Source: https://inforegulator.org.za (Empowered to monitor and enforce compliance by public and private bodies.)

FACT SHEET: HANDLING OF SECURITY COMPROMISES
https://inforegulator.org.za/2025/08/19/fact-sheet-handling-of-security-compromises/
Tue, 19 Aug 2025 09:48:16 +0000

Fact Sheet: Handling Of Security Compromises

What is a security compromise?

POPIA does not define a security compromise. In brief, a security compromise, also known as a data breach in other jurisdictions, is a compromise in the security, confidentiality, integrity or availability of personal information, leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, processing or access to personal information. This can lead to harm being suffered by data subjects.

What are some examples of security compromises?

Security compromises can occur in a variety of ways, viz.

  • Accidentally – viz. sending an email containing personal information of a data subject to an unintended recipient, losing paperwork or devices which contain unprotected personal information;
  • Deliberately – viz. cyber-security attacks, employee fraud or mischief;
  • Incidentally – viz. theft, rioting, hijacking where personal information is not the target of the activity;
  • Negligently – viz. failing to use appropriate technical and organisational measures to secure personal information such as not using encryption, sharing passwords, leaving personal information unattended.

Do I have to report low risk security compromises?

Yes. POPIA does not set a threshold for the reporting of security compromises. All security compromises must be reported by the responsible party irrespective of the deemed level of risk. The reporting requirement is mandatory. Responsible parties do not have discretion regarding when or whether to report a security compromise, nor in respect of notifying affected data subjects.

Who should report a security compromise?

The Information Officer or Deputy Information Officer of a responsible party should report the security compromise to both the Information Regulator and to the data subject(s). If a security compromise occurs at an operator of the responsible party, then the operator must notify the responsible party, who in turn must notify the Information Regulator and the data subject(s). However, should a data subject wish to report a security compromise, a complaint should be lodged on a Form 5 and directed to the Information Regulator’s (Regulator’s) Complaints & Investigations sub-division.

What is considered a reasonable time within which to report a security compromise?

The responsible party should notify the Regulator and the data subject(s) as soon as it is reasonably sure that a security compromise has occurred. The security compromise does not have to be confirmed before it is reported. Reporting a security compromise as soon as reasonably possible is designed to place the data subject(s) in a position to mitigate against the potential or actual harm that might ensue, as soon as possible.

While some delay is allowed for in terms of dealing with law enforcement or stabilising systems, an investigation into a security compromise does not need to be completed before it is reported. If there has been a delay, the responsible party will need to indicate what the reason was for the delay.

What should I do if a security compromise occurs?

  • Identify the security compromise.
  • Notify the Information Officer and/or any Deputy Information Officers.
  • Take all necessary measures to mitigate the impact of the security compromise.
  • The Information Officer and/or any Deputy Information Officers must notify the data subject(s) in writing of the security compromise. This can be by way of a letter, email, notification in the media or on the responsible party’s website, or any other manner determined by the Regulator.
  • Notify the Regulator by logging the notification via the eServices portal on our website.
  • If you are an operator, you must immediately notify the responsible party of the security compromise.
  • Review your technical and organisational measures to ensure that any weaknesses are addressed.

What if I do not have all the information at hand when notifying the security compromise?

It is advisable to report the security compromise as soon as reasonably practicable based on the information at hand, and then to update the notification as further information comes to light.

What should I write in my notification to the data subject?

The responsible party will need to let the data subject(s) know what has occurred and when, what it plans to do to mitigate against the security compromise, what advice it has for the data subject and, where known, who the personal information was exposed to or accessed by. The purpose of notifying them of the identity of the unauthorised person is to place the data subject in a position to guard against any negative impact from the unlawful access to their personal information.

How long should a notice of a security compromise remain on our website?

The determination of how long such notice should remain on your website depends on how likely it is that data subjects will see such notification in the time made available, based on factors such as how often data subjects are likely to visit your website. Thirty to ninety days is a general rule of thumb.


The Information Regulator’s portal for submitting PAIA Annual Reports will soon be open.
https://inforegulator.org.za/2025/03/18/the-information-regulator-to-brief-the-media-on-developments-in-high-level-paia-cases-non-compliance-by-public-bodies-and-progress-on-popia-matters-2/
Tue, 18 Mar 2025 08:13:42 +0000

In terms of section 32 of PAIA, the Information Officer (IO) of every public body must annually submit to the Regulator a report in respect of access to information requests received and processed by the public body. Furthermore, in accordance with section 83(4) of PAIA, the Heads of Private Bodies (HPBs) or Deputy Information Officers (DIOs) are hereby requested to submit to the Regulator their Annual Reports about requests for access to records received and processed by the private body.

As part of our efforts to facilitate seamless compliance with PAIA, the Regulator has developed an online submission platform for Annual Reports in terms of sections 32 and 83(4) of PAIA. This functionality is available under the eServices portal at https://eservices.inforegulator.org.za.

The portal for submission of access to information Annual Reports will be accessible from 01 April 2025, and the submission period will close on 30 June 2025. Please note that you will not be able to submit the Annual Report unless the IO, HPB, and DIOs are registered with the Regulator. Step-by-step guides on how to register and submit the Annual Reports are available on the eServices portal and the Regulator’s website. If you are unable to log in to the portal or require assistance, please contact the technical support team at [email protected] or (010) 023 5200.

