procuring was in
the public interest.
(3) A person who sells an account number which he or she has obtained in
contravention of subsection (1), is guilty of an offence.
(4) A person who offers to sell the account number of a data subject which that
person—
(a) has obtained; or
(b) subsequently obtained,
in contravention of subsection (1), is guilty of an offence.
(5) For the purposes of subsection (4), an advertisement indicating that an account
number of a data subject is or may be for sale is an offer to sell the information.

Exporting Personal Information of Children

Does any part of your organisation deal with Personal Information (PI) of children? *
A child is defined in POPIA as anyone under the age of 18 years.
Do they share the child PI with anyone outside your organisation?
Where are the people or systems receiving the child PI located?
Are they sharing the child PI under special authorisation granted by the Information Regulator?
Are they sharing the child PI under a Code of Conduct approved by the Information Regulator?

Transferring Personal Information to a "third party" may or may not include simply using a cloud system to process the information. Over time the Regulator should clarify what is considered a transfer to a third party.

According to the Children's Act, 2005 (Act 38 of 2005) a child is a person under the age of 18 years.

Processing subject to prior authorisation

57. (1) The responsible party must obtain prior authorisation from the Regulator, in
terms of section 58, prior to any processing if that responsible party plans to—
(a) process any unique identifiers of data subjects—
(i) for a purpose other than the one for which the identifier was specifically
intended at collection; and
(ii) with the aim of linking the information together with information
processed by other responsible parties;
(b) process information on criminal behaviour or on unlawful or objectionable
conduct on behalf of third parties;
(c) process information for the purposes of credit reporting; or
(d) transfer special personal information, as referred to in section 26, or the
personal information of children as referred to in section 34, to a third party in
a foreign country that does not provide an adequate level of protection for the
processing of personal information as referred to in section 72.
(2) The provisions of subsection (1) may be applied by the Regulator to other types of
information processing by law or regulation if such processing carries a particular risk
for the legitimate interests of the data subject.
(3) This section and section 58 are not applicable if a code of conduct has been issued
and has come into force in terms of Chapter 7 in a specific sector or sectors of society.
(4) A responsible party must obtain prior authorisation as referred to in subsection (1)
only once and not each time that personal information is received or processed, except
where the processing departs from that which has been authorised in accordance with
the provisions of subsection (1).

Responsible party to notify Regulator if processing is subject to prior authorisation

58. (1) Information processing as contemplated in section 57(1) must be notified as
such by the responsible party to the Regulator.
(2) Responsible parties may not carry out information processing that has been
notified to the Regulator in terms of subsection (1) until the Regulator has completed its
investigation or until they have received notice that a more detailed investigation will
not be conducted.
(3) In the case of the notification of information processing to which section 57(1) is
applicable, the Regulator must inform the responsible party in writing within four weeks
of the notification as to whether or not it will conduct a more detailed investigation.
(4) In the event that the Regulator decides to conduct a more detailed investigation, it
must indicate the period within which it plans to conduct this investigation, which
period must not exceed 13 weeks.
(5) On conclusion of the more detailed investigation referred to in subsection (4) the
Regulator must issue a statement concerning the lawfulness of the information
processing.
(6) A statement by the Regulator in terms of subsection (5), to the extent that the
information processing is not lawful, is deemed to be an enforcement notice served in
terms of section 95 of this Act.
(7) A responsible party that has suspended its processing as required by subsection
(2), and which has not received the Regulator’s decision within the time limits specified
in subsections (3) and (4), may presume a decision in its favour and continue with its
processing.

Failure to notify processing subject to prior authorisation

59. If section 58(1) or (2) is contravened, the responsible party is guilty of an offence
and liable to a penalty as set out in section 107.

Exporting Special Personal Information

Does any part of your organisation deal with information concerning religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information or criminal behaviour? *
Do they share the information with anyone outside your organisation?
Where are the people or systems they send the information to?

