Notifying the Information Regulator

The Protection of Personal Information Act (POPIA) imposes important obligations on Organisations in the event of a data breach involving personal information of a data subject.

Section 22 of POPIA (which should be easy to remember in 2022) compels Organisations to notify the Information Regulator if the Organisation has reasonable grounds to be believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.

Notifying the Information Regulator

POPIA provides that the Information Regulator must be notified as soon as reasonably possible after the discovery of the compromise, taking into account permissible factors. POPIA does not define the phrase accessed or acquired by any unauthorised person, but is clear that the obligation kicks in even if the personal information of one data subject has been accessed by an unauthorised person. This could, for example, include the theft of a cellphone containing the personal information of one of the Organisation’s data subjects.

The Information Regulator recently published the prescribed form (FORM SCN1: Notification of a Security Compromise) that must be completed and submitted in the event of a compromise. The notification includes:

a) The type of security compromise;
b) A description of the incident;
c) The number of data subjects affected;
d) The method of notification to affected data subjects; and
e) The measures the organisation has or intend to take to address the security compromise and the protect personal information from further unauthorised access or use.

The Information Regulator also published Guidelines to complete the notification form.

Notifying the Data Subject

The Organisation must also notify the data subject in writing and must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, including:

a) a description of the possible consequences of the security compromise;
b) recommended measures the data subject can take to mitigate the potential negative effects of the security compromise; and
c) the identity of the unauthorised person who may have accessed or acquired the personal information, if known to the organisation.

Organisations should ensure that all board members, staff members, volunteers and independent contractors are aware of the obligation to report security compromises and what steps must be taken to minimise the negative effects of such an incident. The Organisation, in turn, must ensure that the obligations under section 22 are complied with.

Important Note: The information contained in this article is general in nature and should not be interpreted or relied upon as legal advice. The information may not be applicable to specific circumstances. Professional assistance should be obtained before acting on any of the information provided in this article.

Source: NPO Legal Issues August , Vol 60 Special 2

Ricardo Wyngaard | The NPO Lawyer

The NPO Lawyer | Ricardo Wyngaard Attorneys

Ricardo Wyngaard is passionate about the non-profit sector and has been focusing on non-profit law since 1999. He is a lawyer by profession who has obtained his LLB degree at the University of the Western Cape in South Africa and his LLM degree at the University of Illinois in the USA. He has authored a number of articles and booklets on non-profit law and governance.

Related articles


POPIA and fundraising
Ricardo Wyngaard | The NPO Lawyer
The word ‘donation’ is contained once within the Protection of Personal Information Act (POPIA). This will likely change the fundraising game for NPOs in South Africa. Section 1 of POPIA defines ‘...
Can we leave our unused trust dormant?
Nicole Copley | NGO Law
The functioning of the various Masters of the High Court being what they are (and the comparative speed and ease of use of CIPC being markedly better) we are quite often asked by clients who have d...
[Watch] Should the Executive Director have a vote on the Board?
Ricardo Wyngaard | The NPO Lawyer
Should the Executive Director have a vote on the Governing Board? In this video we discuss some issues to consider.


© All rights reserved. 

About | Contact

Hashtag Nonprofit NPC is a registered nonprofit company: NPC 2022/647320/08

Back to Top