ADDITIONAL CHECKLIST ON TECHNICAL MEASURES

• An information security policy that is actually implemented.
• Regular review of policies, and improvement to keep pace with industry standards and changes.
• Training and upskilling for all individuals involved in data processing.
• Regular testing and review of the measures to ensure that they are effective, for example by conducting network penetration tests.
• Implementing industry-certified standards, or those approved in a code of conduct by the data protection Authority.
• Enforcing the technical measures on any data processor; this should be reflected in the contract between the data controller and the data processor (section 18(8)).

NOTIFICATIONS

The Act provides for two forms of notification to the data protection Authority by the data controller. The first is security breach notification; the second is notification of processing through automated means.

Security Breach

In the event of unauthorised destruction, negligent loss, unauthorised alteration or access, or any other unauthorised processing of data, the data controller must notify the Authority of the security breach within 24 hours, in terms of Section 19 of the Act. Under POPIA, notification to the data subject is also required, unless the data subject's identity cannot be established or the notification would impede an investigation by the concerned authorities.[51]

The Authority must provide guidelines that specify the content of the security breach notification, such as:

• Nature of the security breach.
• Number of data subjects affected, where possible.
• Categories of personal data breached.
• Measures taken to mitigate or resolve the breach.
• Measures to prevent or mitigate adverse effects of the breach on data subjects.

Automated Processing Notification

Section 20(1) of the Act requires the data controller to inform the Authority of any automated data processing that may be taking place, wholly or partly. The exceptions under Section 20(3) are when the information is processed for the purpose of keeping a register intended for public use by operation of law, or when the data controller is pursuing a legitimate interest.

Further exemptions from notification may be decided by the Authority if Section 20(4) is complied with and:

• There is no apparent risk of infringing the rights and freedoms of data subjects.
• The purpose of the data processing, the categories of data being processed, the categories of data subjects, the categories of data recipients and the data retention period are specified.
• The data controller has appointed a data protection officer.

WHO IS A DATA PROTECTION OFFICER?

The data protection officer (DPO) 'refers to any individual appointed by the data controller and is charged with ensuring, in an independent manner, compliance with the obligations provided for in this Act'. The appointment of a DPO is important in public institutions, and in institutions that process personal data on a large scale. Section 20(5) of the Act requires the data controller to notify the Authority of the appointment of the DPO, whose qualifications must meet the criteria set out under Section 20(6), and who must carry out the tasks specified there.

[51] POPIA s22(3).

MISA Zimbabwe • Guide to the Zimbabwean Cyber and Data Protection Act 2022