Transferring Special Personal Information to a "third party" may or may not include simply using a cloud system to process the information. Over time the Regulator should clarify what is considered a transfer to a third party.

[Special Personal Information is] personal information
concerning—
26.(a) the religious or philosophical beliefs, race or ethnic origin, trade union
membership, political persuasion, health or sex life or biometric information
of a data subject; or
(b) the criminal behaviour of a data subject to the extent that such information
relates to—
(i) the alleged commission by a data subject of any offence; or
(ii) any proceedings in respect of any offence allegedly committed by a data
subject or the disposal of such proceedings.

Processing subject to prior authorisation

57. (1) The responsible party must obtain prior authorisation from the Regulator, in
terms of section 58, prior to any processing if that responsible party plans to—
(a) process any unique identifiers of data subjects—
(i) for a purpose other than the one for which the identifier was specifically
intended at collection; and
(ii) with the aim of linking the information together with information
processed by other responsible parties;
(b) process information on criminal behaviour or on unlawful or objectionable
conduct on behalf of third parties;
(c) process information for the purposes of credit reporting; or
(d) transfer special personal information, as referred to in section 26, or the
personal information of children as referred to in section 34, to a third party in
a foreign country that does not provide an adequate level of protection for the
processing of personal information as referred to in section 72.
(2) The provisions of subsection (1) may be applied by the Regulator to other types of
information processing by law or regulation if such processing carries a particular risk
for the legitimate interests of the data subject.
(3) This section and section 58 are not applicable if a code of conduct has been issued
and has come into force in terms of Chapter 7 in a specific sector or sectors of society.
(4) A responsible party must obtain prior authorisation as referred to in subsection (1)
only once and not each time that personal information is received or processed, except
where the processing departs from that which has been authorised in accordance with
the provisions of subsection (1).

Responsible party to notify Regulator if processing is subject to prior authorisation

58. (1) Information processing as contemplated in section 57(1) must be notified as
such by the responsible party to the Regulator.
(2) Responsible parties may not carry out information processing that has been
notified to the Regulator in terms of subsection (1) until the Regulator has completed its
investigation or until they have received notice that a more detailed investigation will
not be conducted.
(3) In the case of the notification of information processing to which section 57(1) is
applicable, the Regulator must inform the responsible party in writing within four weeks
of the notification as to whether or not it will conduct a more detailed investigation.
(4) In the event that the Regulator decides to conduct a more detailed investigation, it
must indicate the period within which it plans to conduct this investigation, which
period must not exceed 13 weeks.
(5) On conclusion of the more detailed investigation referred to in subsection (4) the
Regulator must issue a statement concerning the lawfulness of the information
processing.
(6) A statement by the Regulator in terms of subsection (5), to the extent that the
information processing is not lawful, is deemed to be an enforcement notice served in
terms of section 95 of this Act.
(7) A responsible party that has suspended its processing as required by subsection
(2), and which has not received the Regulator’s decision within the time limits specified
in subsections (3) and (4), may presume a decision in its favour and continue with its
processing.

Failure to notify processing subject to prior authorisation

59. If section 58(1) or (2) is contravened, the responsible party is guilty of an offence
and liable to a penalty as set out in section 107.

Linking information using unique identifiers

Does any part of your organisation obtain information from a third party, and then link that information with information they already have, using a unique identifier of the data subject? *
Augmenting a sales prospect database with a purchased list of contacts is a common example. PowerBI could also be used in this way.
Was the unique identifier they use gathered for the specific purpose of the linking described above? *

Criminal, unlawful or objectionable conduct

Does any part of your organisation process information about criminal behaviour? *
Does any part of your organisation process information about objectionable or unlawful conduct? *
Is the processing of criminal, unlawful or objectionable conduct done on behalf of a third party? *

Special Personal Information - religious or philosophical beliefs

Does any part of your organisation process information about religious or philosophical beliefs? *
On what legal basis do you process religious or philosophical beliefs?

