Security 7.04.2025

South Africa gets online system for reporting data breaches

South Africa’s Information Regulator has launched an online platform for public and private entities to report security compromises. It has instructed all organisations to report any compromises through the system.

The system is accessible through the Information Regulator’s eServices portal, and the Information Regulator will no longer accept reports via email.

“The Regulator has established a new Security Compromises Reporting functionality on the eServices portal which, as of 1 April 2025, is mandatory for all organisations to report any security compromises using the portal, rather than via email,” it said in a statement.

The watchdog said the platform’s launch is part of its ongoing efforts to streamline the reporting process and improve the monitoring of security incidents that expose personal information.

Security compromise reports are made in terms of section 22(1) of the Protection of Personal Information Act where there are reasonable grounds to believe that a data subject’s personal information has been accessed or acquired by an unauthorised person.

“The responsible party must notify the Regulator; and subject to subsection (3), the data subject (individual whose personal information relates to or is identified by), unless the identity of such a data subject cannot be established,” the Information Regulator said.

The information watchdog has provided a step-by-step guide on registering Information Officers (IOs) and submitting compromise reports via the portal to simplify the process.

The Security Compromises Reporting platform is accessible through the regulator’s eServices portal.

Those who don’t follow the Information Regulator’s instructions and fail to report data breaches timeously could be slapped with an enforcement notice, and if they still fail to comply, an infringement notice and a fine.

One such example is the Department of Justice and Constitutional Development, to which the Information Regulator issued a R5 million fine in July 2023 for failing to comply with its instructions.

The department had failed to comply with an enforcement notice the regulator issued on 9 May over a ransomware attack that compromised its systems in September 2021.

The watchdog found that negligence had contributed to the department falling victim to the attack, and it ordered the department to submit proof that it had renewed security software licences within 31 days.

Specifically, it ordered the department to renew its Trend Anti-Virus, Security Incident and Event Monitoring, and Intrusion Detection System licences.

It also instructed the department to carry out disciplinary proceedings for those accountable for the negligence.
