The Protection of Personal Information Act, 4 of 2013 (“POPIA”) regulates every step of how Personal Information must be handled by a responsible party from the moment it is collected until the moment it is destroyed, with the primary aim of protecting the privacy rights of data subjects.
The right to privacy is a constitutional right that is protected in South Africa’s Bill of Rights, and POPIA ultimately empowers data subjects by protecting them from abuses of their personal information and giving them a degree of control over how their Personal Information is used and handled.
As outlined in one of our previous articles, “POPIA Compliance: More than just the 8 conditions for the lawful processing of personal information”, POPIA identifies three main parties: the data subject, the responsible party and the operator. In addition to setting out the 8 conditions for the lawful processing of personal information and a number of additional rights and obligations that are important to be aware of for the purposes of POPIA compliance, POPIA also regulates the actions that must be taken by responsible parties and operators when experiencing a data breach.
Data breaches are primarily regulated by Section 22 of POPIA (Notification of Security Compromises), which provides that where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify the Information Regulator and the data subject, unless the identity of such data subject cannot be established. The notification must be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system.
- What constitutes a Data Breach under POPIA
In terms of the wording of Section 22 of POPIA, a data breach is any compromise (referred to in this article as a “security compromise”, in line with POPIA’s own terminology) where there are reasonable grounds to believe that the personal information of a data subject has either been accessed or acquired by any unauthorised person.
The wording of Section 22 of POPIA does not only apply to technological incidents, such as hacking, phishing, ransomware attacks or similar, which are commonly synonymous with the terms “data breach” or “security compromise”, but includes any event or incident where there are reasonable grounds to believe that a data subject’s personal information has either been i) accessed or ii) acquired by any person who is not authorised to have that personal information in their possession or under their control.
Security compromises could arise in many different ways including incidents such as theft or loss of files, laptops, cellular phones, external hard drives and USB devices, improper destruction of personal information through, for example, not shredding hard copies of documents containing personal information or not wiping electronic devices clean before sale or disposal, and even human error incidents such as where personal information is accessed or acquired through leaving computer devices unlocked or through sending emails containing personal information to an incorrect recipient.
Due to the words “reasonable grounds to believe” in Section 22 of POPIA, an incident can also be considered a security compromise under POPIA even if it cannot be definitively confirmed that the personal information has been accessed or acquired by an unauthorised person. Accordingly, if there are grounds to believe, on a reasonable basis, that as a result of the incident an unauthorised person could have access to the personal information concerned, or could have acquired the personal information concerned, the incident will be considered a security compromise under POPIA and will become reportable.
Unlike certain other data protection laws around the world, POPIA does not include a limit or threshold for when a security compromise becomes reportable, meaning that all security compromises, no matter the size or the potential impact to affected data subjects, are reportable under POPIA.
- Reporting of Data Breaches
Section 22 of POPIA places an obligation on the responsible party to notify both the Information Regulator and the data subjects affected by the security compromise (unless the identity of the affected data subject(s) cannot be established) in writing as soon as reasonably possible after it has been discovered, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the security compromise and to restore the integrity of the responsible party’s information system.
It is recommended that affected data subjects be notified first, as the Information Regulator will require the responsible party to confirm (in its notification to the Information Regulator) that the affected data subjects have been notified.
Notifying affected data subjects
Notification to affected data subjects must be in writing and must be done in at least one of the following ways:
- By mail to the data subject’s last known physical or postal address;
- By email to the data subject’s last known email address;
- By placing the notification in a prominent position on the responsible party’s website;
- By publishing the notification in the news or media; or
- As otherwise directed by the Information Regulator. The Information Regulator is entitled to direct that the security compromise be publicized in any manner specified by the Information Regulator, if it believes that publicizing the security compromise would protect data subjects affected by the security compromise.
When notifying affected data subjects, the notification must contain enough information to allow the data subject to take protective measures against the potential consequences of the security compromise. The notification must include (as a minimum):
- A description of the possible consequences of the security compromise;
- A description of the measures that the responsible party has taken or intends to take to address the security compromise;
- A recommendation on the measures that affected data subjects can take to mitigate the potential adverse effects of the security compromise; and
- The identity of the unauthorised person that may have accessed or acquired the personal information, if known to the responsible party.
