The form has been issued in terms of section 22 of the Protection of Personal Information Act, and is part of the process businesses must follow when notifying the regulator of a security compromise.
“A security compromise for purposes of POPIA takes place where there are reasonable grounds to believe that the personal information of one or more data subjects has been accessed or acquired by an unauthorised person,” the firm said.

The date of the security compromise and the date on which the incident is being reported to the Information Regulator;
The type of personal information that was unlawfully accessed;
A description of the possible consequences of the security compromise and the measures that the responsible party intends to take or has taken to address the security compromise;
“Once the form has been submitted, the Information Regulator will respond with an acknowledgement of the notification together with a reference number.”

While the form and guidelines appear to only apply in respect of the notification to the Information Regulator, a responsible party is also required to notify the affected data subjects of a security compromise, provided that their identities are known, Bowmans said.