The Protection of Personal Information Act 4 of 2013 (“POPIA”) requires all businesses to secure the integrity and confidentiality of personal information in their possession. It is important to remember that POPIA is in effect from 01 July 2020, with the exception of certain provisions coming into force on 30 June 2021, and that businesses have until 01 July 2021 to become POPIA compliant, before sanctions and penalties apply.
POPIA focusses on the processing of personal information, and sets new rules for regulating this. Since POPIA requires businesses to secure the integrity and confidentiality of personal information in their possession, a data breach does fall within the ambit of the legal framework established by POPIA and businesses have certain obligations in this regard.
POPIA does not define data breaches, but it is clear that a data breach has occurred when there are reasonable grounds to believe that any unauthorised person has accessed or acquired personal information under the control of a business, or if data has been intentionally or accidently lost, shared or destroyed. Data breaches may occur in different ways, including but not limited to hacking, theft, accidental loss and unauthorised use of personal information. Remember that a data breach can take place through either physical or electronic means. This means that the theft of a laptop containing potentially personal information of your clients, will constitute a data breach in terms of POPIA.
In the event that a data breach occurs, POPIA requires that businesses inform the Information Regulator, as well as the person or persons whose data has been compromised (“data subjects”) as soon as reasonably possible after the breach has been discovered. Businesses must also conduct their own investigations in order to determine the nature and scope of the breach and the potential impact thereof, as well as take steps to mitigate any adverse consequences.
This notification must be confirmed in writing and should contain sufficient information to allow data subjects to take protective measures against the potential adverse consequences flowing from the data breach. Such notification must include the possible consequences of the data breach, a description of the measures taken by the business (as the responsible party) or intends to take to address the data breach, recommendations for the measures which the data subject can take to mitigate possible effects of the data breach, and the identity of the person who gained unauthorised access (if known).
The notice must be communicated to the data subject concerned in any one of the following ways:
• By post to the last known physical or postal address of the data subject.
• By email to the last known e-mail address of the data subject.
• Placed in a prominent position on the website of the responsible party.
• Published in the news media.
• Communicated in any other manner as directed by the Information Regulator.
In your situation therefore, your business is required to consider its options to limit the potential adverse consequences of the breach. Should you be able to remotely wipe the laptop, or track such or enable encryption, such options should be considered.
You will also be required to inform all the data subjects whose data has been compromised (unless the identity if such data subjects cannot be established), as well as the Information Regulator, as soon as reasonably possible after you become aware of the data breach. The communication of information in the notice must be in accordance with the procedures as set out above.
If your business does not yet have a policy in place that deals with data breaches, it may be advisable to enlist the help of a POPIA or data security specialist to help you put in the place the correct processes and procedures to both protect and deal with any potential future data breaches.