Notifying the Information Regulator

The Protection of Personal Information Act (POPIA) imposes important obligations on Organisations in the event of a data breach involving personal information of a data subject.

Section 22 of POPIA (which should be easy to remember in 2022) compels Organisations to notify the Information Regulator if the Organisation has reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.

Notifying the Information Regulator

POPIA provides that the Information Regulator must be notified as soon as reasonably possible after the discovery of the compromise, taking into account permissible factors. POPIA does not define the phrase "accessed or acquired by any unauthorised person", but is clear that the obligation kicks in even if the personal information of one data subject has been accessed by an unauthorised person. This could, for example, include the theft of a cellphone containing the personal information of one of the Organisation’s data subjects.

The Information Regulator recently published the prescribed form (FORM SCN1: Notification of a Security Compromise) that must be completed and submitted in the event of a compromise. The notification includes:

a) The type of security compromise;
b) A description of the incident;
c) The number of data subjects affected;
d) The method of notification to affected data subjects; and
e) The measures the organisation has taken or intends to take to address the security compromise and to protect personal information from further unauthorised access or use.

The Information Regulator also published Guidelines to complete the notification form.

Notifying the Data Subject

The Organisation must also notify the data subject in writing and must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, including:

a) a description of the possible consequences of the security compromise;
b) recommended measures the data subject can take to mitigate the potential negative effects of the security compromise; and
c) the identity of the unauthorised person who may have accessed or acquired the personal information, if known to the organisation.

Organisations should ensure that all board members, staff members, volunteers and independent contractors are aware of the obligation to report security compromises and what steps must be taken to minimise the negative effects of such an incident. The Organisation, in turn, must ensure that the obligations under section 22 are complied with.

Important Note: The information contained in this article is general in nature and should not be interpreted or relied upon as legal advice. The information may not be applicable to specific circumstances. Professional assistance should be obtained before acting on any of the information provided in this article.

Source: NPO Legal Issues August, Vol 60 Special 2

Ricardo Wyngaard | The NPO Lawyer

The NPO Lawyer | Ricardo Wyngaard Attorneys

Ricardo Wyngaard is passionate about the non-profit sector and has been focusing on non-profit law since 1999. He is a lawyer by profession who has obtained his LLB degree at the University of the Western Cape in South Africa and his LLM degree at the University of Illinois in the USA. He has authored a number of articles and booklets on non-profit law and governance.
