Section 22 Notification of security compromises

Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify—
1. the Regulator; and
2. subject to subsection (3), the data subject, unless the identity of such data subject cannot be established.
The notification referred to in subsection (1) must be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system.
The responsible party may only delay notification of the data subject if a public body responsible for the prevention, detection or investigation of offences or the Regulator determines that notification will impede a criminal investigation by the public body concerned.
The notification to a data subject referred to in subsection (1) must be in writing and communicated to the data subject in at least one of the following ways:
1. Mailed to the data subject’s last known physical or postal address;
2. sent by e-mail to the data subject’s last known e-mail address;
3. placed in a prominent position on the website of the responsible party;
4. published in the news media; or
5. as may be directed by the Regulator.
The notification referred to in subsection (1) must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, including—
1. a description of the possible consequences of the security compromise;
2. a description of the measures that the responsible party intends to take or has taken to address the security compromise;
3. a recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
4. if known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information.
The Regulator may direct a responsible party to publicise, in any manner specified, the fact of any compromise to the integrity or confidentiality of personal information, if the Regulator has reasonable grounds to believe that such publicity would protect a data subject who may be affected by the compromise.

Please follow and like us:

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Section 22 Notification of security compromises

Quick Access

POPIA

ACT Summary and Preamble

Chapter 1 Definitions and Purpose

Chapter 2 Application Provisions

Chapter 3 Conditions for Lawful Processing

Part A Processing of personal information in general

Condition 1 Accountability

Condition 2 Processing limitation

Condition 3 Purpose specification

Condition 4 Further processing limitation

Condition 5 Information quality

Condition 6 Openness

Condition 7 Security safeguards

Condition 8 Data subject participation

Part B Processing of special personal information

Part C Processing of personal information of children

Chapter 4 Exemption from Conditions for Processing of Personal Information

Chapter 5 Supervision

Part A Information Regulator

Part B Information Officer

Chapter 6 Prior Authorisation

Chapter 7 Codes of Conduct

Chapter 8 Rights of Data Subjects Regarding Direct Marketing by Means of Unsolicited Electronic Communications, Directories and Automated Decision Making

Chapter 9 Transborder Information Flows

Chapter 10 Enforcement

Chapter 11 Offences, Penalties and Administrative Fines

Chapter 12 General Provisions

PAIA

Part 1 | Introductory provisions

Chapter 1 | Definitions and interpretation

Section 1 Definitions

Section 2 Interpretation of Act

Chapter 2 | General application provisions

Section 3 Act applies to record whenever it came into existence

Section 4 Records held by official or independent contractor of public or private body

Section 5 Application of other legislation prohibiting or restricting disclosure

Section 6 Application of other legislation providing for access

Section 7 Act not applying to records requested for criminal or civil proceedings after commencement of proceedings

Section 8 Part applicable when performing functions as public or private body

Chapter 3 | General introductory provisions

Part 2 | Access to records of public bodies

Chapter 1 | Right of access, and specific application provisions

Section 11 Right of access to records of public bodies

Section 12 Act not applying to certain public bodies or officials thereof

Section 13 Body determined to be part of another public body

Chapter 2 | Publication and availability of certain [public] records

Section 14 Manual on functions of, and index of records held by, public body

Section 15 Voluntary disclosure and automatic availability of certain records

Section 16 Information in telephone directory

Chapter 3 | Manner of access [to public body records]

Part 3 | Access to records of private bodies

Chapter 1 | Right of access

Section 50 Right of access to records of private bodies

Chapter 2 | Publication and availability of certain [private] records

Section 51 Manual

Section 52 Voluntary disclosure and automatic availability of certain records

Section 52A Recording, preservation and disclosure of records on private funding of political parties

Chapter 3 | Manner of access [to private body records]

Part 4 | Appeals against decisions

Chapter 1 | Internal appeals against decisions of information officers of certain public bodies

Section 74 Right of internal appeal to relevant authority

Section 75 Manner of internal appeal, and appeal fees

Section 76 Notice to and representations by other interested parties

Section 77 Decision on internal appeal and notice thereof

Chapter 1A | Complaints to regulator

Section 77A Complaints

Section 77B Modes of complaints to Regulator

Section 77C Action on receipt of complaint

Section 77D Regulator may decide to take no action on complaint

Section 77E Pre-investigation proceedings of Regulator

Section 77F Settlement of complaints

Section 77G Investigation proceedings of Regulator

Section 77H Assessment

Section 77I Information Notice

Section 77J Enforcement Notice

Section 77K Non-compliance with Enforcement Notice

Chapter 2 | Applications to court

Part 5 | Information regulator