Last week the Information Regulator published a prescribed Security Compromise Notification Form (Form) in terms of section 22 of the Protection of Personal Information Act, 2013 (POPIA).
The Form was published with accompanying Guidelines on Completing the Form (Guidelines). The Guidelines indicate the process to be followed by responsible parties when notifying the Information Regulator of a security compromise and provide details on how the Form is to be completed.
According to the Guidelines, the Form is applicable with immediate effect and a failure to use it when notifying the Information Regulator of a security compromise 'may result in the notification being regarded as non-compliant'.
Section 22 of POPIA places an obligation on responsible parties to notify both the Information Regulator and the affected data subjects (i.e. individuals and/or corporate entities) of a security compromise, unless the identity of the data subjects cannot be established.
A security compromise for purposes of POPIA takes place where there are reasonable grounds to believe that the personal information of one or more data subjects has been accessed or acquired by an unauthorised person.
Unlike the General Data Protection Regulation, which does not require security compromises to be notified to the supervisory authority where there is unlikely to be any effect on the rights and freedoms of natural persons, POPIA appears to provide that security compromises of any nature (regardless of the harm or risk posed to the data subject) must, in principle, be notified to the Information Regulator and to the affected data subjects, if their identities are known.
Where a security compromise has taken place, responsible parties are now required to complete the Form and submit it to the Information Regulator via email at POPIACompliance@inforegulator.org.za.
The Form requires the responsible party to set out details of the security compromise, which include:
The notification to the Information Regulator must be made as soon as reasonably possible after the security compromise is discovered, considering the legitimate needs of law enforcement or any measures necessary to determine the scope of the security compromise and to restore the integrity of the applicable information system. Once the Form has been submitted, the Information Regulator will respond with an acknowledgment of the notification together with a reference number.
Whilst the Form and Guidelines appear to only apply in respect of the notification to the Information Regulator, it is important to bear in mind that a responsible party is also required to notify the affected data subjects of a security compromise, provided that their identities are known.
The notification to a data subject must be made in writing and communicated by way of, for example, email, physical mail, placing it in a prominent position on the website of the responsible party, or publishing it in the media. The Information Regulator may also direct the manner in which the notification must be communicated to the affected data subjects.
The notification must provide the affected data subjects with sufficient information to allow them to take protective measures against the potential consequences of the security compromise, including:
A copy of the Form and the Guidelines can be found here.
--
Read the original publication at Bowmans.