Sep 18, 2022

Security Compromises As Required By Section 22 Of POPIA

If your company has experienced a security compromise, the information officer or deputy information officer will be required to complete a fillable PDF form available on the Regulator's website. Failure to use this form could render the notification non-compliant.

When you have experienced a security compromise, you must notify the Regulator as soon as reasonably possible using this notification form. The Regulator will then send an acknowledgement of the notification together with a reference number. The responsible party is responsible for notifying the Regulator of security compromises as required by Section 22 of the Protection of Personal Information Act (POPIA). It is then also your responsibility to notify the affected data subject/s, unless the identity of those data subjects cannot be established.

An operator, where applicable, must notify the responsible party immediately where there are reasonable grounds to believe that an unauthorised person has accessed the personal information of a data subject.

The personal information collected in this notification form is that of the responsible party, being the individual or entity that controls, manages or directs the organisation. The Regulator requires the responsible party's name and contact details, which it will handle in accordance with the provisions of POPIA.

This information is used to consider and respond to the responsible party's security compromise notification. The Regulator may also use it to contact the responsible party for further information.

Part A of the form requires the details of the responsible party. Part B requires the details of the information officer, unless they are the same as the responsible party. Part C requires the details of the security compromise in terms of Section 22 of POPIA, which include:

  • Notification to the data subjects: details of the security compromise must be provided to the affected data subjects so that they can take protective measures against any possible consequences;
  • The date of the incident and an explanation for any delay in reporting it to the Information Regulator;
  • A description of the incident; any additional information that the responsible party or information officer wishes to include may be provided in a separate annexure;
  • The type of security compromise, for example, loss, damage, destruction or unlawful processing of personal information;
  • The number of data subjects affected and the method of communication used to notify them (for example, post, e-mail, publication on a website or in the media);
  • A description of the measures that the responsible party intends to take or has taken to address the compromise;
  • A recommendation regarding the measures that data subjects should take to mitigate any possible adverse effects of the security compromise;
  • If known, the identity of the unauthorised person who may have accessed the personal information.

Part D allows for a complete description of the measures the responsible party intends to take, or has taken, to address the security compromise and to protect the personal information from any further unauthorised access. Part E is the declaration that the information provided is accurate, true and correct.

The Information Regulator will then use the information obtained from the form to investigate the security compromise.

Need assistance with security compromises? Contact your nearest SEESA Consumer Protection & POPI Legal Advisor. Alternatively, leave your contact details on our website, and a SEESA representative will contact you.

About The Author:

Sage Hardiman joined SEESA as a legal assistant in September 2021 and has since been promoted to Legal Advisor for Labour and Consumer Protection. She has completed her BCom Law degree and is currently completing her LLB.
