Responding to Access and Correction Requests

Track Your Course Progress
You are currently studying as a guest. Your course progress and quiz results will not be saved unless you login to your EduCourse account. Login to track your progress and qualify for your certificate.

How to Handle Access and Correction Requests Properly

Responding to Access and Correction Requests is an important part of protecting personal data under South African privacy laws. When a person wants to see the information an organisation holds about them, or asks to fix mistakes in their data, the organisation must respond correctly and quickly.

Access requests, also called data subject access requests, give individuals the right to know what personal information is collected, stored, or shared by an organisation. Correction requests allow people to ask for their data to be updated or fixed if it is inaccurate, incomplete, or out of date.

It is important to have a clear process in place for handling these requests. This helps build trust and shows respect for people’s privacy rights. The Protection of Personal Information Act (POPIA) says organisations must respond without unreasonable delay, usually within 30 days.

Steps for Handling Access and Correction Requests

  1. Receive and confirm the request – Make sure the request is clear. Confirm who is asking and what information they want to access or correct.
  2. Verify the requester’s identity – Check that the person requesting the data is the data subject or is authorised to act for them. Protect personal data by not sharing it with strangers.
  3. Search for the data – Find all the information the organisation holds about the person. This includes records, databases, emails, and backups.
  4. Check for legal reasons to refuse – Some data may be withheld for legal or security reasons, such as protecting other people’s privacy or company secrets.
  5. Send the data or corrected data – Provide the information in a clear, understandable form. For corrections, update the data and confirm the changes with the data subject.
  6. Keep records of the request – Document the request, response, and dates for compliance and audit purposes.

Responding on time is essential. If you need more time due to complexity, inform the requester and explain the delay.

When correcting data, take care to verify the new information before making changes. Inform all other systems or partners who hold the same data to keep records consistent.

Training staff to recognise and handle access and correction requests is also important. Clear guidelines help prevent mistakes and protect personal data.

In summary, responding to access and correction requests shows respect for individual privacy rights and helps comply with POPIA. Organisations must act quickly and carefully, ensuring data is accurate and only shared with the right people.

Live Scenario • Active Situation

You are a Data Privacy Officer at a South African financial firm.

There is no single perfect answer. Choose what you would do in this situation.