The Information Regulator (IR) has published a notification form, and accompanying guidelines, for reporting actual or potential security compromises, so that responsible parties can comply with their obligations in terms of section 22 of the Protection of Personal Information Act (Popia).
Responsible parties are required to notify both data subjects (unless their identities cannot be established) and the IR as soon as there are reasonable grounds to believe that an unauthorised party has unlawfully accessed or acquired personal information – in other words, a data breach or a security compromise.
The notification form (Form SCN1) and the “Guidelines: completing section 22 security compromise notification form” can be downloaded from https://inforegulator.org.za > Popia > Forms.
The IR will use the information obtained via the SCN1 form to investigate the security compromise.
A responsible party must use the SCN1 form to notify the IR of a data breach as soon as possible after the security compromise occurs, unless a public body responsible for the prevention, detection or investigation of offences, or the IR, determines that notification will impede a criminal investigation.
The reason for any delay in notifying the data subjects must be included in the SCN1 form.
The guidelines state that information officers or deputy information officers must use the form, and a failure to do so may result in the notification being regarded as non-compliant.
The information that must reported using the SCN1 form includes:
- The date of the incident and an explanation for any delay in reporting the incident to the IR;
- Whether the security compromise is “confirmed” or “alleged”;
- The type of incident (for example, loss, damage, destruction and/or unlawful access or processing of personal information);
- The categories of personal information potentially compromised; and
- The number of data subjects affected, and the method of communication used to notify them.
Responsible parties and their information officers must sign and declare that the notification is true, accurate and correct.
Law firm Clyde & Co made the following comments about the publication of the form and the guidelines:
- The IR is taking a tougher stance on mandatory reporting of potential or actual security compromises. The form should be completed carefully once a security compromise is identified as being reportable, and it should be updated in the course of the incident, if necessary, as more information comes to light.
- In response to several recent widely reported data breaches, the regulator has issued statements recording its dissatisfaction with the reporting of security compromises.
- Clyde & Co expects that non-compliance may attract enforcement action, particularly with the investigation capacity recently created by the formation of the Enforcement Committee.
- Non-compliance with section 22 is recognised as an interference with the protection of personal information under section 73. This may trigger regulatory intervention and investigation by the IR.
- Responsible parties should consider the level of information required to complete the SCN1 form in conjunction with their operators, to ensure that the information received by responsible parties from operators in terms of section 21(2) is sufficient to comply with section 22.
Read: Information Regulator establishes Enforcement Committee