ROSEWALL AGENCIES CC
REG NO: 1994/000947/23
DATA BREACH POLICY
Clause 1 INTRODUCTION
1.1 This policy aims to help the Company manage personal information data breaches effectively.
1.2 A data breach generally refers to the unauthorized processing (which includes, but is not limited to, accessing, storing, disseminating and deleting) of Personal Information. The Company holds Personal Information about, inter alia, employees, clients, suppliers and other individuals for a variety of business purposes.
1.3 POPIA obliges the Organisation to make reasonable security arrangements to protect the Personal Information that we process to prevent unauthorized access, collection, use, disclosure or similar risks and obliges the Organisation and its staff to report actual or suspected data breaches.
1.4 The objective of this policy is to enable the Organisation, the Information Officer and the staff to act promptly to contain any data breaches that may occur, to minimise the risk/s associated with the data breach and to take action if necessary to secure the Personal Information and prevent further breaches.
1.5 This policy supplements our other policies relating to internet and email use. We may supplement or amend this policy by additional policies and guidelines from time to time. Any new or modified policy will be circulated to staff before being adopted.
Clause 2 SCOPE
2.1 This policy applies to the following persons:
2.1.1 all Organisation staff and employees (which includes, but is not limited to, fixed term, permanent and part time employees);
2.1.2 supervisors and management;
2.1.3 directors and prescribed officers; and
2.1.4 consultants, suppliers, contractors and/or third parties contracted by the Organisation.
2.2 You are required to familiarise yourself with this policy and are responsible for complying with its terms.
Clause 3 DEFINITIONS
3.1 Unless otherwise expressly stated, or the context otherwise requires, the words and expressions listed below shall, when used in this policy, including this introduction, bear the meanings ascribed to them:
3.1.1 “Data Subject” refers to a person to whom personal information relates.
3.1.2 “Information Officer” means the person duly nominated and designated by the Organisation as the information officer and who is contactable for the purposes of this policy.
3.1.3 “Personal Information” refers to information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.
3.2 “POPIA” means the Protection of Personal Information Act 4 of 2013;
3.2.1 “Processing” refers to anything that is done with personal information by the Organisation and includes the collection, use, storage, dissemination, modification or destruction of Personal Information (regardless of whether the processing is automatic).
3.2.2 “Responsible Party” refers to the person who determines why and how to process the Personal Information i.e. the Organisation.
3.2.3 “Operator” refers to the person and/or entity who processes the Personal Information on behalf of the Responsible Party.
Clause 4 BACKGROUND INFORMATION
4.1 The purpose of POPIA is to protect Personal Information, to strike a balance between the right to privacy and the need for the free flow of, and access to, information, and to regulate how personal information is processed.
4.2 POPIA sets minimum standards for the protection of Personal Information that businesses need to comply with and is applicable to all businesses that collect, process, store and destroy personal information (including records which the Organisation already has in its possession).
4.3 Notably, the Organisation as the Responsible Party is ultimately responsible for the lawful processing of Personal Information and should only use Operators that can meet the requirements of lawful Personal Information processing prescribed by POPIA.
Clause 5 WHAT IS A PERSONAL INFORMATION BREACH?
5.1 A breach of Personal Information is a breach of security leading to Personal Information being either intentionally, negligently and/or unlawfully accessed, destroyed, lost, stolen, altered, disclosed, transmitted, stored or otherwise Processed by an unauthorised third party.
5.2 Personal Information data breaches may be caused by employees (human error), parties external to the Organisation (malicious activities) and/or computer system errors.
5.3 Human errors which can result in Personal Information data breaches include, inter alia:
5.3.1 loss of computing devices (portable or otherwise), data storage devices or paper records containing Personal Information;
5.3.2 disclosing Personal Information to a wrong recipient;
5.3.3 handling Personal Information in an unauthorized way (e.g. saving Personal Information in an incorrect and/or insecure location);
5.3.4 improperly disposing of Personal Information (e.g. hard disk, storage media or paper documents containing Personal Information being sold or discarded before Personal Information is properly deleted); and/or
5.3.5 unauthorized access or disclosure of Personal Information by employees (e.g. sharing login credentials).
