The new form every business in South Africa needs to know about
South Africa’s Information Regulator has published a new form that every business must complete when notifying it of a security compromise (a data breach).
The form has been issued in terms of section 22 of the Protection of Personal Information Act (POPIA), and is part of the process businesses must follow when notifying the regulator of a security compromise.
According to the regulator’s guidelines, the form is applicable with immediate effect and a failure to use it when notifying the regulator of a security compromise may result in the notification being regarded as non-compliant.
Legal experts at law firm Bowmans said that section 22 of POPIA places an obligation on responsible parties to notify both the Information Regulator and the affected data subjects (people and companies) of a security compromise, unless the identity of the data subjects cannot be established.
“A security compromise for purposes of POPIA takes place where there are reasonable grounds to believe that the personal information of one or more data subjects has been accessed or acquired by an unauthorised person,” the firm said.
Unlike the General Data Protection Regulation, which does not require security compromises to be notified to the supervisory authority where there is unlikely to be any effect on the rights and freedoms of natural persons, POPIA appears to provide that security compromises of any nature, regardless of the harm or risk posed to the data subject, must in principle be notified to the Information Regulator and to the affected data subjects, if their identities are known, Bowmans said.
Where a security compromise has taken place, responsible parties are now required to complete the Form and submit it to the Information Regulator via email at [email protected].
The Form requires the responsible party to set out details of the security compromise, which include:
- The date of the security compromise and the date on which the incident is being reported to the Information Regulator;
- The type of security compromise;
- A description of the incident;
- The type of personal information that was unlawfully accessed (i.e. special personal information, personal information of children, unique identifiers or other personal information);
- The number of affected data subjects and the method of notification to the affected data subjects;
- A description of the possible consequences of the security compromise and the measures that the responsible party intends to take or has taken to address the security compromise;
- A recommendation with regards to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise;
- If known, the identity of the unauthorised person who may have accessed or acquired the personal information; and
- Whether the status of the compromise is confirmed or alleged.
“The notification to the Information Regulator must be made as soon as reasonably possible after the security compromise is discovered, considering the legitimate needs of law enforcement or any measures necessary to determine the scope of the security compromise and to restore the integrity of the applicable information system,” Bowmans said.
“Once the form has been submitted, the Information Regulator will respond with an acknowledgement of the notification together with a reference number.”
Victims
While the form and guidelines appear to only apply in respect of the notification to the Information Regulator, a responsible party is also required to notify the affected data subjects of a security compromise, provided that their identities are known, Bowmans said.
“The notification to a data subject must be made in writing and communicated by way of, for example, email, physical mail, placing it in a prominent position on the website of the responsible party, or publishing it in the media.
“The Information Regulator may also direct the manner in which the notification must be communicated to the affected data subjects,” the firm said.
The notification must provide the affected data subjects with sufficient information to allow them to take protective measures against the potential consequences of the security compromise, including:
- A description of the possible consequences of the security compromise;
- A description of the measures that the responsible party intends to take or has taken to address the security compromise;
- A recommendation of the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
- If known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information.
A copy of the form is embedded below. The full guidelines can be found on the Information Regulator’s website.
- By Nadine Mather, partner specialising in data protection and employment law at Bowmans