Responding to a POPIA Data Subject Access Request: A Step-by-Step Guide for Information Officers
If you have recently been appointed as your organisation's Information Officer, one of the tasks you may encounter early on is handling a data subject access request (DSAR). POPIA section 23 gives individuals the right to ask whether you hold their personal information and, if so, to request a copy of it. Handling that request correctly matters — both for the person asking and for your organisation's standing with the Information Regulator.
> Disclaimer: This article is general information based on published Information Regulator guidance and the text of POPIA. It is not legal advice. For your specific situation, consult a qualified attorney.
---
What is a Data Subject Access Request?
A data subject access request — commonly called a DSAR — is a formal request from an individual (the "data subject") exercising their right under POPIA section 23. That right allows them to:
- Confirm whether your organisation holds personal information about them.
- Request a description of the personal information held.
- Request the identity or categories of third parties who have had, or currently have, access to that information.
Requests can arrive in many forms: a formal letter, an email, a completed copy of the Information Regulator's prescribed form (Form 2 under the PAIA / POPIA framework), or even a plain-English message. The channel does not determine whether it is valid — the intent does.
---
Step 1 — Identify and Log the Request
As soon as you receive something that looks like a DSAR, log it immediately with the date received. Time starts running from the date of receipt, so an unlogged request is a compliance risk from the moment it arrives.
Record:
- The data subject's name and contact details.
- The date and channel of receipt (email, post, web form, etc.).
- A brief description of what they are asking for.
Khanyitas's compliance dashboard includes a DSAR register that time-stamps entries automatically — but a simple spreadsheet works too, as long as you use it consistently.
---
Step 2 — Verify the Identity of the Requestor
Before you share any personal information, confirm that the person making the request is who they say they are. This is not obstruction — it is responsible processing under POPIA's security safeguard obligations (section 19). A fraudster could use a DSAR to extract someone else's data.
Reasonable verification methods include:
- Asking for a copy of a government-issued ID (handled confidentially and not retained longer than necessary).
- Matching the request against contact details already on file.
- Sending a one-time verification link to the email address held in your system.
Do not set verification hurdles that are disproportionately burdensome. The Information Regulator's guidance emphasises that the right of access should be practically realisable.
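The one-time verification link mentioned above only does its job if the link cannot be forged, reused, or kept alive indefinitely. The following is an added illustration, not code from this article or from any product it mentions, of how such a link's token can be issued and checked: the token is bound to the DSAR reference and the e-mail address already on file, signed with HMAC-SHA256, expires after an assumed 24-hour window, and is accepted only once. The secret key, the reference format, the 24-hour lifetime and the in-memory record of used tokens are all assumptions made for the example; a deployment would load the key from a secrets store and keep the used-token record in a database.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Assumed server-side secret, constructed for this example only.
# In production load it from a secrets store; never hard-code it.
SECRET_KEY = b"example-only-key-replace-me"

# Assumed policy: a verification link is valid for 24 hours.
TOKEN_TTL_SECONDS = 24 * 60 * 60

# Record of tokens already used, so a link works exactly once.
# Kept in memory here; a real deployment persists this in a database.
_consumed = set()


def _b64encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _b64decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def issue_token(request_ref: str, email: str, now: Optional[float] = None) -> str:
    """Create a signed, time-limited, single-use token bound to one DSAR
    reference and to the e-mail address held on file for the data subject."""
    issued = int(now if now is not None else time.time())
    payload = {
        "ref": request_ref,
        "email": email.strip().lower(),
        "exp": issued + TOKEN_TTL_SECONDS,
        "nonce": secrets.token_hex(8),  # makes every link unique, enabling single use
    }
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    return f"{_b64encode(body)}.{_b64encode(sig)}"


def verify_token(token: str, request_ref: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (ok, reason). Only a well-formed, correctly signed, unexpired,
    unused token issued for this DSAR reference passes; on success the token
    is marked as consumed so the same link cannot be replayed."""
    current = int(now if now is not None else time.time())
    try:
        body_b64, sig_b64 = token.split(".", 1)
        body = _b64decode(body_b64)
        sig = _b64decode(sig_b64)
    except ValueError:  # covers a missing separator and invalid base64
        return False, "malformed"

    # Check the signature before trusting anything inside the payload.
    expected = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"

    payload = json.loads(body)
    if current >= payload["exp"]:
        return False, "expired"
    if payload["ref"] != request_ref:
        return False, "reference mismatch"

    key = (payload["ref"], payload["nonce"])
    if key in _consumed:
        return False, "already used"
    _consumed.add(key)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: issue a link for one request, then check it twice.
    ref = "DSAR-EXAMPLE-001"  # placeholder reference format
    link_token = issue_token(ref, "Person@Example.com")
    print("first use:", verify_token(link_token, ref))   # (True, 'ok')
    print("second use:", verify_token(link_token, ref))  # (False, 'already used')
```

The order of checks matters: the signature is verified with a constant-time comparison before the payload is parsed, so a forged or tampered token is rejected without its contents ever being trusted, and the token is only recorded as used after every other check has passed.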
---
Step 3 — Acknowledge in Writing
Send an acknowledgement to the data subject promptly — ideally within a few business days of receipt. The acknowledgement should:
- Confirm you have received their request.
- Give them a reference number.
- State the timeframe within which you aim to respond.
POPIA does not prescribe a response deadline in the same explicit way that GDPR does, but the Information Regulator expects requests to be handled within a reasonable period. Many practitioners treat 30 calendar days as the de facto benchmark, consistent with the spirit of PAIA (the Promotion of Access to Information Act), which governs related access rights.
---
Step 4 — Conduct an Internal Information Search
Work with whoever manages your systems — CRM, HR platform, email archives, physical files — to locate all personal information held about the requestor. Common locations include:
- Customer relationship management (CRM) systems.
- Accounting and invoicing software.
- Email servers and archived correspondence.
- HR or payroll platforms (for employee requests).
- Physical files, if applicable.
Document where you searched, what you found, and what you determined was in scope. This paper trail demonstrates due diligence if the Regulator ever asks.
---
Step 5 — Review for Exemptions Before Disclosing
Not everything you find must be shared. POPIA and PAIA recognise that access may be limited where disclosure would:
- Reveal personal information about a third party who has not consented.
- Prejudice a legitimate legal proceeding or ongoing investigation.
- Conflict with another statutory obligation.
Review your findings carefully, and if exemptions apply, note them in your response with enough explanation that the data subject can understand why certain information is withheld. Do not simply refuse without reason — that approach is likely to generate a complaint to the Information Regulator.
If you are uncertain whether an exemption applies, this is a good moment to consult your legal counsel.
---
Step 6 — Compile and Send the Response
Your response should be clear, structured, and in plain language. It should:
- Confirm what personal information you hold (or confirm that you hold none).
- Provide a copy or description of that information in an accessible format.
- Identify any third parties to whom the information was disclosed, where required.
- Explain clearly any information that is being withheld and the reason why.
Deliver the response securely. Email with a password-protected attachment is a common approach; do not send sensitive personal information in an unencrypted email to a generic inbox.
---
Step 7 — Record the Outcome
Update your DSAR register with:
- The date the response was sent.
- A summary of what was provided or withheld.
- Any exemptions applied, with brief reasons.
Retain this record. If the data subject escalates to the Information Regulator, your documented process is your primary evidence of compliance.
---
What Happens If You Miss the Deadline or Get It Wrong?
A data subject who is unhappy with your response — or receives no response — may lodge a complaint with the Information Regulator at inforegulator.org.za. The Regulator can investigate, issue enforcement notices, and in serious cases refer matters for prosecution. Information Officers have personal duties under POPIA section 55, which means the consequences can extend beyond the organisation itself.
The practical lesson: a prompt, well-documented response — even an imperfect one — is almost always better than silence.
---
A Quick Reference Checklist
- [ ] Request logged with date received
- [ ] Requestor identity verified
- [ ] Acknowledgement sent
- [ ] Internal information search completed and documented
- [ ] Exemptions reviewed
- [ ] Response compiled in plain language
- [ ] Response delivered securely
- [ ] DSAR register updated
---
> Disclaimer: This article is general information based on published Information Regulator guidance and the text of POPIA. It is not legal advice. For your specific situation — particularly where exemptions or disputed requests are involved — consult a qualified attorney.
*Primary source: Protection of Personal Information Act 4 of 2013, available at gov.za. Information Regulator guidance at inforegulator.org.za.*