A responsible party is only permitted to delay the notification to the affected data subjects if a public body responsible for the prevention, detection or investigation of offences, or the Information Regulator, determines that the notification will impede a criminal investigation.
It is important to keep detailed records of how and when affected data subjects were notified of the security compromise, and to keep copies of the notification and a record of how it was sent as proof of notification, should this information be requested by the Information Regulator at a later stage.
Notifying the Information Regulator
The Information Regulator has published a prescribed form that must be completed by the responsible party and sent to the Information Regulator to notify it of the security compromise. The prescribed form (Form SCN1) can be found on the Information Regulator’s website (https://inforegulator.org.za/popia-forms/) and is accompanied by a guideline document for completing the form.
All notifications of security compromises must be submitted on this prescribed form. If not, the notification may be regarded as being non-compliant by the Information Regulator.
Part C and Part D of the form require a description of the security compromise (Part C) and a description of the measures that the responsible party has taken and/or intends to take to address the security compromise and protect the affected data subjects’ personal information from further unauthorised access or use (Part D). If the space in the prescribed form at Part C or D is insufficient, the Information Regulator will permit additional information on these two topics to be included as a separate annexure with the submission of the prescribed form.
Once the prescribed form has been completed, it must be signed and sent to the Information Regulator. The Information Regulator should then send an acknowledgement of the notification, together with a reference number, after registering the notification.
Other steps that should be taken by the responsible party
Notification of the incident alone is insufficient. In addition to the notification obligations under POPIA, responsible parties should (as a minimum) also be taking the necessary steps to:
- Fully investigate and assess the scope of the security compromise and take immediate measures to contain the compromise as quickly as possible; and
- Once the compromise is contained, consider and put in place remediation measures to prevent the same or a similar occurrence from happening again.
If your organisation does not have a data breach response plan that can be used to guide your organisation through the process of identifying, investigating, reporting and remediating a security compromise, this should also be put in place, to ensure that if a security compromise does occur, your organisation already has a mapped-out plan in place to react and respond to the compromise quickly and efficiently.
- Data Breaches in the hands of Operators
In terms of POPIA, under the condition of “Accountability”, a responsible party is responsible and accountable for the personal information it collects and processes, even if that personal information is then passed on to a third party (i.e. an operator) to process for or on its behalf. Responsible parties therefore have a duty to ensure that their operators are processing that personal information in compliance with POPIA as they remain accountable under POPIA for that personal information.
In terms of Section 21(2) of POPIA, where a security compromise arises in the hands of an operator (defined in POPIA as any person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the authority of the responsible party), the operator must notify the responsible party immediately.
The obligation to notify the responsible party arises as soon as the operator has reasonable grounds to believe that the personal information of a data subject (which the responsible party is responsible for protecting) has been either accessed or acquired by an unauthorised person.
POPIA requires that the operator notifies the responsible party of the security compromise immediately. Once the responsible party has been notified, it has a duty to report the security compromise to the affected data subjects and to the Information Regulator in the same manner as we have discussed above.
In conclusion, the notification and reporting of data breaches is a crucial obligation under POPIA. Failing to notify the Information Regulator and affected data subjects of a security compromise as soon as reasonably possible after the compromise has been discovered amounts to non-compliance with the provisions of POPIA, which could lead to fines or penalties being imposed by the Information Regulator.
Depending on the nature and severity of the security compromise experienced, organisations may also need technical IT assistance to identify the full extent of the security compromise and to put effective measures in place to mitigate the effects of the compromise as quickly as possible. Public relations assistance may also be required where the notification to affected data subjects is extensive and needs to be managed from a public relations perspective, and legal assistance may be required to guide the organisation through the reporting process. It is therefore important for organisations to plan ahead and be ready to respond to security compromises. This is achieved by putting an effective data breach response plan in place. A well-developed data breach response plan will assist in ensuring that, should a security compromise arise, the organisation is well placed to respond to it quickly, effectively and in compliance with the requirements of POPIA.
Article written by Natasha Jansen, Data Privacy and Corporate Commercial Attorney, for Tuffias Sandberg