Section 22 of the Protection of Personal Information Act (POPIA) deals with the reporting of security compromises.
Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by an unauthorised person, the responsible party must notify both the Information Regulator and the data subject so that the compromise can be investigated.
If a responsible party believes that there has been a data breach, it must report the breach using the online SCN1 form. Two documents govern this notification:
- A standard form template titled “Form SCN1 – Security Compromises Notification” (SCN1 form); and
- An accompanying guidance document titled “Guidelines: completing section 22 security compromise notification form” (Guidelines).
Responsible parties use the SCN1 form to report an actual or potential security compromise as soon as reasonably possible. The Guidelines state that information officers or deputy information officers must use this form. Failure to do so may result in the notification being non-compliant.
Responsible parties complete the online form by providing specific information, including:
- The date of the incident and an explanation for any delay in reporting the incident to the Regulator.
- Whether the security compromise is “confirmed” or “alleged”.
- The type of incident (e.g., loss, damage, destruction and/or unlawful access to or processing of personal information).
- The categories of personal information potentially compromised.
- The number of data subjects impacted and the method of communication used to notify any affected data subjects.
The Information Regulator will acknowledge receipt of the notification, assign a reference number, and investigate the security compromise.
Non-compliance with section 22 may trigger regulatory intervention and investigation by the Regulator.