Personal Information Breach Policy

Table of contents

  1. Policy Context and Purpose…………………………………………………………………………………. 2
  2. Terms and Definitions…………………………………………………………………………………………. 2
  3. Scope and Applicability……………………………………………………………………………………….. 3
  4. Applicable Legislation and Regulations…………………………………………………………………. 3
  5. Policy Statement………………………………………………………………………………………………… 3
  6. Responsibilities…………………………………………………………………………………………………… 3
  7. Policy…………………………………………………………………………………………………………………. 4
  8. Policy Implementation………………………………………………………………………………………… 6
  9. Non-Compliance to the Policy……………………………………………………………………………… 6

1.    1. Policy Context and Purpose

1.1           The purpose of this policy is to provide a process to report suspected thefts involving data, data breaches or exposures (including unauthorised access, use, or disclosure) to appropriate individuals or juristic entities, and to outline the response to a confirmed theft, data breach or exposure based on the type of data involved.

1.2           This Policy lays out the general principles and actions for successfully managing the response to a data breach as well as fulfilling the obligations surrounding the notification to the Information Regulator and individuals or legal entities involved as required.

2.    2. Terms and Definitions

Term Definition
Personal information Information relating to an identifiable, living, natural person or an identifiable, existing juristic person:

a)     race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth;

b)     information relating to the education or the medical, financial, criminal or employment history;

c)     any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment;

d)     the biometric information;

e)     the personal opinions, views or preferences;

f)      correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;

g)     the views or opinions of another individual about the person; and

h)     the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
Special personal information Information relating to an identifiable, living, natural person:

a)     the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or

b)     the criminal behaviour of a data subject to the extent that such information relates to—

(i)     the alleged commission by a data subject of any offence; or

(ii)   any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.
Operator A person or organisation who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.
Personal Information Breach Personal Information breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data or Juristic information transmitted, stored or otherwise processed.

3.    3. Scope and Applicability

3.1           The scope of the Personal Information Breach Policy, includes the unauthorised disclosure, access, damage, loss, theft or destruction of personal information or Juristic information.

3.2           This Policy applies to:

3.2.1       Customers, employees, prospective employees and past employees;

3.2.2       Contractors, prospective contractors and past contractors;

3.2.3       Suppliers and services providers, including international organisations or other third parties with access to our company website’s information.

4.    4. Applicable Legislation and Regulations

4.1           The following legislation apply to this policy:

  1. Companies Act (Act No. 71 of 2008);
  2. Electronic Communications and Transactions Act (Act No. 25 of 2002);
  • Protection of Personal Information Act (Act No. 4 of 2013);
  1. Promotion of Access to Information (Act No. 2 of 2000).

5.    5. Policy Statement

5.1           This policy has been published to ensure our company website can meet its obligations for the prompt identification and accurate reporting of personal data breaches to the appropriate persons. A data breach may be identified in relation to a number of activities, including the loss or theft of personal data, unauthorised disclosure to a third party, or interference with security controls leaving data subjects’ and juristic entities personal data vulnerable to unauthorised access or compromise.

6.    6. Responsibilities

6.1           All employees/staff, contractors or temporary employees/staff and third parties working for or acting on behalf of our company website (Operators) must be aware of, and follow this Policy in the event of a personal information breach.

6.2           our company website will provide appropriate IT facilities and mechanisms to facilitate compliance with this policy.

6.3           All staff are responsible for handling information in accordance with this policy and complying with relevant legislation.

7.    7. Policy

7.1           In the event of a breach of personal information, the Information Officer will assemble a team of specialists, depending on the nature of the breach. The response team may be a physical (local) or virtual (multiple locations) team which responds to any suspected/ alleged personal data breach.

7.2           The Information Officer and the team must ensure that necessary readiness for a personal information breach response exists, along with the needed resources and preparation (required review of company policies, procedures and practices).

7.3           Once a personal data breach is reported to the  Information Officer, who will communicate to the response team, they must implement the following:

  1. Validate the personal information breach;
  2. Ensure impartial investigation (including forensic investigation, if necessary) is initiated, conducted, documented, and concluded;
  • Identify remediation measures and track resolution;
  1. Report findings to the our company website Manager.

7.4           When the personal information breach or suspected information breach affects personal data that is being processed on behalf of our company website by an Operator, the Information Officer of the company acting as an Operator must report any personal data breach to our company website without undue delay.

7.4.1       This report must include the following:

  1. A description of the nature of the breach;
  2. Categories of personal data affected;
  • Approximate number of data subjects affected;
  1. Name and contact details of the Operator’s Information Officer;
  2. Consequences of the personal data breach;
  3. Measures taken to address the personal data breach;
  • Any information relating to the data breach.

7.4.2       The Information Officer will record the personal information breach into a Breach Register.

7.5           When the personal data breach or suspected data breach affects personal data that is being processed by our company website, the following actions are performed by the Information Officer:

  1. Establishing together with the team whether the personal data breach should be reported to the Information Regulator.
  2. If the personal information breach is not likely to result in a risk to the rights and freedoms of the affected data subjects, no notification is required to the Information regulator. However, the data breach should be recorded into the Information Breach Register.
  • If there is a risk to rights and freedoms of the data subject then the information regulator must be notified.

7.6           The Information Officer will send Notifications to the Information Regulator and unless there is a criminal investigation, notify the data subject/s without delay. If there is a criminal investigation, the notification to the data subject may be delayed.   The regulator will be notified of the following:

  1. A description of the nature of the breach;
  2. Categories of personal data affected;
  • Approximate number of data subjects affected;
  1. Consequences of the personal information breach;
  2. Measures taken to address the personal data breach;
  3. Any information relating to the breach.

7.7           The communication to affected data subjects should be compiled using clear and accurate statements, and should include details of any mitigating controls (e.g. encryption of the data, and any recommendations for steps the data subjects can take for themselves (e.g. change passwords, notify banks, etc). The data subject will also be notified of:

  1. A description of the nature of the breach;
  2. Consequences of the personal information breach; and
  • Measures taken by our company website to address the personal data breach.

7.8           There are three instances when reporting personal information breaches to individual data subjects is not required:

  1. The data breach is unlikely to result in high risks to the data subjects’ rights and freedoms.
  2. Effective technical and/or organisational controls will provide effective protection for the breached data (e.g. it is fully encrypted).
  • When the scale of individual data subject reporting would require disproportionate efforts, in which case public statements/ media may be used.

7.9           Following a personal information breach, the  Information Officer and Response Team must review the incident and initiate action to prevent future personal information breaches. This includes:

  1. Containing the breach (short term correction);
  2. Investigating the root cause of the breach;
  • Implementing corrective action to prevent and safeguard against future breaches;
  1. Conducting audits/ inspections to ensure the prevention plan is correctly implemented;
  2. Updating security/response plan;
  3. Considering changes to policies and procedures; and
  • Revising staff training practises.

8.    8. Policy Implementation

8.1           The Information Officer is responsible for the implementation of the Policy by ensuring awareness among all customers, employees/staff, contractors or services providers of the possible conditions that may cause or result in breach of personal information is managed.

9.    9. Non-Compliance to the Policy

9.1           Any employee found to have violated this policy may be subjected to disciplinary action in line with the HR Policy.

9.2           A violation of any national law can also result in civil and criminal liability and will be referred to the appropriate legal authorities.

 

*** END OF DOCUMENT ***