The Protection of Personal Information Act (POPIA) imposes important obligations on Organisations in the event of a data breach involving personal information of a data subject.
Section 22 of POPIA (which should be easy to remember in 2022) compels Organisations to notify the Information Regulator if the Organisation has reasonable grounds to be believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.
Notifying the Information Regulator
POPIA provides that the Information Regulator must be notified as soon as reasonably possible after the discovery of the compromise, taking into account permissible factors. POPIA does not define the phrase accessed or acquired by any unauthorised person, but is clear that the obligation kicks in even if the personal information of one data subject has been accessed by an unauthorised person. This could, for example, include the theft of a cellphone containing the personal information of one of the Organisation’s data subjects.
The Information Regulator recently published the prescribed form (FORM SCN1: Notification of a Security Compromise) that must be completed and submitted in the event of a compromise. The notification includes:
a) The type of security compromise;
b) A description of the incident;
c) The number of data subjects affected;
d) The method of notification to affected data subjects; and
e) The measures the organisation has or intend to take to address the security compromise and the protect personal information from further unauthorised access or use.
The Information Regulator also published Guidelines to complete the notification form.
Notifying the Data Subject
The Organisation must also notify the data subject in writing and must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, including:
a) a description of the possible consequences of the security compromise;
b) recommended measures the data subject can take to mitigate the potential negative effects of the security compromise; and
c) the identity of the unauthorised person who may have accessed or acquired the personal information, if known to the organisation.
Organisations should ensure that all board members, staff members, volunteers and independent contractors are aware of the obligation to report security compromises and what steps must be taken to minimise the negative effects of such an incident. The Organisation, in turn, must ensure that the obligations under section 22 are complied with.
Important Note: The information contained in this article is general in nature and should not be interpreted or relied upon as legal advice. The information may not be applicable to specific circumstances. Professional assistance should be obtained before acting on any of the information provided in this article.
Source: NPO Legal Issues August , Vol 60 Special 2