The Protection of Personal Information Act No. 4 of 2013 (POPI) specifically refers to instances where personal information has been compromised.
Once the POPI Act came into effect, businesses have an obligation (in terms of Section 22 of the POPI Act) to notify the Regulator and the data subject once they believe, or are aware, that the personal information of a data subject has been compromised.
To avoid possible penalties, these notification(s) must be sent as soon as reasonably possible after discovery of the compromise, for example the loss of information and/or unauthorised access to a data subject’s personal information.
Notifying everyone affected
The business will have to notify the data subject in writing in one of the following ways:
- Mailed to the data subject’s last known physical or postal address.
- Sent by e-mail to the data subject’s last known e-mail address.
- Placed in a prominent position on the website of the business.
- Published in the news media.
- Any other way as directed by the Regulator.
What is clear from the above is that a verbal notification via telephone, or a quick meeting with the data subjects, will not be sufficient when a data breach takes place.
Information to include in notifications
The notification would have to include certain information, including the following:
- What personal information was breached.
- A description of the possible consequences of the personal information security breach.
- What the data subject could possibly do to minimise their risk due to the data breach, e.g. changing passwords.
- Where and how the data subjects can contact the business with queries or concerns regarding the data breach.
- What the responsible party or business is doing in order to mitigate the possible effects of the data breach.
- What the responsible party or business is doing to address the data breach and to avoid a similar situation in the future.
The purpose of the notification is to place the data subject in such a position that they will be able to protect themselves against possible adverse consequences of the data breach.
Preparation is key
It is of utmost importance that all responsible parties or business owners plan ahead and determine a plan of action, with policies and procedures, should disaster strike and a data breach of data subjects’ personal information take place. A committee may be established, which should meet regularly in order to discuss the current action plan and whether it covers all areas mentioned above.
The POPI Act forces all businesses to report and expose any and all personal information breaches, where in the past it could possibly have been swept under the rug with data subjects being none the wiser.
ABOUT THE AUTHOR
Stephanie Christensen holds BComm Law and LLB degrees. She was admitted as an Attorney of the High Court of South Africa in 2009. She has been with SEESA since 2009 and with SEESA Consumer Protection & POPI at the Cape Town office since February 2016 as a legal advisor.