5.4 Malicious activities which can result in Personal Information data breaches include, inter alia:
5.4.1 hacking incidents and/or the illegal access to databases containing Personal Information;
5.4.2 theft of computing and mobile devices (portable or otherwise), data storage devices or paper records containing Personal Information; and/or
5.4.3 scams, downloading computer viruses, trojan horses and/or phishing emails that trick staff into releasing Personal Information.
5.5 Computer system errors which can result in Personal Information data breaches include, inter alia:
5.5.1 failure of cloud services, cloud computing or cloud storage security, authentication and/or authorization systems;
5.5.2 hardware failures.
Clause 6 REPORTING PERSONAL INFORMATION DATA BREACHES
6.1 All members of staff have an obligation to report actual or potential Personal Information compliance failures.
6.2 All Personal Information data breaches must be reported immediately to the Information Officer of the Organisation, and in any event not later than 72 (seventy-two) hours after the data breach occurred.
6.3 By reporting actual or potential Personal Information data breaches, the Organisation is able to:
6.3.1 investigate any breach and assess the impact of same;
6.3.2 contain the breach and take remedial steps if necessary;
6.3.3 maintain a register of compliance failures;
6.3.4 notify the Data Subject and the Information Regulator of any compliance failures that are material either in their own right or as part of a pattern of failures.
Clause 7 MANAGING REPORTED DATA BREACHES
7.1 On being notified of a suspected Personal Information data breach, the Information Officer and/or their duly nominated representative must take steps to:
7.1.1 CONFIRM the breach;
7.1.2 CONTAIN the breach;
7.1.3 ASSESS the breach;
7.1.4 REPORT the breach;
7.1.5 REVIEW the breach.
Clause 8 STEP 1: CONFIRM THE DATA BREACH
8.1 Immediately after being notified of a suspected Personal Information data breach, the Information Officer must take steps to establish, confirm and verify whether a breach of Personal Information has occurred.
8.2 If the Information Officer determines and confirms that a breach of Personal Information has in fact occurred, the Information Officer and/or his/her duly nominated representative must then proceed to contain the breach. If the reported breach is of a serious nature and depending on the severity of the reported risk, the Information Officer may proceed to contain the breach on the basis of an unconfirmed data breach.
Clause 9 STEP 2: CONTAIN THE DATA BREACH
9.1 In order to contain the data breach, the Information Officer may, where applicable, inter alia:
9.1.1 restrict access to and/or shut down the compromised system that led to the data breach;
9.1.2 establish whether steps can be taken to recover lost data and limit any damage caused by the breach (e.g. changing login credentials, blocking accounts, remotely disabling and/or wiping a lost device containing Personal Information);
9.1.3 prevent further unauthorized access to the system;
9.1.4 reset passwords if accounts and/or passwords have been compromised; and/or
9.1.5 isolate the causes of the data breach in the system, and where applicable, change the access rights to the compromised system and remove external connections to the system.
Clause 10 STEP 3: ASSESS THE DATA BREACH
10.1 Assessing and determining the risks and the potential or actual impact of a breach will assist the Organisation and the Information Officer in determining whether there could and/or will be serious consequences as a result of such breach and what action is required.
10.2 Risk and impact on Data Subjects:
10.2.1 Whose Personal Information has been breached?
Does the Personal Information belong to employees, customers or minors? Different people will face varying levels of risk as a result of a loss of personal data.
10.2.2 What types of Personal Information were involved?
This helps determine whether there is any risk to a Data Subject’s reputation, identity, safety and/or finances.
10.2.3 How many people were affected?
A higher number may not mean a higher risk, but assessing this helps overall risk assessment.
10.2.4 Are there any measures in place to minimize the impact of the breach?
This can reduce the impact of a data breach (e.g. is a device/account password protected, are the files encrypted, etc.).
10.2.5 Risk and impact on the Organisation:
10.2.6 What caused the data breach?
How did the breach occur (e.g. was it through theft, accident, unauthorized access, etc.)? This determination will help identify what immediate steps should be taken to contain the breach.
10.2.7 When and how did the breach occur?
This assists the Organisation to better understand the nature of the breach (e.g. malicious or accidental).
10.2.8 Who might gain access to the compromised Personal Information?
How can the compromised data be used? Data Subjects must be notified if their Personal Information has been processed by an unauthorized person.
10.2.9 Will compromised data affect transactions with any other third parties?
Determining this will help identify if other entities need to be notified.
