Breach notification

The Protection of Personal Information Act introduces a duty on all responsible parties to notify the Information Regulator  of certain types of interferences with the protection of personal information of data subjects. These interferences are those related to confidentiality and integrity breaches of personal information

The Act requires responsible party to notify a confidentiality and integrity breach of personal information as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system. The responsible party may only delay notification of the data subject if a public body responsible for the prevention, detection or investigation of offences or the Regulator determines that notification will impede a criminal investigation by the public body concerned.

The notification must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, including—

  1. a description of the possible consequences of a security compromise;
  2. a description of the measures that the responsible party intends to take or has taken to address the security compromise;
  3. a recommendation regarding the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
  4. if known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information. Keep in mind there is an obligation to protect the personal information of this person and share it with the smallest number of people possible.

The POPIA platform automates the workflow of the breach notification process.