SOUTH AFRICA: INFORMATION REGULATOR PUBLISHES A NEW PRESCRIBED FORM TO BE USED IN THE EVENT OF A SECURITY COMPROMISE
Last week the Information Regulator published a prescribed Security Compromise Notification Form (Form) in terms of section 22 of the Protection of Personal Information Act, 2013 (POPIA).
The Form was published with accompanying Guidelines on Completing the Form (Guidelines). The Guidelines indicate the process to be followed by responsible parties when notifying the Information Regulator of a security compromise and provide details on how the Form is to be completed.
According to the Guidelines, the Form is applicable with immediate effect and a failure to use it when notifying the Information Regulator of a security compromise ‘may result in the notification being regarded as non-compliant’.
What is a security compromise?
Section 22 of POPIA obliges responsible parties to notify a security compromise to both the Information Regulator and the affected data subjects (i.e. individuals and/or corporate entities), unless the identity of the data subjects cannot be established.
A security compromise for purposes of POPIA takes place where there are reasonable grounds to believe that the personal information of one or more data subjects has been accessed or acquired by an unauthorised person.
The General Data Protection Regulation does not require a breach to be notified to the supervisory authority where it is unlikely to result in a risk to the rights and freedoms of natural persons. POPIA contains no such threshold: it appears to require that security compromises of any nature (regardless of the harm or risk posed to the data subject) must, in principle, be notified to the Information Regulator and, if their identities are known, to the affected data subjects.
Notification to the Information Regulator
Where a security compromise has taken place, responsible parties are now required to complete the Form and submit it to the Information Regulator via email at POPIACompliance@inforegulator.org.za.
The Form requires the responsible party to set out details of the security compromise, which include:
- the date of the security compromise and the date on which the incident is being reported to the Information Regulator;
- the type of security compromise;
- a description of the incident;
- the type of personal information that was unlawfully accessed (i.e. special personal information, personal information of children, unique identifiers or other personal information);
- the number of affected data subjects and the method of notification to the affected data subjects;
- a description of the possible consequences of the security compromise and the measures that the responsible party intends to take or has taken to address the security compromise;
- a recommendation regarding the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise;
- if known, the identity of the unauthorised person who may have accessed or acquired the personal information; and
- whether the status of the compromise is confirmed or alleged.
The notification to the Information Regulator must be made as soon as reasonably possible after the security compromise is discovered, considering the legitimate needs of law enforcement or any measures necessary to determine the scope of the security compromise and to restore the integrity of the applicable information system. Once the Form has been submitted, the Information Regulator will respond with an acknowledgment of the notification together with a reference number.
Notification to data subjects
Whilst the Form and Guidelines appear to only apply in respect of the notification to the Information Regulator, it is important to bear in mind that a responsible party is also required to notify the affected data subjects of a security compromise, provided that their identities are known.
The notification to a data subject must be made in writing and communicated by way of, for example, email, physical mail, a prominent notice on the responsible party's website, or publication in the media. The Information Regulator may also direct the manner in which the notification must be communicated to the affected data subjects.
The notification must provide the affected data subjects with sufficient information to allow them to take protective measures against the potential consequences of the security compromise, including:
- a description of the possible consequences of the security compromise;
- a description of the measures that the responsible party intends to take or has taken to address the security compromise;
- a recommendation of the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
- if known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information.
A copy of the Form and the Guidelines can be found here.