IconAppraisers and Valuers
IconAssociations and Institutes
IconBBBEE Consulting and Verification Agencies
IconConsumer Protection
IconCorporate Governance
IconCredit Bureaus
IconDefensive Driver Training
IconEmergency Medical Rescue
IconForensic Investigation Services
IconInsurance Brokers - Alphabetical Listing
IconInsurance Brokers by Type of Product or Service Needed
IconInsurance Companies
IconInsurance Consultants
IconLightning Damage & Surge Protection Specialists
IconOnline Quotes and Cover
IconPremium Financing
IconPublic Loss Adjustors
IconRating Agencies
IconRegulatory Authorities
IconRisk Finance
IconRisk Management
IconRisk Surveyors
IconSalvage Operators
IconTelephone Quotes
IconVehicle Accident Management
IconVehicle and Household Risk Inspection Services
IconVehicle Tracking
IconWellness Programs
  Subscribe To »

The notification of data breaches in South Africa will soon be required by law






By Darryl Bernstein, partner in Baker McKenzie's Disputes and ITC Practice Groups in Johannesburg
According to the Gemalto Breach Level Index, released in March 2017, South Africa experienced nine reported security breaches in 2016. Across Africa, 45.2 million records were stolen in 2016, compared with 38.5 million in 2015. Africa had 17 data breaches in total, compared with six in 2015.
It was not the rise in security breaches that caused the most alarm, however. Gemalto noted in the survey that the delay in disclosing or identifying security breaches was the most concerning factor. In March 2017 Ster-Kinekor in South Africa announced that its website had been hacked a year prior, in 2016 exposing personal information in over 6-million accounts.
Legislation around data protection and privacy in South Africa is currently awaiting implementation. The Protection of Personal Information Act, 2013 (POPIA) was enacted in 2013. Once implemented, it is expected to change the way businesses approach the protection of customer and employee data and how they will have to report on data security breaches. POPIA seeks to bring South Africa in line with international data protection laws by regulating the processing of the information of natural and juristic persons and placing more onerous obligations on “responsible parties” that process such information. However, only certain sections of the Act have commenced. These sections relate specifically to the establishment of the Information Regulator, who was appointed in December 2016.
The enactment of the Act itself, largely based on similar EU data protection legislation, is the most significant development in the South African privacy landscape. The timeline for the commencement of the entire Act is, however, still unclear. Given the limited transitional period of one year provided for compliance, coupled with potentially severe penalties, businesses in South Africa have already commenced implementing initiatives to comply with the prescriptive principles under the Act.
The notification of security compromises is governed by POPIA, where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party will have to notify the Information Regulator, as well as the data subject, unless that person’s identify cannot be established.
The notification will have to be made as soon as reasonably possible after the discovery of the compromise, considering the needs of law enforcement or any measures necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system. The responsible party may only delay notification of the data subject if a public body responsible for the prevention, detection or investigation of offences or the Information Regulator determines it will impede a criminal investigation.
The notification must be in writing and must be communicated either via email or posted to the data subject’s last known address. The notification could also be placed in a prominent position on the website of the responsible party, published in the media; or as directed by the Information Regulator.
The notification must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise. This includes providing a description of the possible consequences of the data breach and how they will affect the data subject. It should also include a description of the measures taken by the responsible party intends to address the security breach, as well as a recommendation on what measures the data subject should take to mitigate the possible adverse effects of the breach. If known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information must also be divulged to the data subject.
In addition, the Information Regulator may direct a responsible party to publicise, in any manner specified, the fact of any compromise to the integrity or confidentiality of personal information, if the she has reasonable grounds to believe that such publicity would protect a data subject affected by the compromise.
An organisation that is involved in a data breach situation may also be subject to an administrative fine, penalty or sanction, or civil actions and/or class actions.
In addition, the revised Cybercrimes and Cybersecurity Bill, which was tabled in the South African National Assembly in February 2017 notes the further obligations of electronic communications service providers and financial institutions when they become aware that their computer systems have involved in a cyber security breach as defined by the Bill. They must, according to the Bill, report such offences to the South African Police Service and preserve any information which may be of assistance in the investigation. Non-compliance with the clause is a criminal offence.
Whether or not compulsory reporting of this nature is a good thing is certainly up for debate. One thing is certain however, in a world where security breaches are a matter of when, not if, the treatment and security of personal information ought to be a matter of top priority for all institutions.
Bernstein and his team recently contributed the South African chapter of the Baker McKenzie Global Privacy Handbook 2017 which outlines privacy and information protection legislation in 58 jurisdictions around the world. More information on the protection of personal information and the processes involved can be found in this guide.
Source: Baker McKenzie
« Back to previous page Print this page » |

Breaking News »

Reskilling Revolution Needed for the Millions of Jobs at Risk Due to Technological Disruption

A new report, Towards a Reskilling Revolution: A Future of Jobs for All, finds that, with 1. 4 million US jobs alone expected to disrupted by technology and other factors between now and 2026, of which 57% belong ...
Read More »


South Africa's new International Arbitration Act commenced in December 2017

By Rebecca Browning, Associate, Dispute Resolution Practice Baker McKenzie Johannesburg The South African International Arbitration Act No. 15 of 2017 sailed through the National Council of Provinces in November ...
Read More »


Watercraft owners advised to manage their risks this summer

          Lynda Brown, Regional Manager: Kwa-Zulu Natal at MUA             With summer in full swing, many South ...
Read More »


Software in Africa: 4 enterprise trends to expect in 2018

By Pieter Bensch Executive Vice President, Africa & Middle East: Sage   Don’t be distracted by cool gadgets. The real technology innovation is happening in software architecture. African ...
Read More »


More News »


Healthcare »


Investment »


Life »


Retirement »

Advertise Here

From The Glossary »


Time value of money:

The idea that a rand today is worth more than a rand in the future, because the rand received today can earn interest up until the time the future rand is received.
More Definitions »

By using this website you agree to the Terms of Use.
Copyright © Stoker Risk & ICT (Pty) Ltd 2004 - 2018.
All Rights Reserved.





Contact IG


Media Pack


RSS Feeds