Information Regulator issues data breach notification guidelines and template

In order for responsible parties to comply with their notification obligations under section 22 of the Protection of Personal Information Act (POPIA), the Information Regulator (IR) has published a set of guidelines along with a prescribed notification template which is to be used when reporting a data breach to the IR. The template and guidelines can be found on the IR’s website.

26 Aug 2022 3 min read Technology & Communications Newsletter Article

At a glance

  • The notification template for data breaches includes specific information such as details of the responsible party, breach incident, compromised personal information, number of affected data subjects, and method of communication with data subjects.
  • Responsible parties and information officers are required to sign the notification form, declaring the accuracy and truthfulness of the information provided.
  • Determining whether a data breach is notifiable under Section 22 of POPIA depends on reasonable grounds to believe that unauthorized access or acquisition of personal information has occurred, with the terms "unauthorized" and "accessed or acquired" interpreted based on the circumstances of each breach incident. Non-compliance with notification obligations can lead to investigations and penalties.

Should personal information be compromised, such that the notification obligations under section 22 are triggered, the notification template provides for specific information to be furnished to the IR including:

  • Details of the responsible party and the Information Officer;
  • Details of the breach incident, including:
    • The date of the incident;
    • The date that the incident is reported to the IR; and
    • An explanation for any delay in reporting the incident to the IR (if applicable);
  • The type of security compromise (e.g. loss, damage, destruction and / or unlawful access or processing of personal information);
  • A description of the incident;
  • The type of personal information compromised;
  • The number of data subjects affected by the incident;
  • The method of communication used to notify the affected data subjects;
  • Status of the compromise (either confirmed or alleged); and
  • Whether the notification of the data breach to the affected data subjects provides sufficient information to the data subject to allow them to implement measures against the potential consequences of the data breach.

Additionally, the template requires responsible parties and information officers to sign the notification form making a declaration that the information presented in the notification is accurate and true.

The guidelines provide an explanation on the use of the notification template and a step-by-step process to be followed when completing and submitting the notification.

The critical question to consider is,would a data breach be notifiable under section 22 of POPIA, with this section providing for the standard to be applied in making this determination. The incident must have resulted in there being “reasonable grounds” for the responsible party to believe that personal information for which it is responsible was either accessed or acquired by an unauthorised person. These terms are not specifically defined under POPIA and therefore their ordinary meanings apply. Whether personal information was accessed or acquired by a person who is ‘unauthorised’ will depend on the specific facts and circumstances of each breach incident.

Data breaches can occur in many ways including unauthorised use of or access to personal information or due to accidental loss, hacking or theft. Data breaches can also occur either by physical or electronic means and includes many instances of negligence or erroneous data processing, such as where an employee accidentally forwards an email which contains personal information to unintended recipients outside of the organisation who should not receive such data. It would also include breaches which may occur outside of South Africa, but which involve personal information protected under POPIA.

It is also worth emphasising that if a data breach is notifiable under POPIA, then the responsible party is obliged to notify all affected data subjects in accordance with the requirements set out in section 22 of POPIA.

Non-compliance with section 22 is considered an “interference with the protection of personal information” under section 73 of POPIA. As a result, this may prompt an investigation by the IR and could ultimately attract penalties or administrative fines.

The information and material published on this website is provided for general purposes only and does not constitute legal advice. We make every effort to ensure that the content is updated regularly and to offer the most current and accurate information. Please consult one of our lawyers on any specific legal problem or matter. We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages. Please refer to our full terms and conditions. Copyright © 2024 Cliffe Dekker Hofmeyr. All rights reserved. For permission to reproduce an article or publication, please contact us cliffedekkerhofmeyr@cdhlegal.com.