-
Quick Access
-
POPIA
-
-
-
- Section 26 Prohibition on processing of special personal information
- Section 27 General authorisation concerning special personal information
- Section 28 Authorisation concerning data subject’s religious or philosophical beliefs
- Section 29 Authorisation concerning data subject’s race or ethnic origin
- Section 30 Authorisation concerning data subject’s trade union membership
- Section 31 Authorisation concerning data subject’s political persuasion
- Section 32 Authorisation concerning data subject’s health or sex life
- Section 33 Authorisation concerning data subject’s criminal behaviour or biometric information
-
-
-
- Section 39 Establishment of Information Regulator
- Section 40 Powers, duties and functions of Regulator
- Section 41 Appointment, term of office and removal of members of Regulator
- Section 42 Vacancies
- Section 43 Powers, duties and functions of Chairperson and other members
- Section 44 Regulator to have regard to certain matters
- Section 45 Conflict of interest
- Section 46 Remuneration, allowances, benefits and privileges of members
- Section 47 Staff
- Section 48 Powers, duties and functions of chief executive officer
- Section 49 Committees of Regulator
- Section 50 Establishment of Enforcement Committee
- Section 51 Meetings of Regulator
- Section 52 Funds
- Section 53 Protection of Regulator
- Section 54 Duty of confidentiality
- Show all articles ( 1 ) Collapse Articles
-
-
- Section 60 Issuing of codes of conduct
- Section 61 Process for issuing codes of conduct
- Section 62 Notification, availability and commencement of code of conduct
- Section 63 Procedure for dealing with complaints
- Section 64 Amendment and revocation of codes of conduct
- Section 65 Guidelines about codes of conduct
- Section 66 Register of approved codes of conduct
- Section 67 Review of operation of approved code of conduct
- Section 68 Effect of failure to comply with code of conduct
-
- Section 73 Interference with protection of personal information of data subject
- Section 74 Complaints
- Section 75 Mode of complaints to Regulator
- Section 76 Action on receipt of complaint
- Section 77 Regulator may decide to take no action on complaint
- Section 78 Referral of complaint to regulatory body
- Section 79 Pre-investigation proceedings of Regulator
- Section 80 Settlement of complaints
- Section 81 Investigation proceedings of Regulator
- Section 82 Issue of warrants
- Section 83 Requirements for issuing of warrant
- Section 84 Execution of warrants
- Section 85 Matters exempt from search and seizure
- Section 86 Communication between legal adviser and client exempt
- Section 87 Objection to search and seizure
- Section 88 Return of warrants
- Section 89 Assessment
- Section 90 Information notice
- Section 91 Parties to be informed of result of assessment
- Section 92 Matters referred to Enforcement Committee
- Section 93 Functions of Enforcement Committee
- Section 94 Parties to be informed of developments during and result of investigation
- Section 95 Enforcement notice
- Section 96 Cancellation of enforcement notice
- Section 97 Right of appeal
- Section 98 Consideration of appeal
- Section 99 Civil remedies
- Show all articles ( 12 ) Collapse Articles
-
- Section 100 Obstruction of Regulator
- Section 101 Breach of confidentiality
- Section 102 Obstruction of execution of warrant
- Section 103 Failure to comply with enforcement or information notices
- Section 104 Offences by witnesses
- Section 105 Unlawful acts by responsible party in connection with account number
- Section 106 Unlawful acts by third parties in connection with account number
- Section 107 Penalties
- Section 108 Magistrate’s Court jurisdiction to impose penalties
- Section 109 Administrative fines
-
PAIA
-
Print
Section 22 Notification of security compromises
- Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify—
- the Regulator; and
- subject to subsection (3), the data subject, unless the identity of such data subject cannot be established.
- The notification referred to in subsection (1) must be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system.
- The responsible party may only delay notification of the data subject if a public body responsible for the prevention, detection or investigation of offences or the Regulator determines that notification will impede a criminal investigation by the public body concerned.
- The notification to a data subject referred to in subsection (1) must be in writing and communicated to the data subject in at least one of the following ways:
- Mailed to the data subject’s last known physical or postal address;
- sent by e-mail to the data subject’s last known e-mail address;
- placed in a prominent position on the website of the responsible party;
- published in the news media; or
- as may be directed by the Regulator.
- The notification referred to in subsection (1) must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, including—
- a description of the possible consequences of the security compromise;
- a description of the measures that the responsible party intends to take or has taken to address the security compromise;
- a recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
- if known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information.
- The Regulator may direct a responsible party to publicise, in any manner specified, the fact of any compromise to the integrity or confidentiality of personal information, if the Regulator has reasonable grounds to believe that such publicity would protect a data subject who may be affected by the compromise.