A data breach happens when personal information for which your organisation is responsible suffers a security incident resulting in a breach of confidentiality, availability or integrity, such as where personal information is lost, destroyed, corrupted or illegitimately disclosed. This includes, for example, situations where someone accesses personal data or passes it on without proper authorisation, or where personal data is rendered unavailable through encryption by ransomware or through accidental loss or destruction.

Some personal data breaches – for example, misaddressed letters and emails – can disclose personal data to third parties who had no intention or expectation of receiving it. Unintended recipients of emails, documents or files may decide to retain these for their own purposes and malicious people may threaten to disclose data or use it in unlawful ways.

You may also come into accidental possession of personal data to which you have no right. In such an instance you should take immediate steps to identify the rightful responsible party and remedy the breach in a way that involves the minimum of intrusion or exposure.

You must keep a record of all data breaches.

As part of your compliance framework, you should ensure you have robust breach detection, investigation and internal reporting procedures in place. You need to know how to recognise a breach and assess the potential damage. A breach can have a range of adverse effects, including emotional distress and physical, material and financial damage.

Some breaches will only result in a possible inconvenience to those who need the information to do their job, but a breach can also have significant repercussions for persons whose data has been compromised. You will have to assess this on a case-by-case basis.

It is critical that you have a response plan to address a data breach. Sufficient resources should be allocated to managing the breach in order to limit the damage as much as possible.

Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, you are required to notify:

  • the Information Regulator;
  • the responsible party (where you are an operator);
  • the data subject, unless the identity of the data subject cannot be established; and
  • any other party to whom you are contractually obliged to disclose the breach.

The method of notifying the Information Regulator has not been specified. The notification must be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement and any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of your organisation's information system.

Notification of the data subject may only be delayed if the Information Regulator or a law enforcement body determines that notifying the data subject will impede a criminal investigation.

Non-compliance with the obligation to notify is a breach of POPI and may lead to a fine, imprisonment or both.