Updated POPIA compliance: data breach reporting must be online


As of 1 April, South African organisations must report any breaches of personal information via the Information Regulator’s online eServices portal, rather than by email.

This change, introduced by the Regulator, is part of an effort to streamline how security compromises are reported and improve its oversight of incidents affecting personal data.

Section 22(1) of the Protection of Personal Information Act (POPIA) stipulates that when there are reasonable grounds to believe a data subject’s personal information has been accessed or acquired by an unauthorised party, the responsible organisation must inform both the Information Regulator and the affected individual – unless the individual cannot be identified.

Over the past year, a number of data breaches reported in the media have highlighted how widespread such incidents have become, affecting public and private sector organisations. These cases also demonstrate why accurate and timeous reporting is important – not only to meet legal obligations, but also to help affected individuals take steps to protect themselves.

In February 2024, the Companies and Intellectual Property Commission (CIPC) confirmed a security breach that resulted in unauthorised access to personal information of clients and employees. The data exposed included names, addresses, and possibly credit card details. The CIPC advised clients to change their passwords and monitor financial activity as a precaution.


In March this year, real estate firm Pam Golding Properties reported a cyber incident involving unauthorised access to its customer relationship management system. Although financial data was not compromised, client contact details were exposed. According to BusinessDay, the company notified affected clients, informed the Regulator, and initiated an investigation with the South African Police Service.

Incidents such as these highlight the importance of transparency in responding to data breaches. When individuals are informed promptly, they can take practical steps – such as resetting passwords or alerting their banks – to reduce the risk of misuse.

The new Security Compromises Reporting functionality is now live on the eServices portal at https://eservices.inforegulator.org.za.

The Information Regulator has also made step-by-step guides available to help organisations register their Information Officers and submit reports correctly.

Organisations are encouraged to familiarise themselves with the updated reporting process and ensure that those responsible for compliance are registered on the eServices portal.

For queries related to the reporting process or POPIA compliance, the Regulator’s officials can be contacted directly.

Dirk Aspeling, senior security compromise officer: legal, can be reached at DAspeling@inforegulator.org.za, and Joy Alexander, senior manager for security compromise, at JAlexander@inforegulator.org.za.

Technical assistance is available via the helpdesk at helpdesk@inforegulator.org.za or by calling 010 023 5200.