Clause 11 STEP 4: REPORT THE DATA BREACH
11.1 In terms of POPIA, the Organisation and the Information Officer are legally obliged to notify Data Subjects if their Personal Information has been breached and/or compromised.
11.2 Who to Notify?
11.2.1 Data Subjects i.e. the individuals whose Personal Information has been compromised.
11.2.2 Relevant third parties such as banks, credit card companies or the insurers where relevant.
11.2.3 The Information Regulator, especially if a data breach involves sensitive Personal Information.
11.2.4 The relevant authorities (e.g. the police) should be notified if criminal activity is suspected (e.g. hacking, theft or unauthorized system access by an employee), and evidence for the investigation should be preserved.
11.3 When to Notify?
11.3.1 Notify Data Subjects immediately if a data breach involves sensitive Personal Information, as this allows them to take necessary actions early on to avoid potential and/or further abuse of the compromised data.
11.3.2 Subject to applicable legislation, if there is no risk of abuse of the compromised data, the Organisation can notify Data Subjects when the data breach is resolved.
11.4 How to Notify?
11.4.1 Use the most effective ways to reach out to Data Subjects, taking into consideration the urgency of the situation and number of individuals affected (e.g. media releases, social media, mobile messaging, SMS, emails, telephone calls, etc.).
11.4.2 Notifications should be clear, specific and simple to understand and should provide clear instructions on what Data Subjects can do to protect themselves.
11.5 What to Notify?
11.5.1 How and when the data breach occurred.
11.5.2 What types of Personal Information were involved in the data breach.
11.5.3 What the Organisation has done, or will do, in response to the risks brought about by the data breach.
11.5.4 Specific facts on the data breach where applicable and actions individuals can take to prevent that data from being misused or abused.
11.5.5 Contact details and how affected Data Subjects can reach the Organisation for further information or assistance (e.g. helpline numbers, e-mail addresses or website).
Clause 12 REVIEW THE DATA BREACH
12.1 After the necessary remedial steps have been taken to resolve the data breach, the Organisation and the Information Officer must review the cause of the breach and evaluate if existing protection and prevention measures and processes are sufficient to prevent similar breaches from occurring, and where applicable put a stop to practices which led to the data breach.
12.2 Operational and Policy Related Issues
12.2.1 Were audits regularly conducted on both physical and IT-related security measures?
12.2.2 Are there processes that can be streamlined or introduced to limit the damage if future breaches happen or to prevent a relapse?
12.2.3 Were there weaknesses in existing security measures such as the use of outdated software and protection measures, or weaknesses in the use of portable storage devices, networking or connectivity to the Internet?
12.2.4 Were the methods for accessing and transmitting Personal Information sufficiently secure, e.g. access limited to authorized personnel only?
12.2.5 Should support services from Operators be enhanced to better protect Personal Information?
12.2.6 Were the responsibilities of Operators clearly defined in relation to the handling of Personal Information?
12.2.7 Is there a need to develop new data-breach scenarios?
12.3 Resource Related Issues
12.3.1 Were sufficient resources allocated to manage the data breach?
12.3.2 Should external resources be engaged to better manage such incidents?
12.3.3 Were key personnel given sufficient resources to manage the incident?
12.4 Employee Related Issues
12.4.1 Were employees aware of security related issues?
12.4.2 Was training provided on personal data protection matters and incident management skills?
12.4.3 Were employees informed of the data breach and the learning points from the incident?
12.5 Management Related Issues
12.5.1 Did management actively participate in the management of the data breach and if so, how was management involved?
12.5.2 Were there clear lines of responsibility and communication during the management of the data breach?
Clause 13 REPORTING CONCERNS IN RELATION TO DATA PROTECTION
13.1 Prevention is better than cure. Accordingly, the Organisation’s policy is that it is always better to prevent a Personal Information data breach than to deal with the breach, and with data protection, as an afterthought.
13.2 Data security concerns may arise at any time and you are encouraged to report any concerns (even if these concerns don’t meet the criteria of a data breach) that you may have to the Information Officer. This can help mitigate risks as they emerge and protect the Organisation against data breaches.
Clause 14 MONITORING
14.1 We will monitor the effectiveness of this and all of our policies and procedures and conduct a full review and update as appropriate.
14.2 Our monitoring and review will include looking at how our policies and procedures are working in practice to reduce the risks posed to the Organisation.