Is every data compromise notifiable under the Protection of Personal Information Act?
In South Africa, the Protection of Personal Information Act 4 of 2013 (“POPIA”) regulates the protection of personal data. In particular, Section 22 of POPIA requires your organisation to notify the relevant authorities and affected individuals “as soon as reasonably possible” after the discovery of a compromise of personal data ‘processed’ by your organisation. On the face of it, this notification obligation appears reasonable. However, one will notice that the scope of what constitutes a ‘compromise’ under POPIA is particularly broad.
WHAT IS A ‘COMPROMISE’ OR ‘DATA BREACH’?
A data breach is any incident which gives rise to a risk of unauthorised disclosure, loss, destruction or alteration of data held by your organisation (as the Responsible Party) in any format. Typical incidents include:
(1) disclosure of data to unauthorised individuals (e.g. emails containing confidential, Personal or Sensitive Information sent in error to the wrong recipient);
(2) loss or theft of items or equipment on which data is stored (e.g. lost mobile phones and laptops); or
(3) records altered or deleted without authorisation.
WHAT IS NOTIFIABLE UNDER THE GDPR?
The GDPR (applicable to the European Union) applies a risk-based approach to notification. Put simply, only those data breaches likely to result in a risk to the rights and freedoms of the affected individuals are notifiable to the Information Regulator whereas breaches likely to result in a high risk are notifiable to the Regulator as well as the affected individuals.
This means that risk is used as a trigger for notification.
WHAT IS NOTIFIABLE UNDER POPIA?
In contrast to the GDPR, if consideration is given to the plain and ordinary meaning of the language itself, almost every compromise is notifiable to the Regulator and affected individuals under POPIA.
Section 22 of POPIA provides:
“22. (1) Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify:
(a) the Regulator; and
(b) subject to subsection (3), the data subject, unless the identity of such data subject cannot be established.
(2) The notification referred to in subsection (1) must be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system.
(3) The responsible party may only delay notification of the data subject if a public body responsible for the prevention, detection or investigation of offences or the Regulator determines that notification will impede a criminal investigation…”
Risk is not identified as a trigger for notification, so potentially even those compromises that pose a low risk or no risk to the organisation and to the rights of affected individuals must be notified. The consideration of the “legitimate needs of law enforcement” might be wide enough to read in a risk-based approach; however, this consideration seems to apply specifically to the time period within which notification must take place, rather than to the scope of the compromises requiring notification. Unfortunately, the final draft regulations issued under POPIA also remain unhelpful in clarifying the scope of the notification obligation.
Therefore, POPIA appears to be silent on the GDPR’s risk-based approach. At the same time, it seems impractical to notify the SA Regulator of, and thereby overburden it with, ‘low or no risk’ compromises.
Granted, the GDPR authorities have issued a formal guideline on the notification obligation; however, one could make the following submission in circumstances where the SA Regulator fails to do so timeously.
(See GDPR Guidelines on personal data breach notification)
If consideration is given to the language of Section 22 of POPIA, read in context and having regard to the purpose of the provision and the background to the preparation of POPIA, it may be plausible that following a risk-based approach similar to that currently prescribed by the GDPR Guidelines could suffice for compliance under POPIA, at least until any formal guidelines are set by the SA Regulator.
*POPI has recently been declared operational with the commencement date being proclaimed by the President of the Republic of South Africa.
**The information contained in this article is provided for informational purposes only, and should not be construed as legal advice on any subject matter. You should not act or refrain from acting on the basis of any content included in this article without seeking legal or other professional advice.