Section 19 Security measures on integrity and confidentiality of personal information

  1. A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent—
    1. loss of, damage to or unauthorised destruction of personal information; and
    2. unlawful access to or processing of personal information.
  2. In order to give effect to subsection (1), the responsible party must take reasonable measures to—
    1. identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
    2. establish and maintain appropriate safeguards against the risks identified;
    3. regularly verify that the safeguards are effectively implemented; and
    4. ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
  3. The responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.

Section 20 Information processed by operator or person acting under authority

  1. An operator or anyone processing personal information on behalf of a responsible party or an operator, must—
    1. process such information only with the knowledge or authorisation of the responsible party; and
    2. treat personal information which comes to their knowledge as confidential and must not disclose it,

unless required by law or in the course of the proper performance of their duties.

Section 21 Security measures regarding information processed by operator

  1. A responsible party must, in terms of a written contract between the responsible party and the operator, ensure that the operator which processes personal information for the responsible party establishes and maintains the security measures referred to in section 19.
  2. The operator must notify the responsible party immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.