Mar 13, 2022

The Important Steps To Be Taken By A Responsible Party When A Data Breach Has Occurred.

An essential aspect of complying with the Protection of Personal Information Act 4 of 2013 (hereinafter “the Act”) is informing Data Subjects of security compromises, commonly referred to as data breaches. The importance of this obligation is amplified in the digital era, where companies store most of their data on digital platforms and thereby expose themselves to possible data breaches.

In terms of Section 22 of the Act, a responsible party (any public or private body, or any other person, that determines the purpose and means of processing personal information within South Africa, whether on paper or electronically) must, where there are reasonable grounds to believe that the personal information of a Data Subject has been accessed or acquired by an unauthorised person, notify both the Information Regulator and the affected Data Subject. This notification must be provided in writing as soon as reasonably possible after the compromise is discovered, taking into account the legitimate needs of law enforcement and any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system.

The notification must be communicated to the Data Subject in at least one of the following ways:

  • Mailed to the Data Subject’s last known physical or postal address;
  • Sent by email to the Data Subject’s last known email address;
  • Placed in a prominent position on the website of the responsible party;
  • Published in the news media; or
  • As directed by the Regulator.

The notification must furthermore provide sufficient information to allow the Data Subject to take protective measures against the potential consequences of the compromise, including:

  • A description of the possible consequences of the security compromise;
  • A description of the measures the responsible party intends to take, or has taken, to address the security compromise;
  • A recommendation regarding the measures to be taken by the Data Subject to mitigate the possible adverse effects of the security compromise; and
  • If known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information.

Practically, this means that the responsible party must, at a minimum, inform the Data Subject that a data breach has occurred and explain its possible consequences. Such a notice carries reputational risk, particularly where the Information Regulator or the circumstances require it to be published in a very public forum (for example on the responsible party’s website or in the news media). It is therefore important that the notice be drafted and communicated in a way that satisfies the requirements of the Act without unnecessarily damaging the responsible party’s reputation.

We are often tasked with assisting our clients with the notification procedures described above. We do our best to ensure that our clients receive the correct advice when dealing with such data breaches, so that they suffer as little reputational damage as possible in the circumstances.

Should you require more information or assistance regarding the protection of personal information, don’t hesitate to get in touch with your SEESA Consumer Protection & POPI legal advisor. Alternatively, SMS the word “SEESA” to 45776 and we will contact you.

About the Author

Jano Fourie started his career at SEESA in 2011 and is currently a Consumer Protection & POPI Legal Advisor. He obtained his BA Law and LLB degrees from the University of Stellenbosch and also holds a Master’s Degree in Tax Law from Unisa.

Resources

  • Section 22 – The Protection of Personal Information Act 4 of 2013