South Africa: Information Regulator publishes guidelines for security compromise notifications
On 12 August 2022, the Information Regulator (“Regulator”) published the requisite form, together with guidelines, for security compromise notifications. This is in line with section 22 of the Protection of Personal Information Act 4 of 2013 (“POPIA”), which stipulates that where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party bears the onus of notifying the Regulator as soon as reasonably possible after becoming aware of the possible security compromise. The security compromise must also be communicated to the affected data subjects in writing and with sufficient information to enable them to take proactive measures in response.
The newly published form and guidelines are intended to assist information officers and deputy information officers. The form requires details of the responsible party, the information officer, and specific information on the security compromise, including:
- the method of notification to implicated data subjects;
- the date of the security compromise and the date on which the Information Regulator was notified;
- an explanation for the delay in notifying the Regulator, if applicable;
- the type of security compromise;
- a description of the incident;
- the type of personal information that was compromised;
- the number of data subjects affected by the compromise; and
- a description of the possible consequences of compromise.
According to the form, a security compromise may be categorised as one of the following:
- loss of personal information,
- damage to personal information,
- the unauthorised destruction of personal information,
- unlawful access to personal information, or
- the unlawful processing of personal information.
The form can be accessed here.
The guidelines can be accessed here.