I recently applied for vehicle finance as well as applying for a visa to visit the UK. In the process I had to disclose a LOT of sensitive personal information, from bank statements to details of my loved ones- definitely sufficient information to allow a criminal to commit identity theft, to stalk me and worse. Do I sound a bit neurotic? Well, the last time I applied for a UK visa, my information was leaked to a hacker and I was contacted several times with demands I pay them in cryptocurrency along with unsavoury allegations about me accessing porn. As you can imagine I was not amused, and although I ignored the demands and reported the leak to the Information Regulators here and in the UK, neither of whom responded to me, it was an unnerving experience I don’t want to repeat.
With the advent of the Protection of Personal Information Act (“POPI”) which became effective three years ago, we have the right to demand that our personal information be deleted by a “responsible party” i.e. any public or private body or person who has our personal information.
Personal information is defined in POPI to include information relating to your race, gender, marital status, nationality, age, health, language; your educational, criminal, employment and financial history, your ID, contact details, addresses, location information, biometric information, and much much more.
Section 24 of POPI says that one can request a responsible party to delete personal information about you if they are no longer authorised to retain it, or if its inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.
How do you do that practically? Well, here’s the form: https://inforegulator.org.za/wp-content/uploads/2020/07/FORM-2-REQUEST-FOR-CORRECTION-OR-DELETION-OF-PERSONAL-INFORMATION-OR.pdf Complete it and hand it in at the responsible party- I’d recommend you keep a copy with their acknowledgement of receipt and the date for your records.
Section 24(4) says the responsible party must inform you of the action taken as a result of your request. If they don’t respond, you can report them to the Information Regulator using this form: https://inforegulator.org.za/wp-content/uploads/2020/07/FORM-5-COMPLAINT-REGARDING-INTERFERENCE-WITH-THE-PROTECTION-OF-AN-ADJUDICATOR.pdf You will have to attach your deletion request form and an affidavit setting out the details of your complaint. The Information Regulator has geared up significantly since my complaint to them in 2018, so you’re more likely to receive joy. During July 2023 they handed out a R5 million fine to the Department of Justice in connection with a cyber attack in 2021.