
Tutorial: Citizen-side DSAR

Generating compliant Data Subject Access Request letters under NDPA, POPIA, Kenya DPA, and Ghana DPA - with cryptographic provenance the receiving DPO can verify offline.

Why this matters

African citizens have rights under NDPA-2023 (Nigeria), POPIA (South Africa), Kenya DPA (2019), and Ghana DPA (2012) that are, in practice, unexercisable today. Bureaucracy is the barrier. A citizen who wants to exercise their right of access must:

  1. Identify which organizations hold their data.
  2. Find each organization's DPO contact.
  3. Draft a request that cites the correct statute sections.
  4. Send the request via approved channels.
  5. Track responses.
  6. Escalate to the regulator if ignored.

Each step is manual. Most citizens never exercise these rights.

arche.workflow.DSARWorkflow automates steps 3 and 4 (plus signed provenance the DPO can verify). The citizen reviews and dispatches in Stage 1; autonomous dispatch is Stage 4 with explicit consent mechanisms.

The workflow

from arche.workflow import DSARWorkflow, DSARRequestor, DSAROrganization
from arche.sign import generate_keypair

# Citizen-held key - generate once, store locally
citizen_key = generate_keypair()

workflow = DSARWorkflow(
    jurisdiction="NG",                       # auto-resolves NDPA-2023
    requestor=DSARRequestor(
        name="Adesola Okonkwo",
        identifier_label="NIN",
        identifier_value="12345678901",
        email="adesola@example.com",
        phone="+234 803 555 7890",
    ),
    request_type="access",                   # see request types below
    targets=[
        DSAROrganization(name="Sterling Bank Limited",
                         dpo_email="dpo@sterlingbank.ng"),
        DSAROrganization(name="MTN Nigeria Communications",
                         dpo_email="dpo@mtn.ng"),
    ],
)

result = workflow.run(citizen_key)

for draft in result.drafts:
    print(draft.letter_text)            # ready to email
    print(draft.signed_envelope)        # JWS for DPO verification

Request types

The five request types align with the GDPR / POPIA / NDPA / Kenya DPA / Ghana DPA common right-of-data-subject vocabulary:

| Request type | What it asks for |
|---|---|
| access | A copy of all personal data held about the requestor |
| rectification | Correction of inaccurate or incomplete data |
| erasure | Deletion of personal data ("right to be forgotten") |
| portability | Personal data in a structured, machine-readable format |
| objection | Cessation of processing for specified purposes |

Per-jurisdiction citations

The workflow picks the correct statute section automatically:

| Jurisdiction | Statute | Right of access citation |
|---|---|---|
| Nigeria | NDPA-2023 | s.34 (Right of Access) |
| South Africa | POPIA | s.23 (Access to personal information) |
| Kenya | Kenya DPA | s.26(a) (Right of Access) |
| Ghana | Ghana DPA | s.35 (Access to personal data) |

Similar mappings exist for rectification, erasure, portability, and objection - each citation chosen per the locked statute YAML in arche.policy.statutes/.

Per-jurisdiction deadlines

| Jurisdiction | Statute deadline (days) |
|---|---|
| NDPA-2023 | 30 |
| POPIA | 30 |
| Kenya DPA | 30 |
| Ghana DPA | 21 |

The workflow uses the statute's default unless the citizen overrides:

DSARWorkflow(
    jurisdiction="NG",
    deadline_days=14,                  # override the 30-day NDPA default
    # ...
)

What each draft looks like

2026-06-09

Data Protection Officer
Sterling Bank Limited
[Address on file]

Subject: Data Subject Access Request under Nigeria Data Protection Act 2023 (NDPA-2023)

Dear Data Protection Officer,

I, Adesola Okonkwo, identified by NIN (12345678901), hereby exercise my right under NDPA-2023 s.34 (Right of Access) to access to all personal data that you hold concerning me.

Identity verification details:
  Full name:     Adesola Okonkwo
  NIN:           12345678901
  Email:         adesola@example.com
  Phone:         +234 803 555 7890

You are required to respond to this request within 30 days of receipt, as provided by Nigeria Data Protection Act 2023 (NDPA-2023). Please confirm receipt within 7 working days and provide an estimated response date.

If you fail to respond within the statutory window, or if I am not satisfied with your response, I reserve the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC).

Yours faithfully,

Adesola Okonkwo
adesola@example.com

---
This letter was generated by arche-core v0.2.0a1...

Each draft is accompanied by a JWS-signed envelope. The receiving DPO can verify offline:

from arche.sign import VerifyExtractWorkflow

verified = VerifyExtractWorkflow(
    require_purpose=f"dsar_{result.request_type}",
    require_jurisdiction=result.jurisdiction,
).process(result.drafts[0].signed_envelope)

print(verified.signature_valid)        # True
print(verified.issuer_did)              # citizen's did:key
print(verified.envelope.expires_at)     # the statutory deadline

The DPO knows:

  • The request came from the holder of citizen_key.
  • The signing happened at a specific timestamp.
  • The intent (purpose) matches the request type.
  • The deadline is computed from the statute.
  • Any modification of the letter or metadata would break the signature.
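
An added example, not arche-core's own code, of the checks listed above: the envelope commits to the letter by hash, and the verifier pins the algorithm and checks the signature before trusting any claim. HMAC-SHA256 stands in for the citizen's asymmetric did:key signature so the block runs on the standard library; the claim names, key and letter are assumptions constructed here.

```python
import base64, hashlib, hmac, json

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def letter_hash(letter: str) -> str:
    return hashlib.sha256(letter.encode()).hexdigest()

def sign_envelope(key, letter, purpose, jurisdiction, issued_at, deadline_days):
    """Compact JWS whose payload commits to the letter text by hash."""
    header = {"alg": "HS256"}  # stand-in algorithm (assumption, see lead-in)
    claims = {"letter_sha256": letter_hash(letter), "purpose": purpose,
              "jurisdiction": jurisdiction, "iat": issued_at,
              "exp": issued_at + deadline_days * 86400}  # hypothetical claim names
    signing_input = ".".join(b64u(json.dumps(part).encode()) for part in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64u(sig)}"

def verify_envelope(key, token, letter, require_purpose, require_jurisdiction):
    """Return (ok, detail); claims are read only after the signature checks out."""
    try:
        h64, p64, s64 = token.split(".")
        header, sig = json.loads(b64u_dec(h64)), b64u_dec(s64)
    except ValueError:
        return False, "malformed envelope"
    # Pin the algorithm instead of accepting whatever the header asks for.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    claims = json.loads(b64u_dec(p64))
    if claims["letter_sha256"] != letter_hash(letter):
        return False, "letter altered"
    if claims["purpose"] != require_purpose:
        return False, "purpose mismatch"
    if claims["jurisdiction"] != require_jurisdiction:
        return False, "jurisdiction mismatch"
    return True, claims

# Constructed sample data, not output of arche-core.
KEY = b"constructed-demo-key"
LETTER = "I hereby exercise my right under NDPA-2023 s.34 (Right of Access)."
TOKEN = sign_envelope(KEY, LETTER, "dsar_access", "NG", 1780963200, 30)
```

With a real asymmetric key the verifier holds only the public half, so the DPO can run the same checks without being able to forge a request.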

Stage 1 dispatch mode

dispatch_mode="draft_only" is the only mode supported in Stage 1. The workflow drafts the letter; the citizen reviews and emails it manually. This conservatism is deliberate: auto-dispatching legal letters at scale could create real harm if the workflow miscites a statute or misidentifies a target.

Autonomous dispatch lands in Stage 4 with explicit consent mechanisms and a separate audit trail.

What's next