Reproduced by Sabinet Online in terms of Government Printer’s Copyright Authority No. 10505 dated 02 February 1998

No. 37067

GOVERNMENT GAZETTE, 26 November 2013

Act No. 4 of 2013

Protection of Personal Information Act, 2013

Information processed by operator or person acting under authority
20. An operator or anyone processing personal information on behalf of a responsible
party or an operator, must—
(a) process such information only with the knowledge or authorisation of the
responsible party; and
(b) treat personal information which comes to their knowledge as confidential and
must not disclose it,
unless required by law or in the course of the proper performance of their duties.

Security measures regarding information processed by operator
21. (1) A responsible party must, in terms of a written contract between the
responsible party and the operator, ensure that the operator which processes personal
information for the responsible party establishes and maintains the security measures
referred to in section 19.
(2) The operator must notify the responsible party immediately where there are
reasonable grounds to believe that the personal information of a data subject has been
accessed or acquired by any unauthorised person.

Notification of security compromises
22. (1) Where there are reasonable grounds to believe that the personal information of
a data subject has been accessed or acquired by any unauthorised person, the responsible
party must notify—
(a) the Regulator; and
(b) subject to subsection (3), the data subject, unless the identity of such data
subject cannot be established.
(2) The notification referred to in subsection (1) must be made as soon as reasonably
possible after the discovery of the compromise, taking into account the legitimate needs
of law enforcement or any measures reasonably necessary to determine the scope of the
compromise and to restore the integrity of the responsible party’s information system.
(3) The responsible party may only delay notification of the data subject if a public
body responsible for the prevention, detection or investigation of offences or the
Regulator determines that notification will impede a criminal investigation by the public
body concerned.
(4) The notification to a data subject referred to in subsection (1) must be in writing
and communicated to the data subject in at least one of the following ways:
(a) Mailed to the data subject’s last known physical or postal address;
(b) sent by e-mail to the data subject’s last known e-mail address;
(c) placed in a prominent position on the website of the responsible party;
(d) published in the news media; or
(e) as may be directed by the Regulator.
(5) The notification referred to in subsection (1) must provide sufficient information
to allow the data subject to take protective measures against the potential consequences
of the compromise, including—
(a) a description of the possible consequences of the security compromise;
(b) a description of the measures that the responsible party intends to take or has
taken to address the security compromise;
(c) a recommendation with regard to the measures to be taken by the data subject
to mitigate the possible adverse effects of the security compromise; and
(d) if known to the responsible party, the identity of the unauthorised person who
may have accessed or acquired the personal information.
(6) The Regulator may direct a responsible party to publicise, in any manner
specified, the fact of any compromise to the integrity or confidentiality of personal
