Judith Phiri
THE Postal and Telecommunications Regulatory Authority (POTRAZ) has called on Data Protection Officers (DPOs) to liaise with the regulator when dealing with complex data subject requests to ensure compliance with the Cyber and Data Protection Act, secure data handling and the protection of data subjects’ rights.

A data subject request is a formal request made by a data subject to the data controller to exercise their rights over their personal data under the Cyber and Data Protection Act [Chapter 12:07]. These requests are rooted in the rights of data subjects, such as the rights to access, withdrawal, complaint, correction and deletion.
Speaking at the recent 3rd National Data Privacy Symposium Masterclass in Bulawayo, POTRAZ Advocacy and Compliance Deputy Director, Ms Zvichanzii Mugota called on DPOs to be the point of contact for data subject requests.
“Key features of a data subject request are that it can be made in writing, by telephone, in person or through any other means that the data subject may choose. It is made to any organisation which a data subject believes is controlling their data. Data controllers are mandated to respond to the data subject request,” she said.
“DPOs are the point of contact for data subject requests. They should also train staff on data subject request management and advise on the handling of complex requests, while also liaising with the regulator for the complex requests to ensure compliance with the Cyber and Data Protection Act.”
She said a data subject request strengthened data processing principles and was a core pillar of accountability under Section 24 of the Cyber and Data Protection Act.
The section focuses on the accountability of data controllers, while it mandates that data controllers must take all necessary technical and organisational measures to comply with the data protection principles, ensuring security, integrity and confidentiality of data.
Ms Mugota added: “A data subject request entrenches lawfulness, fairness and transparency according to Sections 13, 15 and 16 of the Cyber and Data Protection Act, while it checks data accuracy as required by Section 7. It also ensures that data is processed only for the purposes for which it was collected, according to Section 13.”
She said the types of data subject requests include access requests (most common), correction/rectification, deletion/erasure, objection to processing and complaints/escalations.
Ms Mugota said the data subject request lifecycle (operational workflow) step-by-step framework includes receipt of request, logging and tracking (Data Subject Access Request (DSAR) register) and identity verification.
“Other steps include assessment (scope + legal basis), data retrieval (ROPA link), redaction (third-party data), response preparation, delivery within timelines and record keeping.”
She said the common practical challenges include vague or broad requests (“give me all my data”), which are requests that lack specific parameters or a clear scope, making them difficult to fulfill.
Ms Mugota said the other challenge was data spread across systems as information is often stored in multiple, disconnected platforms and departments.
“As DPOs you may be faced with legacy systems/poor record management, as outdated technology and disorganised records hinder efficient data retrieval, while third-party data conflicts may arise, as balancing the privacy rights of multiple individuals involved in the requested data can be a challenge,” she said.
“There will also be repeat or vexatious requests as managing burdensome or repetitive inquiries from the same source, often without valid reason can arise. You may face tight timelines as there will be pressure to respond to requests within strict regulatory deadlines, often with limited resources.”
She said grounds for refusal or limitation of a request included legal privilege, third-party confidentiality, national security or law enforcement, and manifestly unfounded or excessive requests.