Timeline for the 2024/25 PAIA Annual Reporting

  • April 1, 2025: The submission portal for PAIA Annual Reports opens.
  • June 30, 2025: Deadline for submission of PAIA Annual Reports.

Preparation Checklist

  1. Register the Accounting Officer: Ensure that your Information Officers, Heads of Private Bodies, and Deputy Information Officers are registered with the Regulator.
    • Example: Verify that all officers have completed the registration process on the eServices portal.
  2. Gather necessary information: Collect all information regarding access to information requests received and processed during the reporting period.
  3. Review submission guidelines: Familiarise yourself with the step-by-step guides available.
  4. Test portal access: Log in to the eServices portal in advance to ensure you can access the submission platform without issues.
    • Example: Attempt to log in and navigate the portal to confirm your access.
  5. Prepare early: Start preparing your report early to avoid last-minute technical issues or information discrepancies.
    • Example: Gather all necessary documentation well before the submission deadline.

Common reporting mistakes to avoid

  • Incomplete information: Ensure all sections of the report are fully completed with accurate information.
  • Late submission: Submit your report well before the deadline to avoid any last-minute technical issues.
  • Incorrect registration: Verify that all officers are correctly registered with the Regulator before attempting to submit the report.
  • Ignoring guidelines: Follow the submission guidelines closely to ensure your report meets all requirements.
  • Lack of review: Double-check your report for any errors or omissions before submission.

Importance of Registration and Reporting

Registration and timely reporting are crucial for ensuring compliance with PAIA. By registering your officers and submitting accurate Annual Reports, you help maintain transparency and accountability in the management of access to information requests. This not only fulfills legal obligations but also promotes trust and confidence in your organisation’s commitment to upholding the principles of PAIA.

For any general enquiries relating to the requirement for compliance with sections 32 and 83(4) of PAIA, kindly contact Ms. Sewela Seshoeni at [email protected], Senior Compliance and Monitoring Officer. You can also contact the Acting Executive responsible for Promotion of Access to Information, Adv. Makhwedi Makgopa-Madisa at [email protected].

International Data Privacy Day
https://inforegulator.org.za/2024/02/02/international-data-privacy-day/
Fri, 02 Feb 2024 08:00:42 +0000

Addressing issues of Mis- and Disinformation during the election period in commemoration of International Data Privacy Day.

Joining other Data Privacy Authorities and data protection civil organisations throughout the globe, the Regulator observed International Data Privacy Day 2024 with a focus on empowering data subjects about data protection and engaging responsible parties on the importance of compliance with data privacy laws.

The Regulator organised a series of events to create momentum around International Data Privacy Day and spread awareness of the Protection of Personal Information Act (POPIA). The centre of discussion was an interesting topic: tackling and addressing the phenomenon of Mis- and Disinformation during the election period.

As we officially close Data Protection week, we reflect on the milestones we have achieved from the webinars, public activation, media interaction to training sessions.

A webinar focusing on Misinformation and Disinformation during the election period

A webinar was held on 29 January 2024 in partnership with Media Monitoring Africa (MMA) and the Independent Electoral Commission (IEC) which held robust discussions to come up with potential solutions to address the issue of Misinformation and Disinformation and the need for political parties to process personal information lawfully during the election period.

Misinformation and disinformation undermine the free flow of credible and reliable information. With technological advancements and heightened use of Artificial Intelligence, misinformation and disinformation thrive, and personal information is easily altered to perpetuate false information, which is quickly distributed on digital and social platforms.

The Regulator, as a custodian of information rights, has expressed grave concerns about the growth of misinformation and disinformation, particularly during the election period. It has the potential to greatly interfere with the rights to privacy and access to information. The Regulator has joined hands with other institutions to tackle the pandemic in a collaborative manner.

Chairperson’s Address to the National Party Liaison Committee

During a stakeholder engagement, the Information Regulator’s Chairperson, Adv. Pansy Tlakula, addressed the National Party Liaison Committee, stressing the need for political parties to safeguard personal information, and also to be party to finding solutions for tackling the issue of misinformation and disinformation during the election period.

To ensure compliance with POPIA, she agreed on the need for multi-sector collaboration in educating the public and eliminating the spread of misleading information during elections. She also urged political parties to adhere to the Guidance Note on Processing Personal Information of Voters during the election period, which the Regulator developed.

Empowering Government Officials

The Regulator also facilitated a training session on POPIA at the Mpumalanga Premier’s office, training all Information Officers of the entire Mpumalanga Provincial Government administration.

The training session unpacked the conditions for lawful processing of personal information and outlined the POPIA Regulations which Information Officers must adhere to in order to ensure compliance with the Act in their respective departments. The session was rich with discussion that left the participants better skilled in safeguarding the personal information they process.

POPIA Public Awareness

A POPIA public awareness activation was held to educate members of the public in Ekurhuleni, on the East Rand of Gauteng province, on the importance of playing their part in the protection of their personal information and exercising their right to privacy. The public was encouraged to utilise the services of the Information Regulator and to lodge complaints should they feel their human right has been violated.