Watch out for catering requirements when managing events because dietary preferences can denote religious beliefs, this type of data should be deleted once the event is over. Caterers and other third parties should be given dietary preferences that are entirely de-identified. If they must have names, ensure that they delete the data once the event is over.

Sometimes greeting cards are sent out for religious holidays and festivals, if these can be sent to specific contacts then it is personal information.

Authorisation concerning data subject’s religious or philosophical beliefs

28. (1) The prohibition on processing personal information concerning a data
subject’s religious or philosophical beliefs, as referred to in section 26, does not apply if
the processing is carried out by—
(a) spiritual or religious organisations, or independent sections of those
organisations if—
(i) the information concerns data subjects belonging to those organisations;
or
(ii) it is necessary to achieve their aims and principles;
(b) institutions founded on religious or philosophical principles with respect to
their members or employees or other persons belonging to the institution, if it
is necessary to achieve their aims and principles; or
(c) other institutions: Provided that the processing is necessary to protect the
spiritual welfare of the data subjects, unless they have indicated that they
object to the processing.
(2) In the cases referred to in subsection (1)(a), the prohibition does not apply to
processing of personal information concerning the religion or philosophy of life of
family members of the data subjects, if—
(a) the association concerned maintains regular contact with those family
members in connection with its aims; and
(b) the family members have not objected in writing to the processing.
(3) In the cases referred to in subsections (1) and (2), personal information concerning
a data subject’s religious or philosophical beliefs may not be supplied to third parties
without the consent of the data subject.

Special Personal Information - race or ethnic origin

Does any part of your organisation, besides HR / Talent Management, process information about race or ethnic origin? *
B-BBEE legislation is a common legal justification for managing ethnic origin, but only for your HR department.
On what legal basis do you process information about race or ethnic origin?

Special Personal Information - trade union membership

Does any part of your organisation process information about trade union membership? *
On what legal basis do you process information about trade union membership?

B-BBEE legislation is a common legal justification for managing ethnic origin, but only for your HR department.

Watch out for HR information that is shared with a third party or is accessible to other parts of the organisation that do not have a legal justification for having that data.

Authorisation concerning data subject’s trade union membership

30. (1) The prohibition on processing personal information concerning a data
subject’s trade union membership, as referred to in section 26, does not apply to the
processing by the trade union to which the data subject belongs or the trade union
federation to which that trade union belongs, if such processing is necessary to achieve
the aims of the trade union or trade union federation.
(2) In the cases referred to under subsection (1), no personal information may be
supplied to third parties without the consent of the data subject.

Special Personal Information - political persuasion

Does any part of your organisation process information about political persuasion? *
On what legal basis do you process information about political persuasion?

watch out for...

Authorisation concerning data subject’s political persuasion

31. (1) The prohibition on processing personal information concerning a data
subject’s political persuasion, as referred to in section 26, does not apply to processing
by or for an institution, founded on political principles, of the personal information of—
(a) its members or employees or other persons belonging to the institution, if such
processing is necessary to achieve the aims or principles of the institution; or
(b) a data subject if such processing is necessary for the purposes of—
(i) forming a political party;
(ii) participating in the activities of, or engaging in the recruitment of
members for or canvassing supporters or voters for, a political party with
the view to—
(aa) an election of the National Assembly or the provincial legislature as
regulated in terms of the Electoral Act, 1998 (Act No. 73 of 1998);
(bb) municipal elections as regulated in terms of the Local Government:
Municipal Electoral Act, 2000 (Act No. 27 of 2000); or
(cc) a referendum as regulated in terms of the Referendums Act, 1983
(Act No. 108 of 1983); or
(iii) campaigning for a political party or cause.
(2) In the cases referred to under subsection (1), no personal information may be
supplied to third parties without the consent of the data subject.

Special Personal Information - health or sex life

Does any part of your organisation process information about anyone's health or sex life? *
On what legal basis do you process information about health or sex life?

watch out for...

