A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Local data protection regulations have required data controllers to report such breaches in certain circumstances.
In cases where there’s reason to believe that an employee’s (or other data subject’s) personal information has been accessed or acquired by someone without authorization, employers must notify South Africa’s Information Regulator (Protection of Personal Information Act, 2013 (POPIA), Sec. 22(1)). Impacted individuals must also be informed as soon as reasonably possible unless the identity of the individual whose information has been compromised can’t be established.
Notification to impacted individuals may be legitimately delayed if required by law enforcement, a public body, or the Information Regulator conducting a criminal investigation. Employees whose personal data has been compromised must be notified in writing through:
The notice must include information to allow the individual to take measures to protect themselves against the risks associated with the breach, including: