Dis-Chem Enforcement Notice Spotlights Why Companies Must Establish Operator Agreements To Comply With SA's POPI Act

The Act protects personal information of individuals against harm which may occur as a result of criminal activity and compliance is therefore compulsory for all companies. Should your company be non-compliant with the Act, the Information Regulator who up until now had been permissive, will be hot on your trail.

On August 31, 2023, Dis-Chem Pharmacies Ltd. (JSE: DCP) was issued with an enforcement notice by the Information Regulator due to the contravention of various sections of the Act. Should Dis-Chem remain non-compliant with the actions ordered, within 31 days of the notice being issued, the entity and/or responsible party would be issued with a fine of an amount not exceeding R10 million or be liable upon conviction to a prison sentence up to 10 years.

In April or May 2022 Dis-Chem's third-party service provider, Grapevine Interactive, was the victim of a cyber-attack whereby an unauthorised party gained access to their records by which the hacker used a trial-and-error method to crack the password, login credentials and encryption keys. This resulted in approximately 3.6 million unauthorized records which had been accessed from the e-statement service database. Following the identification of the breach in security, Dis-Chem failed to notify the affected data subjects as required in terms of section 22 of the Act.

Following the assessment by the Regulator, it was confirmed that Dis-Chem failed to:

1. Identify the risk of using weak passwords and prevent the usage of such passwords;
2. Put in place adequate measures to monitor and detect unlawful access to their environment;
3. Enter into an operator agreement with Grapevine and ensure that Grapevine has adequate security measures in place to secure personal information in its possession. This agreement would have outlined processes of reporting to Dis-Chem in the event of a security compromise.

Dis-Chem failed to ensure that adequate measures had been in place to prevent unlawful access and had not ensured that an operator agreement had been place. It was Dis-Chem's responsibility as the responsible party to have an agreement in place with all third parties before sharing personal information of a data subject. Dis-Chem had been ordered as a part of the enforcement notice to ensure that it concludes written contracts with all operators who process personal information on its behalf, and that such a contract compels the operator to establish and maintain the same or better security measures as referred to in section 19 of the Act.

Many companies do not have an operator agreement in place with third parties and are therefore in contravention of the Act - a major risk to their organisations. In terms of section 21 of the Act, the responsible party must have a written contract in place so as to ensure that the third party that processes personal information of data subjects establishes and maintains security measures as required in terms of the Act. If your company is in contravention of the Act, the Regulator may either issue an administrative fine of up to R10 million or a prison sentence up to 10 years or both, depending on the seriousness of the breach. Furthermore, the director may also be charged with a criminal offence in his or her personal capacity, with the risk of the director being imprisoned if found guilty.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.