Authorisation concerning data subject’s health or sex life

32. (1) The prohibition on processing personal information concerning a data
subject’s health or sex life, as referred to in section 26, does not apply to the processing
by—
(a) medical professionals, healthcare institutions or facilities or social services, if
such processing is necessary for the proper treatment and care of the data
subject, or for the administration of the institution or professional practice
concerned;
(b) insurance companies, medical schemes, medical scheme administrators and
managed healthcare organisations, if such processing is necessary for—
(i) assessing the risk to be insured by the insurance company or covered by
the medical scheme and the data subject has not objected to the
processing;
(ii) the performance of an insurance or medical scheme agreement; or
(iii) the enforcement of any contractual rights and obligations;
(c) schools, if such processing is necessary to provide special support for pupils
or making special arrangements in connection with their health or sex life;
(d) any public or private body managing the care of a child if such processing is
necessary for the performance of their lawful duties;
(e) any public body, if such processing is necessary in connection with the
implementation of prison sentences or detention measures; or
(f) administrative bodies, pension funds, employers or institutions working for
them, if such processing is necessary for—
(i) the implementation of the provisions of laws, pension regulations or
collective agreements which create rights dependent on the health or sex
life of the data subject; or
(ii) the reintegration of or support for workers or persons entitled to benefit
in connection with sickness or work incapacity.
(2) In the cases referred to under subsection (1), the information may only be
processed by responsible parties subject to an obligation of confidentiality by virtue of
office, employment, profession or legal provision, or established by a written agreement
between the responsible party and the data subject.
(3) A responsible party that is permitted to process information concerning a data
subject’s health or sex life in terms of this section and is not subject to an obligation of
confidentiality by virtue of office, profession or legal provision, must treat the
information as confidential, unless the responsible party is required by law or in
connection with their duties to communicate the information to other parties who are
authorised to process such information in accordance with subsection (1).
(4) The prohibition on processing any of the categories of personal information
referred to in section 26, does not apply if it is necessary to supplement the processing
of personal information concerning a data subject’s health, as referred to under
subsection (1)(a), with a view to the proper treatment or care of the data subject.
(5) Personal information concerning inherited characteristics may not be processed in
respect of a data subject from whom the information concerned has been obtained,
unless—
(a) a serious medical interest prevails; or
(b) the processing is necessary for historical, statistical or research activity.
(6) More detailed rules may be prescribed concerning the application of subsection
(1)(b) and (f).

COVID Guidelines

The Information Regulator has provided Guidelines for managing health information related to the COVID-19 requirements. You can read about it here:

https://clearwood.co.za/how-does-covid-19-impact-on-privacy/.

Special Personal Information - criminal behaviour or biometric information

Does any part of your organisation process information about criminal behaviour or biometric information? *
On what legal basis do you process information about criminal behaviour or biometric information?

watch out for...

Authorisation concerning data subject’s criminal behaviour or biometric information

33. (1) The prohibition on processing personal information concerning a data
subject’s criminal behaviour or biometric information, as referred to in section 26, does
not apply if the processing is carried out by bodies charged by law with applying
criminal law or by responsible parties who have obtained that information in accordance
with the law.
(2) The processing of information concerning personnel in the service of the
responsible party must take place in accordance with the rules established in compliance
with labour legislation.
(3) The prohibition on processing any of the categories of personal information
referred to in section 26 does not apply if such processing is necessary to supplement the
processing of information on criminal behaviour or biometric information permitted by
this section.

Personal Information of children

Does any part of your organisation process personal information of children? *
POPIA defines a child as anyone under the age of 18 but legislations in other countries define a "child" differently. If you are using a tool to manage privacy or are relying on guidance notes written outside of South Africa, be sure to double check that you have applied the definition of a child correctly as anyone under 18 years old.

