POPIA: Information regulator - responsible parties should heed the warnings

Just recently, NEASA reported on the issuance of a fine in the amount of R5 million against the Department of Justice and Constitutional Development (DoJCD) by the Information Regulator, for the contravention of various sections of the Protection of Personal Information Act (POPIA), including non-compliance with an enforcement notice. (No further information regarding the execution of this fine could be found at the date of publishing of this newsletter)

Now, it seems the Regulator is gearing up to tackle another responsible party for POPIA contravention. On Thursday, 31 August 2023, the Regulator issued an enforcement notice to Dis-Chem Pharmacies Ltd (Dis-Chem) following a finding of the contravention of POPIA.

Dis-Chem’s third-party service provider, Grapevine, suffered a ‘brute force attack’ by an unauthorised party. Approximately 3.6 million data subjects’ records were accessed from Dis-Chem’s e-statement service database which was managed by Grapevine. Dis-Chem became aware of the security compromise through text messages sent to certain employees, whereafter Dis-Chem notified the Regulator of this security compromise.

Following an own-initiative assessment, the Regulator determined that Dis-Chem had ‘interfered’ with the protection of personal information of the data subjects, leading to the Regulator issuing the enforcement notice. Clearly, responsible parties will be held liable for the POPIA failures of their service providers or “operators” with reference to personal information – this risk should be dreaded by every responsible party (business) in South Africa.

Dis-Chem’s alleged ‘interference’ is premised on its failure to:

  • identify the risk of using weak passwords and prevent the usage of such passwords;
  • put in place adequate measures to monitor and detect unlawful access to their environment;
  • enter into an operator agreement with Grapevine and ensure that Grapevine has adequate security measures in place to secure personal information in its possession. Furthermore, the agreement would have outlined processes of reporting to Dis-Chem in the event of a security compromise.

Consequently, Dis-Chem must provide a report to the Regulator on the implementation of specific actions ordered in the notice within 31 days of the receipt thereof. Should Dis-Chem fail to adhere within the stipulated timeframe, it will be guilty of an offence, on which the Regulator may impose an administrative fine of an amount not exceeding R10 million or be liable, upon conviction, to imprisonment or both.

The remedial steps demanded in the Regulator’s notice include, among others:

  • conducting of a Personal Information Impact Assessment to ensure that adequate measures and standards exist to comply with the conditions for the lawful processing of personal information;
  • implementation of an adequate Incident Response Plan. Furthermore, implementation of the Payment Card Industry Data Security Standards by maintaining a vulnerability management programme, implementation of strong access control measures and maintenance of an Information Security Policy;
  • conclusion of written contracts with all operators who process personal information on its behalf, compelling the operator(s) to establish and maintain same or better security measures;  and
  • the development, implementation, monitoring, and maintenance of a compliance framework, which clearly makes provision for the reporting obligations of Dis-Chem and all its operators.

If Dis-Chem implements the above steps to the satisfaction of the Regulator, they may still avoid the fine, despite the ‘infringement’ having already taken place. However, if any damage is suffered by any data subjects due to the breach, the risk of civil remedies being instituted against them remains.

Employers and other responsible parties who do not wish to suffer the same fate as the DoJCD or Dis-Chem, should ensure they are fully complying with the provisions of the POPIA. It should be clear from these cases that even the malicious actions of third-parties, and failures or non-compliance by third-party service providers, outside the control of the responsible party, can lead to the Regulator deeming a responsible party as having ‘interfered’ with the protection of the personal information of its data subjects.

Being POPIA compliant clearly does not mean the responsible processing of personal information only, but it also means active, conscious efforts (with proof thereof) towards constantly ensuring the safety of the personal information under your control. Merely operating in good faith will not save you from the wrath of the Regulator.

For assistance with POPIA compliance matters, please contact your regional NEASA office.