The Act protects the personal information of individuals against harm that may occur as a result of criminal activity, and compliance is therefore compulsory for all companies. Should your company be non-compliant with the Act, the Information Regulator, which up until now has been permissive, will be hot on your trail.
On
In April or
Following the assessment by the Regulator, it was confirmed that Dis-Chem failed to:
- Identify the risk of using weak passwords and prevent the usage of such passwords;
- Put in place adequate measures to monitor and detect unlawful access to their environment;
- Enter into an operator agreement with Grapevine and ensure that Grapevine has adequate security measures in place to secure personal information in its possession. This agreement would have outlined processes of reporting to Dis-Chem in the event of a security compromise.
Dis-Chem failed to ensure that adequate measures were in place to prevent unlawful access and had not ensured that an operator agreement was in place. It was Dis-Chem's responsibility, as the responsible party, to have an agreement in place with all third parties before sharing the personal information of a data subject. As part of the enforcement notice, Dis-Chem was ordered to conclude written contracts with all operators who process personal information on its behalf, and such contracts must compel the operator to establish and maintain the same or better security measures as referred to in section 19 of the Act.
Many companies do not have an operator agreement in place with third parties and are therefore in contravention of the Act - a major risk to their organisations. In terms of section 21 of the Act, the responsible party must have a written contract in place to ensure that any third party that processes the personal information of data subjects establishes and maintains the security measures required in terms of the Act. If your company is in contravention of the Act, the Regulator may issue an administrative fine of up to R10 million, a prison sentence of up to 10 years, or both, depending on the seriousness of the breach. Furthermore, a director may also be charged with a criminal offence in his or her personal capacity, with the risk of imprisonment if found guilty.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
Koos Benadie
Units
Centurion
Tel: 12001 2739
Fax: 12001 8811
E-mail: mark@barnardinc.co.za
URL: www.barnardinc.co.za/
© Mondaq Ltd, 2023 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source