Not sure how to report a data breach? South Africa’s Information Regulator publishes guidance

In a welcome development on Friday, 12 August 2022, the Information Regulator published a notification template and guidance to facilitate the reporting of security compromises in terms of section 22 of the Protection of Personal Information Act (POPIA).

The new reporting form is effective immediately. In this article, we discuss what a section 22 notification entails, and how this new guidance affects reporting in compliance with POPIA.

Section 22 of POPIA – A quick recap

Responsible parties are required to notify both data subjects and the Information Regulator as soon as there are reasonable grounds to believe that an unauthorised party has unlawfully accessed or acquired personal information. This is referred to as a ‘data breach’ or a ‘security compromise’, which the Information Regulator is empowered to investigate.

The Information Regulator has published two documents aimed at streamlining the process of notification:

1. A standard form template titled “Form SCN1 – Security Compromises Notification” ​ (SCN1 form); and
2. An accompanying guidance document titled “Guidelines: completing section 22 security compromise notification form” (Guidelines).

How does this development impact reporting under POPIA?  

Previously, there was no official guidance on the reporting of security compromises to the Information Regulator. This meant there was little uniformity in approach when responsible parties and their representatives notified the Regulator of a security compromise.

The SCN1 template is a fillable online form which requires specific information to be reported, including:

1. The date of the incident and an explanation for any delay in reporting the incident to the Regulator;
2. Whether the security compromise is “confirmed” or “alleged”;
3. The type of incident (e.g. loss, damage, destruction and/or unlawful access or processing of personal information);
4. The categories of personal information potentially compromised;
5. The number of data subjects impacted and the method of communication used to notify any affected data subjects.

Responsible parties and their information officers must sign and declare that the notification is true, accurate and correct.

The accompanying Guidelines are helpful in explaining the forms and how organisations should go about completing them.

The process to be followed when reporting a security compromise is as follows:

1. Responsible parties must use the SCN1 form to report an actual or potential security compromise as soon as reasonably possible. The Guidelines states that information officers, or their deputy information officers, must use this form. Failure to do so may result in the notification being non-compliant.
2. The Information Regulator will notify the responsible party that it has received the notification and assign a reference number.
3. The Information Regulator will use the information obtained via the SCN1 form to investigate the security compromise.

Key takeaways

• The Information Regulator is taking a tougher stance on mandatory reporting of potential or actual security compromises. The form should be completed carefully once a security compromise is identified as being reportable, and updated in the course of the incident, if necessary, as more information comes to light.
• In response to several recent widely-reported security compromises and data breaches, the Information Regulator has issued statements recording dissatisfaction with the reporting of security compromises.
• Whilst this clearer guidance from the Regulator and a specific reporting template is welcome, we expect that non-compliance may attract enforcement action, especially with the investigation capacity recently created by the formation of the Enforcement Committee.
• Non-compliance with section 22 is recognised as an interference with the protection of personal information under section 73 of POPIA. This may trigger regulatory intervention and investigation by the Regulator.
• Responsible parties should consider the level of information required to complete the prescribed SCN1 form in conjunction with their operators, to ensure that the information received by responsible parties from operators in terms of section 21(2) of POPIA is sufficient to comply with section 22 of POPIA.

Clyde & Co’s Cyber team specialises in all aspects of cyber risk, data protection, insurance and claims. Our end-to-end One cyber solution is designed to boost cyber resilience and is built around pre-incident planning, effective incident response and post-incident recovery.

Our Corporate and Regulatory team has extensive experience advising responsible parties and operators on suitable terms for inclusion in agreements, and in advising more broadly on compliance with South Africa’s data privacy legislation.

Please reach out to our team should you require advice on how and when to undertake reporting of a security compromise in compliance with POPIA.