General authorisation concerning personal information of children

35. (1) The prohibition on processing personal information of children, as referred to
in section 34, does not apply if the processing is—
(a) carried out with the prior consent of a competent person;
(b) necessary for the establishment, exercise or defence of a right or obligation in
law;
(c) necessary to comply with an obligation of international public law;
(d) for historical, statistical or research purposes to the extent that—
(i) the purpose serves a public interest and the processing is necessary for
the purpose concerned; or
(ii) it appears to be impossible or would involve a disproportionate effort to
ask for consent,
and sufficient guarantees are provided for to ensure that the processing does
not adversely affect the individual privacy of the child to a disproportionate
extent; or
(e) of personal information which has deliberately been made public by the child
with the consent of a competent person.
(2) The Regulator may, notwithstanding the prohibition referred to in section 34, but
subject to subsection (3), upon application by a responsible party and by notice in the
Gazette, authorise a responsible party to process the personal information of children if
the processing is in the public interest and appropriate safeguards have been put in place
to protect the personal information of the child.
(3) The Regulator may impose reasonable conditions in respect of any authorisation
granted under subsection (2), including conditions with regard to how a responsible
party must—
(a) upon request of a competent person provide a reasonable means for that
person to—
(i) review the personal information processed; and
(ii) refuse to permit its further processing;
(b) provide notice—
(i) regarding the nature of the personal information of children that is
processed;
(ii) how such information is processed; and
(iii) regarding any further processing practices;
(c) refrain from any action that is intended to encourage or persuade a child to
disclose more personal information about him- or herself than is reasonably
necessary given the purpose for which it is intended; and
(d) establish and maintain reasonable procedures to protect the integrity and
confidentiality of the personal information collected from children.

Direct Marketing

Does any part of your organisation perform direct marketing? *
Direct Marketing may not be what you expect, please read the notes provided in the tabs below.
Do you market to to people, companies or CCs who are not your clients?
Do you market to to people outside SA?
Do you have consent for the direct marketing that fulfills the requirement of Regulation 6, FORM 4?

Consider all your communications against the definition of Direct Marketing.

Direct Marketing is defined very broadly under POPIA (see the full definition under the "Law" tab in this section. If you are "directly or indirectly" promoting anything, then it is direct marketing. It does not only apply to "mass mailers"; one-on-one communication can qualify as direct marketing, including requests to "make a donation of any kind". If the communication is sent using "electronic means" and is "unsolicited" then Section 69 applies. Remember that POPIA applies to juristic persons, so promotional communication sent to a company could also fall under the requirements of section 69.

Do you really have consent?

Section 69 has set a very high standard for what is considered adequate consent under POPIA. If the contact is your customer but you are promoting someone else's products or services; or if the contact is not your customer,  you probably don't have adequate consent. Customers are bit more tricky. Can you prove that, at the time of the sale, your customer was told they would be receiving the direct marketing and that they were given the chance to object at that point? If not, then assume you do not have adequate consent.

Defintion POPI Section 1

‘direct marketing means to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of – (a) Promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or (b) Requesting the data subject to make a donation of any kind for any reason.'

POPIA Section 69 Direct marketing by means of unsolicited electronic communications

S69(1) The processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail is prohibited unless the data subject— (a) has given his, her or its consent to the processing; or (b) is, subject to subsection (3), a customer of the responsible party. S69(2) (a) A responsible party may approach a data subject— (i) whose consent is required in terms of subsection (1)(a); and (ii) who has not previously withheld such consent, only once in order to request the consent of that data subject. (b) The data subject’s consent must be requested in the prescribed manner and form. S69 (3) A responsible party may only process the personal information of a data subject who is a customer of the responsible party in terms of subsection (1)(b)— (a) if the responsible party has obtained the contact details of the data subject in the context of the sale of a product or service; (b) for the purpose of direct marketing of the responsible party’s own similar products or services; and (c) if the data subject has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his, her or its electronic details— (i) at the time when the information was collected; and (ii) on the occasion of each communication with the data subject for the purpose of marketing if the data subject has not initially refused such use. S69 (4) Any communication for the purpose of direct marketing must contain— (a) details of the identity of the sender or the person on whose behalf the communication has been sent; and (b) an address or other contact details to which the recipient may send a request that such communications cease. S69(5) ‘‘Automatic calling machine’’, for purposes of subsection (1), means a machine that is able to do automated calls without human intervention.  

