IconAccounting & Tax
IconAppraisers & Valuers
IconArbitration Services
IconAssessors & Loss Adjusters
IconAssist and Lifestyle Benefits
IconAssociations & Institutes
IconBBBEE Consulting and Verification Agencies
IconBroker Acquisition Financing
IconBrokers for Brokers
IconBusiness Process Management
IconBusiness Process Outsourcing
IconCall Centre Outsourcing & Sales
IconCompany Secretarial Services
IconConsumer Protection
IconCorporate Governance
IconCredit Bureaus
IconDebit Order Collection Facilities
IconDefensive Driver Training
IconEducation and Training
IconEmergency Medical Rescue
IconFire, Storm, Flood Damage Specialists
IconHuman Resources
IconIndustrial Cleaners
IconInformation Technology and Software Partners
IconInsurance Companies
IconLightning Damage & Surge Protection Specialists
IconNiche Insurance Products
IconOutbound Sales
IconOutsourcing Companies
IconPolicy Administration
IconPremium Financing
IconPublic Loss Adjustors
IconRating Agencies
IconReference Books & Material
IconRegulatory Authorities
IconRisk Finance
IconRisk Management
IconRisk Surveyors
IconSalvage Operators
IconSpecialized Claims Investigations & Assessing
IconSurveys and Research
IconTraining Courses & Workshops
IconUnderwriting Managers
IconVehicle Accident Management
IconVehicle and Household Risk Inspection Services
IconVehicle Tracking
IconWellness Programs
IconWholesale Brokers
  Subscribe To »

The notification of data breaches in South Africa will soon be required by law






By Darryl Bernstein, partner in Baker McKenzie's Disputes and ITC Practice Groups in Johannesburg
According to the Gemalto Breach Level Index, released in March 2017, South Africa experienced nine reported security breaches in 2016. Across Africa, 45.2 million records were stolen in 2016, compared with 38.5 million in 2015. Africa had 17 data breaches in total, compared with six in 2015.
It was not the rise in security breaches that caused the most alarm, however. Gemalto noted in the survey that the delay in disclosing or identifying security breaches was the most concerning factor. In March 2017 Ster-Kinekor in South Africa announced that its website had been hacked a year prior, in 2016 exposing personal information in over 6-million accounts.
Legislation around data protection and privacy in South Africa is currently awaiting implementation. The Protection of Personal Information Act, 2013 (POPIA) was enacted in 2013. Once implemented, it is expected to change the way businesses approach the protection of customer and employee data and how they will have to report on data security breaches. POPIA seeks to bring South Africa in line with international data protection laws by regulating the processing of the information of natural and juristic persons and placing more onerous obligations on “responsible parties” that process such information. However, only certain sections of the Act have commenced. These sections relate specifically to the establishment of the Information Regulator, who was appointed in December 2016.
The enactment of the Act itself, largely based on similar EU data protection legislation, is the most significant development in the South African privacy landscape. The timeline for the commencement of the entire Act is, however, still unclear. Given the limited transitional period of one year provided for compliance, coupled with potentially severe penalties, businesses in South Africa have already commenced implementing initiatives to comply with the prescriptive principles under the Act.
The notification of security compromises is governed by POPIA, where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party will have to notify the Information Regulator, as well as the data subject, unless that person’s identify cannot be established.
The notification will have to be made as soon as reasonably possible after the discovery of the compromise, considering the needs of law enforcement or any measures necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system. The responsible party may only delay notification of the data subject if a public body responsible for the prevention, detection or investigation of offences or the Information Regulator determines it will impede a criminal investigation.
The notification must be in writing and must be communicated either via email or posted to the data subject’s last known address. The notification could also be placed in a prominent position on the website of the responsible party, published in the media; or as directed by the Information Regulator.
The notification must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise. This includes providing a description of the possible consequences of the data breach and how they will affect the data subject. It should also include a description of the measures taken by the responsible party intends to address the security breach, as well as a recommendation on what measures the data subject should take to mitigate the possible adverse effects of the breach. If known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information must also be divulged to the data subject.
In addition, the Information Regulator may direct a responsible party to publicise, in any manner specified, the fact of any compromise to the integrity or confidentiality of personal information, if the she has reasonable grounds to believe that such publicity would protect a data subject affected by the compromise.
An organisation that is involved in a data breach situation may also be subject to an administrative fine, penalty or sanction, or civil actions and/or class actions.
In addition, the revised Cybercrimes and Cybersecurity Bill, which was tabled in the South African National Assembly in February 2017 notes the further obligations of electronic communications service providers and financial institutions when they become aware that their computer systems have involved in a cyber security breach as defined by the Bill. They must, according to the Bill, report such offences to the South African Police Service and preserve any information which may be of assistance in the investigation. Non-compliance with the clause is a criminal offence.
Whether or not compulsory reporting of this nature is a good thing is certainly up for debate. One thing is certain however, in a world where security breaches are a matter of when, not if, the treatment and security of personal information ought to be a matter of top priority for all institutions.
Bernstein and his team recently contributed the South African chapter of the Baker McKenzie Global Privacy Handbook 2017 which outlines privacy and information protection legislation in 58 jurisdictions around the world. More information on the protection of personal information and the processes involved can be found in this guide.
Source: Baker McKenzie
« Back to previous page Print this page » |

Breaking News »

The client’s right to know

Last week, we reported on the Phoshera judgment by the FSB Appeal Board where it concurred with the view of the FAIS Ombud that the rejection of a claim was warranted on the basis that the vehicle did not comply ...
Read More »


Too many eggs in one basket?

“Catch-22 is any paradoxical, circular reasoning that catches its victim in its illogic and serves those who have made the law. ” One of the options in the Merriam-Webster dictionary reads: “A ...
Read More »


Use of WhatsApp violating data privacy laws without the consent of every address book contact? (Germany)

By Sven Jacobs (DE) and Thorben Schläfer Norton Rose Fulbright The use of WhatsApp without the declaration of consent from every person in the user’s address book directory is deemed to be inadmissible ...
Read More »


Aggregation of claims for related transactions (UK)

    Patrick Bracher, Director Norton Rose Fulbright South Africa Inc.     Where a policy aggregated claims for ‘similar acts or omissions in a series of ...
Read More »


More News »


Healthcare »


Investment »


Life »


Retirement »

Advertise Here

From The Glossary »


Sector allocation:

Investment of certain proportions of a portfolio in certain sectors.
More Definitions »

By using this website you agree to the Terms of Use.
Copyright © Stoker Risk & ICT (Pty) Ltd 2004 - 2017.
All Rights Reserved.





Contact IG


Media Pack


RSS Feeds