Security Compromise (POPIA Section 22)

Section 22 of the Protection of Personal Information Act 4 of 2013 creates South Africa\'s mandatory breach-notification regime. Where there are reasonable grounds to believe that personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify the Information Regulator and the affected data subject as soon as reasonably possible after the discovery of the compromise. Only the Regulator may authorise a delay for law-enforcement reasons or for the integrity of the investigation.

The notification must, under section 22(5), be in writing and communicated to the data subject by email, website, post or prominent media when direct communication is not reasonably practicable. It must provide sufficient information to allow the data subject to take protective measures: a description of the possible consequences; the measures the responsible party intends to take or has taken; a recommendation on what the data subject should do; the identity of the person who accessed the information, where known; and contact details for further information. The Information Regulator\'s POPIA Section 22 Notification Form (eRegulator portal) prescribes the standardised content for the Regulator notification.

Enforcement in 2022–2024 has been aggressive. The Regulator\'s enforcement notice to TransUnion (May 2023) and investigations against Dis-Chem and Experian demonstrate that delayed, partial or misleading notifications are themselves treated as separate contraventions. Well-drafted operator agreements contractually mirror section 22 obligations — usually requiring the operator to notify the responsible party within 24 to 48 hours of discovery, cooperate with forensic investigation, and indemnify the responsible party for regulatory fines arising from the operator\'s failures.