Regulation 6 Request for data subject's consent to process personal information

A responsible party who wishes to process personal information of a data subject for the purpose of direct marketing by electronic communication must in terms of section 69(2) of the Act submit a request for written consent to that data subject on Form 4. (FORM 4 is defined in the Regulation)

Automated decision making

Do you make any decisions which result in legal or substantial consequences for a data subject, which is based solely on the basis of the automated processing of personal information intended to provide a profile of such person including his or her performance at work, or his, her or its credit worthiness, reliability, location, health, personal preferences or conduct? *
On what legal basis do you make the decisions?

Do you conduct any automated profiling?

Section 71 is concerned about profiling data subjects based on performance at work, credit worthiness, reliability, location, health, personal preferences or conduct. An example would be profiling customers based on bad debt.

You need to check whether you profile data subjects (i.e. people or organisations) and then make decisions that impact on them without any human intervention or manual check points.

Do your systems make decisions that lead to consequences for people or organisations?

Automated decisions can hold substantial consequences for the Data Subject. Substantial consequences could include things like negatively impacting a person's credit worthiness, job performance, remuneration, etc.

You may only make automated decisions that have substantial consequences if you are doing it in terms a law, a code of conduct, or a contract.

If you rely on a contract, is the contract compliant?

If you are unsure whether the following requirements are met, then set your legal basis to "Not sure".

The automated decision must be taken in connection with the conclusion or execution of a contract, that has satisfied a request of the data subject. If that is not the case then you must take appropriate measures to protect the data subject’s legitimate interests.

The contract must provide a mechanism for the data subject to make representations and reveal the underlying logic of the automated decision i.e. they should be aware of the automated decision, and be able to ask you to explain how the decision was made. You need to be able to unpack the logic for them.

Automated decision making

71. (1) Subject to subsection (2), a data subject may not be subject to a decision which
results in legal consequences for him, her or it, or which affects him, her or it to a substantial degree, which is based solely on the basis of the automated processing of
personal information intended to provide a profile of such person including his or her performance at work, or his, her or its credit worthiness, reliability, location, health, personal preferences or conduct.
(2) The provisions of subsection (1) do not apply if the decision—
(a) has been taken in connection with the conclusion or execution of a contract,
and—
(i) the request of the data subject in terms of the contract has been met; or
(ii) appropriate measures have been taken to protect the data subject’s
legitimate interests; or
(b) is governed by a law or code of conduct in which appropriate measures are specified for protecting the legitimate interests of data subjects.
(3) The appropriate measures, referred to in subsection (2)(a)(ii), must—
(a) provide an opportunity for a data subject to make representations about a decision referred to in subsection (1); and
(b) require a responsible party to provide a data subject with sufficient information about the underlying logic of the automated processing of the information relating to him or her to enable him or her to make representations in terms of paragraph (a).

Accountability

Have you identified your organisation's Information Officer? *
Has your Information Officer been registered with the Information Regulator?

watch out for...

Processing limitation

Do you keep any Personal Information indefinitely or without having a defined, documented retention period? *

watch out for...

Purpose specification

Do you collect any Personal Information without having a defined, documented purpose? *

watch out for...

Further processing

Do you ever re-purpose Personal Information for a new purpose that was no declared at collection? *

watch out for...

Information quality

Do you have documented mechanisms to update all the information you store? *

watch out for...

Openness

Do you have documented mechanisms to update all the information you store? *

watch out for...

Security safeguards

Do you have documented mechanisms to update all the information you store? *

watch out for...