Recent developments relevant to data protection issues offer some guidance for businesses, including in the event of data breaches and M&A transactions.
It has been 10 months since the commencement of the Protection of Personal Information Act, 2013 (POPIA). We have taken stock of recent data protection developments and have set out some key learnings to guide you in your POPIA compliance journey.
The matric results debacle - the parameters of compliance when publishing personal information.
At the start of 2022, the Department of Basic Education (DBE) decided not to publish the 2021 matric results on public platforms, as it has traditionally done at the start of each year. The Information Regulator issued a statement following this decision, in which it said that the DBE "has a duty to ensure that matriculants receive their results", but that this must be done in a manner which complies with POPIA. The Information Regulator emphasised the following (non-exhaustive) requirements in her statement:
There should be an agreement between the DBE and the platform publishing the results, including a specific requirement for the platform to safeguard the matriculants' personal information.
The DBE must inform matriculants of (i) the intention to publish their personal information; and (ii) their right to object.
If a matriculant (or an adult on their behalf) objects to their personal information being processed, the DBE and dissemination platform must delete it
One matriculant challenged the DBE's decision in the High Court, seeking an order compelling the DBE to publish her results on public platforms. This learner stated that the results could be published without reflecting the learners' names and surnames. The court granted the order as the matter was unopposed, but did not provide any reasons for its decision.
The matter emphasises that the right to privacy must be balanced with the right to access information. This relationship can be complicated, and many factors need to be considered in assessing each particular set of circumstances to strike the right balance. Future judgments should provide further guidance on this dynamic.
Learnings from the TransUnion data breach
In March 2022, credit bureau TransUnion announced that it had suffered a data breach. The Information Regulator has expressed its views regarding the handling of this data breach, indicating that the notification by TransUnion was
"inadequate, unsatisfactory and falls short of what is required" by POPIA. The Information Regulator's concerns centred around the lack of detail provided to the Information Regulator, indicating that less is not always more when demonstrating to the Information Regulator that a data breach has been managed appropriately.
There are three important takeaways from the Information Regulator's statement on this data breach:
What does the Information Regulator say?
Why does this matter?
Notifying data subjects
|Detailed information must be provided to affected data subjects, as early as possible, to enable them to take the necessary steps against the wrongful use of their personal information.
Notification must be made on multiple platforms (e.g. all radio stations, newspapers and social media platforms).
Notification must be made in all official languages.
|An organisation may incur significant direct costs to ensure widespread notification.
The reputational consequences will be significant.
Security used for safeguarding personal information
|The Information Regulator stated that, due to the severity and extent of the data breach, as well as the content of the notification, it will conduct an independent assessment of the suitability of TransUnion's security measures. ||You should give careful consideration to the methods used to secure personal information. If you do experience a data breach, you will need to satisfy the Information Regulator that you took reasonable and appropriate measures to secure personal information. You will need to explain these measures in your notification to the Information Regulator.
If these measures are not satisfactory, the assessment conducted by the Information Regulator could result in an enforcement notice being issued. Failure to comply with an enforcement notice is an offence.
Data breaches which are cybercrimes ||The Information Regulator expressed "grave concern" that TransUnion's data breach could result in personal information being used for "further malicious actions".
The Information Regulator therefore asked TransUnion to satisfy it that a criminal case has been opened with the police, and if not, to explain the reason for the delay in doing so.
|If the data breach is classified as a cybercrime, as defined in the Cybercrimes Act, 2020, certain reporting obligations will arise under that Act, in addition to POPIA, once the relevant provisions become effective in the Cybercrimes Act.
Organisations must be mindful of when and how to report.
M&A and POPIA
Every business processes personal information about its employees, customers, suppliers, contractors and other stakeholders. A particularly vexing question is how to comply with POPIA when selling a business to a third party. This question must be considered at each stage of the transaction, including post-transaction, when systems are being integrated.
Companies often grapple with determining whether employee consent is needed to transfer employee personal information to an acquirer. If the acquirer is located outside South Africa, the seller must consider how to lawfully transfer personal information to the offshore acquiring party, given POPIA's specific requirements. The Information Regulator has not yet provided a guidance note on this particular issue. In the interim, overseas guidance may prove useful, including the Data Sharing Code of Practice published by the Information Commissioner’s Office (ICO) in the UK.
Ensuring POPIA compliance during an M&A transaction may require some upfront planning, and we recommend involving a privacy lawyer at an early stage of the transaction to avoid falling foul of any regulatory requirements.
We include some links to guidance notes published by the Information Regulator:
Our team of expert privacy lawyers are available to help you with any POPIA related issues. We have some unique offerings to assist you on your POPIA compliance journey, including an
online alert tool to guide you with a data breach and a POPIA startup kit for those businesses that need to kickstart their POPIA journey. Please contact
Karl Blom or
Christof Pienaar for assistance.