POPIA Data Breaches

The Protection of Personal Information Act 4 of 2013 (“POPIA”) deals with security compromises and provides guidance on when and how to report them. It also provides some guidance on what constitutes a security compromise. Given the broad definition, there are many situations that will constitute a security compromise.

Section 22 of POPIA states that where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by an unauthorised person, the Responsible Party must report this to the Information Regulator and to the data subject. POPIA does not define exactly what constitutes a security compromise; section 22 therefore appears wide enough to cover both a malicious hacker breaking into company systems to steal information and innocent acts of negligence or mistake, such as an employee of a business inadvertently sending personal information to an unauthorised third party. In other words, section 22(1) of POPIA envisions a situation where a person lacking official permission acquires, or is given the opportunity to see or use, another person’s personal information.

Both kinds of act fall within the meaning of a data breach in the South African context, as each involves a person lacking official permission gaining access to, or being given the opportunity to see or use, another person’s personal information.

As a natural consequence, organisations have no choice but to manage these risks by, inter alia, implementing appropriate, reasonable technical and organisational measures to secure the integrity and confidentiality of the personal information in their possession. Furthermore, when – and not if – a security compromise occurs, organisations must understand their obligation to notify the Information Regulator and affected data subjects of that compromise in line with section 22 of POPIA.

Organisations need to understand their notification obligations to the Information Regulator, in the first instance, and affected data subjects, in the second instance, in the event of there being reasonable grounds to believe that personal information of a data subject has been accessed or acquired by an unauthorised person.

Therefore, to the extent that the threshold of reasonable grounds is satisfied, the Information Regulator and affected data subjects must be notified. This is an absolute, non-negotiable requirement. Furthermore, POPIA prescribes that notifications to affected data subjects must be in writing and may be made by any of the following means:

  • physical mail to the data subject’s last known physical or postal address;
  • email to the data subject’s email address;
  • placing a notice in a prominent position on the website of the organisation;
  • publishing a notice in the news media; or
  • as may be directed by the Information Regulator.


Considering the above, organisations should take steps to plan, prepare and safeguard themselves against potential security compromises and cyber attacks, especially given the notion that it is not “if”, but “when”, a security compromise will occur. In this way, organisations will be able to manage such risk effectively and foster customer trust and confidence, which are foundational pillars of success for any organisation.[5]