Accidental data leaks are still PoPIA violations

The Central Johannesburg Tvet College (the College) was placed under administration to address governance failures, including undisclosed criminal records and conflicts of interest among staff. As part of this process, employees' personal information was collected to verify their academic qualifications and criminal records. This was done by a service provider preparing personal credential verification reports.
Image source: weerapat kiatdumrong –
Image source: weerapat kiatdumrong – 123RF.com

The Central Johannesburg Tvet College (the College) was placed under administration to address governance failures, including undisclosed criminal records and conflicts of interest among staff.

As part of this process, employees' personal information was collected to verify their academic qualifications and criminal records. This was done by a service provider preparing personal credential verification reports.

The acting-chief financial officer erroneously included the complainants’ verification reports in a folder of finance policies, which was then emailed to unauthorised employees. The email was recalled and a follow-up was sent alerting staff to the error.

An investigation was launched and corrective action was taken against staff who forwarded the document. Last month, South Africa’s Information Regulator served an enforcement notice on the Central Johannesburg Tvet College.

Setting the precedent

The enforcement notice sets a significant precedent that even accidental, purely internal disclosures of personal information to unauthorised parties constitute a "security compromise" under the Protection of Personal Information Act 4 of 2013 (PoPIA), triggering formal breach notification obligations.

The Information Regulator identified three categories of PoPIA violations:
i. The College had failed to register an information officer or designate deputy information officers, breaching POPIA's accountability condition.
ii. Distribution of the verification reports to staff uninvolved in the governance restoration exercise, constituted further processing of information which was incompatible with the original collection purpose.
iii. The College’s failure to maintain separate files for verification reports and finance policies, coupled with its failure to register an information officer, revealed an absence of organisational controls to prevent unlawful access or processing.

The Regulator found that the accidental internal disclosure triggered PoPIA's data breach notification obligations under section 22, which the College had failed to discharge.

The Regulator directed the College to: register an information officer and deputy information officers, formally notify the Regulator and affected data subjects of the breach, issue a written apology to the complainants, to be circulated to all staff, take disciplinary action against the responsible employee, develop and submit a PoPIA compliance framework, and conduct staff awareness and training programmes.

Failure to comply with an enforcement notice is a criminal offence punishable by a fine of up to R10m, imprisonment of up to 10 years, or both.

A breach is a breach

The most significant aspect of this enforcement notice is the Regulator's confirmation that even accidental breaches fall within the definition of a "security compromise" for PoPIA purposes.

Responsible parties are required to notify the Regulator and affected data subjects "where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person". The provision does not distinguish between external attackers and internal employees, nor between deliberate and inadvertent disclosures.

In the College’s case, the breach was entirely accidental. Nevertheless, the Regulator held that this constituted a security compromise triggering PoPIA's notification obligations in full.

Formal notification necessary

The Regulator held that even the college’s good-faith remedial steps of recalling the email, launching an investigation and alerting employees that the information was not for staff, did not absolve the College of its statutory duty to formally notify the Regulator and affected data subjects.

The message is clear: informal internal remediation, however swift, is no substitute for formal compliance with PoPIA's breach notification requirements.

Key takeaways

This case holds some key lessons for businesses:

Security: The first is that organisations must implement robust security measures to protect against both internal and external breaches. This requires both technological measures, such as access controls and data loss prevention technology; and organisational measures, such as policies, clear processes, and employee training.

Access controls: Businesses should implement appropriate access controls to limit internal exposure to personal information. Personal information should be accessible only to those who require it for the specific purpose for which it was collected. Role-based access controls, file segregation, and clear protocols for handling sensitive documents are essential.

Response plan: Every organisation should develop and maintain a comprehensive data breach response plan. A proper response plan should include clear procedures for identifying and escalating potential breaches, templates for notification to the Regulator and affected data subjects, designated personnel responsible for managing the response and defined timelines for notification "as soon as reasonably possible".

Reporting: Most importantly, businesses must recognise the obligation to report all breaches to both the Regulator and affected data subjects. PoPIA contains no materiality threshold which means that every security compromise, no matter how minor, must be formally notified.

Organisations should ensure that staff at all levels understand this obligation and that internal reporting channels are in place to escalate potential breaches promptly to those responsible for regulatory notification.

About the author

Armand Swart is a Director at Werksmans Attorneys

 
For more, visit: https://www.bizcommunity.com