Information Regulator: Guide on Reporting Security Compromises
Brought to you by SA Accounting Academy: The Information Regulator has issued a step-by-step guide to assist responsible parties in navigating the eServices Portal for reporting security compromises.
In terms of section 22 of the Protection of Personal Information Act, No. 4 of 2013 (POPIA), responsible parties are legally obligated to notify the Regulator and the affected data subjects where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person. The newly published guide provides technical instructions for using the eServices Portal, which was established to streamline these notifications.
The Regulator has clarified that all security compromises must be reported, irrespective of the scale or perceived risk level. Under the current regulatory framework, there is no “low-risk” exclusion; any instance where personal information is lost, stolen, leaked, or otherwise exposed qualifies as a reportable incident.
The guide outlines the following procedural steps for compliance:
- Registration and authentication on the Information Regulator’s eServices Portal;
- Completion of the digital notification form for security compromises; and
- Submission requirements for supporting documentation related to the breach.
This development follows the launch of the eServices Portal earlier in 2025, intended to replace manual or email-based reporting with a secure, centralized system.
What this means for you, your business, or your clients
- For yourself: Familiarise yourself with the eServices Portal interface to ensure you can provide immediate technical guidance during a data breach response.
- For your business: Review and amend internal data breach protocols to ensure that even minor incidents are flagged for reporting, as POPIA does not recognize a “low-risk” threshold for non-disclosure.
- For your clients: Ensure clients are aware that the failure to report a security compromise via the prescribed portal constitutes a breach of Section 22 of POPIA, potentially attracting administrative fines or enforcement notices.
Originally published at https://accountingacademy.co.za/news/read/information-regulator-reporting-security-compromises-guide






