Data Commissioner ruling on the right to access personal data: An in-depth examination of your rights over collected data
The right of access to personal data has been a subject of discussion globally with the General Data Protection Regulation (GDPR) devoting an entire article to outlining this concept. It is nonetheless crucial to define personal data as follows:
- The GDPR defines personal data as any information relating to an identified or identifiable natural person (‘data subject’); the data subjects are identifiable if they can be directly or indirectly identified, especially by reference to an identifier such as a name, an identification number, location data, an online identifier or one of several special characteristics, which expresses the physical, physiological, genetic, mental, commercial, cultural or social identity of these natural persons.
These definitions are what guide the Data Protection Act (DPA) which borrows heavily from the GDPR.
The data subject then automatically becomes the ‘identified or identifiable natural person who is the subject of personal data’; the data processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the data controller who is then defined as the ‘natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data’.
Article 15 of the GDPR states that a data subject has the right to be informed of the purpose for the collection of their personal data, the period in which the data will be processed and used or stored, and any third-party sharing that may be done during the processing. The data subject also has the right to access this information during and after processing. The DPA states, in Section 26, that the data subject has the right to be informed of the use to which their personal data is to be put and to access their personal data in the custody of the data controller or data processor. This is well-backed by Regulation 9 (1)(e), (3) of the Data Protection (General) Regulations, 2021.
In a recent Kenyan case, Harrison Kisaka v Faulu Microfinance Bank Limited (ODPC Complaint No. 0586 of 2023), the Office of the Data Protection Commissioner ruled that the Respondent had infringed on the Complainant’s right to access his personal data which he consented to give during his job interview. After processing his data, the processor concluded that the information worked against the data subject’s chances of getting his job due to an ongoing criminal matter. The data subject requested this information from the processor and also the source so as to follow up for resolution. This request was denied and a complaint was lodged with the ODPC. The ODPC concluded that the Data Processor had indeed violated the Data Subject’s rights.
The processing of the personal data done in this matter is questionable considering the Respondent claims that the criminal case, which is ongoing, is public knowledge and therefore there was no physical report to give. However, the concept of pseudonymization ought to be in play in this matter. This is ‘the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person’.
An individual is entitled to a copy of their personal data and other supplementary information. The method of delivering the information is also essential: if an individual makes a request electronically, the information should be delivered in a commonly used electronic format, unless the individual requests otherwise.
The mode of delivery is decided based on both the circumstances of the particular request and whether the individual has the ability to access the data you provide in that format. It is good practice to establish the individual’s preferred format prior to fulfilling their request. Alternatives can also include allowing the individual to access their data remotely and download a copy in an appropriate format.
All in all, data subjects must be made aware of their rights when it comes to their personal information. These include but are not limited to:
- Right to be informed: The right to information allows individuals to know what personal data is collected about them, why, who is collecting data, how long it will be kept, how they can file a complaint, and with whom they will share the data;
- Right of access: Data subjects have a right to submit subject access requests and obtain information from the organisation about whether their personal information is being processed;
- Right to rectification: This allows the individuals to ask the organisation to update any inaccurate or incomplete data they have on them;
- Right to be forgotten: also known as the right to erasure. This right allows individuals to ask for their personal data to be deleted if:
  - Personal data is no longer necessary;
  - An individual withdraws consent;
  - The personal data has been unlawfully processed;
  - An individual objects to the processing, and the data controller has no reason to continue processing;
  - Data erasure is necessary for compliance with a legal obligation.
However, there are situations where organisations can decline the request, for instance, due to public interest or compliance with legal obligations. If a data subject exercises their right to erasure, the organisation has to notify any third parties with whom the data was shared and request the erasure of data. The organisation has to comply unless it can prove that the request would require a disproportionate effort or if it is impossible to comply.
- Right to restrict processing: Individuals can request that an organisation limit the way it uses their personal data. The organisation is not automatically obligated to delete the data.
- Right to data portability: This is one of the novelties among data subject rights. It allows individuals to obtain personal data they have previously provided to the organisation in a structured, commonly used, and machine-readable format. Individuals can also request for their data to be transferred directly to another organisation.
- Right to object to processing: This allows individuals to object to the processing of personal data at any time, in certain situations, and it will depend on the purpose of processing and the lawful basis for processing. Individuals can stop the processing of their personal data for direct marketing purposes, as this is their absolute right. However, they can also object to the processing of data on the grounds of legitimate interest or the tasks in the public interest.
- Rights in relation to automated decision-making and profiling: This may include evaluating certain personal aspects relating to an individual that analyse or predict aspects of behaviour like performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, or location. The data subjects now have the right not to be subject to automated decision-making if it is producing a legal effect that significantly affects them. However, it will not apply if the processing is necessary for the performance of a contract, if it is authorized by the law, or if the processing is based on explicit consent.