Information Regulator: Mandatory Reporting of Security Compromises

Posted 16 September 2025 Written by Acts Online
Category Justice

Brought to you by SA Accounting Academy: The Information Regulator has released a Fact Sheet clarifying that all security compromises must be reported under the Protection of Personal Information Act, regardless of the perceived risk level.

In terms of the Protection of Personal Information Act, No. 4 of 2013 (POPIA), the Information Regulator has issued guidance on the handling of security compromises. While the Act does not explicitly define the term ‘security compromise,’ the Regulator interprets it as any compromise in the security, confidentiality, integrity, or availability of personal information. This includes the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal information that may result in harm to data subjects.

The Fact Sheet emphasises that POPIA does not establish a minimum threshold for the reporting of security compromises. Consequently, the following regulatory requirements apply to all responsible parties:

  • Mandatory Reporting: All security compromises must be reported to the Information Regulator by the responsible party, irrespective of the deemed level of risk associated with the incident.
  • No Discretionary Reporting: Responsible parties do not have the discretion to decide whether or not to report a compromise based on internal risk assessments.
  • Data Subject Notification: There is a mandatory requirement to notify affected data subjects of the compromise to mitigate potential harm.


What this means for you, your business, or your clients

  • For yourself: You must ensure that your professional advice to stakeholders reflects the zero-threshold reporting requirement, as failure to report any breach constitutes a direct contravention of POPIA.
  • For your business: Your firm must update its internal data breach and incident response policies to remove any ‘materiality’ or ‘risk-based’ filters that might prevent the reporting of minor security incidents to the Regulator.
  • For your clients: Advise clients that they are legally obligated to notify both the Information Regulator and the affected data subjects for every instance of unauthorised personal information access, regardless of how small the incident may seem.

Originally published at https://accountingacademy.co.za/news/read/information-regulator-fact-sheet-on-handling-of-security-compromises


The views expressed herein are those of the author and do not necessarily reflect those of Acts Online. Acts Online accepts no responsibility for the accuracy, completeness or fairness of the article, nor does the information contained herein constitute advice, legal or otherwise.