The Information Regulator published Guidelines on 12 August 2022 regarding security compromise notifications in terms of the Protection of Personal Information Act, 2013 (POPIA).
POPIA governs data breaches by ‘responsible parties’ who, alone or in conjunction with others, collect and process personal information for purposes and by means determined by them. They are under an obligation to ensure that the lawful conditions of processing personal information are complied with and that no security compromise occurs. This does not apply, for instance, to processing done for personal or household activities.
Under POPIA any unauthorised access or acquisition of personal information (of an individual or corporate entity) constitutes a security compromise that must be notified to the Regulator. Unlike other countries with data privacy laws, South Africa has no materiality threshold for notification to the Regulator and affected data subjects. This means that even a single incidence of unauthorised access (for example, copying the wrong person on an email containing private information) triggers notification obligations for the responsible party, even if there is no risk of harm to the data subject.
It was hoped therefore that the Regulator’s Guidelines would set a threshold so that only security compromises where there is a risk of harm to a data subject need be notified (as is the case under GDPR, in the UK or under Kenyan law as examples). The Guidelines however focus only on the requirements of the contents of the notification and provide a template that must be used for all notifications made after 12 August 2022.
Under Section 22 of POPIA, notification to both the Regulator and the affected data subject must be made as soon as reasonably possible after the responsible party becomes aware of the security compromise. Whilst POPIA does give responsible parties direction as to what must be contained in the notification to affected persons, POPIA and the Regulator had been silent on the contents of the notification to the Regulator itself, until now.
Here are seven things you need to know about these guidelines:
- The use of the form is effective immediately. Any failure to use the template will make a notification non-compliant. Responsible parties who already have template notifications to the Regulator in place need to update their data breach response plan to ensure that, in the event of a security compromise, they are using the most up-to-date forms. Given that it has been just over a year since POPIA has come into full effect, this is an ideal time for responsible parties to run a fire drill to check the effectiveness and readiness for data breach response plans and teams. If you don’t have a data breach response plan you need one – the Regulator will ask for it in its investigations.
- The Regulator will send an acknowledgement when they have received a notification, together with a reference number.
- Section 18 of POPIA requires responsible parties to notify data subjects about how they receive personal information, what they do with it and with whom they will share it, amongst other things. The Regulator has issued its own notice regarding its processing of the personal information it receives from responsible parties, including considering responses to security compromises and contacting responsible parties.
- The Regulator requires responsible parties to specify the date on which the security compromise occurred, the date on which the notification is being made, together with a reason for the delay, if any, in notifying the Regulator. This represents one of the most significant changes as responsible parties must provide a reasonable explanation as to why there has been any delay in notifying the Regulator. There is no guidance on what reasons for a delay would be acceptable, nor what constitutes a ‘reasonable time’ and these questions would need to be evaluated on a case-by-case basis.
- Responsible parties are required to specify the type of security compromise that has occurred, but there is no explanation of how to classify security compromises, leaving responsible parties to categorise them according to their own standards.
- The Regulator requires a more detailed notification, which must include:
  - The type of personal information which was unlawfully accessed;
  - The number of affected data subjects; and
  - The method of notification to affected data subjects.
- Information officers are required to sign a declaration that the contents of the notification are true, correct and accurate. Information officers are therefore under a duty to ensure that the notification does not mislead the Regulator as to the true nature of the security compromise. This last requirement creates significant challenges, especially when one is managing a global incident: the nature of these investigations is that the information unfolds as the investigation does. It is not usually possible at the beginning of an incident response to know with any certainty the nature of the personal information involved or the number of affected data subjects.
It is unfortunate that the Regulator has not taken this opportunity to provide more guidance to responsible parties and to limit the type of incidents to be reported to those that actually may impact data subjects negatively. Now that the Regulator has indicated its requirements for notifications, responsible parties will have less room to craft their own notifications and must adhere to these guidelines to avoid being found non-compliant and incurring administrative fines.