
South Africa: Cybersecurity


1. GOVERNING TEXTS

1.1. Legislation

South Africa does not currently have a comprehensive cybersecurity law. Currently, cybersecurity is addressed by a hybrid of different laws and the common law. These laws, when viewed collectively, do not adequately address the challenge of cybersecurity in South Africa.

In 2012, the South African State Security Agency adopted the National Cybersecurity Policy Framework ('NCPF'), which set out the measures and mechanisms for coordination of cybersecurity across government. In February 2017, the Cybercrimes and Cybersecurity Bill, 2017 [B 6—2017] ('the Original Bill') was tabled in Parliament. The Original Bill, among other things, sought to create offences and impose penalties which have a bearing on cybercrime, criminalise the distribution of harmful data messages, provide for interim protection orders and the establishment of structures to promote cybersecurity and capacity building, and regulate the identification and declaration of critical information infrastructures and measures to protect the same.

The cybersecurity provisions within the Original Bill (including those relating to the establishment of structures to promote cybersecurity, the regulation and identification of critical information infrastructures, and measures to protect the same) were removed, in October 2018, from the Original Bill, on the basis that cybersecurity would be dealt with under another law.

Pending the enactment of the law on cybersecurity, the following laws address cybersecurity:

  • Section 14 of the Constitution of the Republic of South Africa, 1996, which provides that everyone has the right to privacy, including the right not to have the privacy of their communications infringed;
  • the Cybercrimes Act, 2020 (Act 19 of 2020) ('Cybercrimes Act'), which creates offences which have a bearing on cybercrime, criminalises the disclosure of data messages which are harmful, provides for interim protection orders, regulates jurisdiction and powers in respect of cybercrimes, and provides for the establishment of a designated point of contact in respect of cybercrimes. It was made law on 26 May 2021. Some of the sections in the Cybercrimes Act came into operation on 1 December 2021. These include, among others, Chapter 1 (on definitions), some of Chapter 2 (on cybercrimes, malicious communications and sentencing), Chapter 3 (on the jurisdiction of South African courts in respect of cybercrimes), parts of Chapter 4 (on the powers of the South African Police Service to investigate cybercrimes, search, access and seize and offences relating thereto; the power to investigate, search, access and seize any computer data storage medium or computer system, or to direct any person to do so), Chapter 7 (on evidence of cybercrimes), some of Chapter 8 (on ensuring capacity to detect, prevent and investigate cybercrimes), and parts of Chapter 9 (on various general provisions including the making of regulations and the amendment of various laws);
  • the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA'), which contains some obligations that relate to cybersecurity (most of the provisions of POPIA came into operation on 1 July 2020 and all data processing had to be made to conform with POPIA within one year from this date, i.e. by 1 July 2021);
  • the Electronic Communications and Transactions Act, 2002 ('the ECT Act'), which regulates electronic communications and transactions, and includes provisions on the protection of critical databases and on cybercrimes; and
  • the Regulation of Interception of Communications and Provision of Communication-related Information Act, 2003, which regulates the interception and monitoring of communications.

1.2. Regulatory authority

The Cybersecurity Hub was established under the NCPF. The Hub is not a regulator, but is South Africa's National Computer Security Incident Response Team ('CSIRT'). It identifies and counters cybersecurity threats, and creates public awareness and education around cybersecurity threats through up-to-date alerts and a portal on its website. The Cybersecurity Hub works in coordination with various sector CSIRTs, such as those for telecoms, retail, finance, health, and higher education.

The Information Regulator was established pursuant to Section 30 of POPIA. The Information Regulator's functions include, among others, to monitor and enforce compliance with POPIA. The Information Regulator may conduct assessments, on its own initiative or upon request, of a public or private body in respect of the processing of personal information by that body. In addition, the Information Regulator is empowered to receive and investigate complaints on alleged violations of the provisions of POPIA. The Information Regulator may issue enforcement notices requiring that the responsible party (i.e. the data controller) take specific steps or refrain from taking such steps, or to stop processing personal information in the manner set out in the notice. The Information Regulator may also issue administrative fines of up to ZAR 10 million (approx. €581,310).

Chapter XII of the ECT Act provides for the appointment of 'cyber inspectors', whose functions include monitoring and inspecting unlawful activities on any website. To date, no cyber inspectors have been appointed.

1.3. Regulatory authority guidance

The Information Regulator has not yet issued any guidance on cybersecurity. Guidance notes related to privacy more widely can be found on the Information Regulator's website.

The King IV Report on Corporate Governance for South Africa, 2016 ('the King IV Report'), although not prescribed by a regulatory authority, includes voluntary principles for corporate governance, including technology and information governance. Companies listed on, for example, the Johannesburg Stock Exchange, are required by law to comply with the King IV report.

The Cybersecurity Hub publishes high-level cybersecurity tips, advice, and information sheets on its website, covering topics such as device and software management, protection from scams, and good security habits.

2. SCOPE OF APPLICATION

In terms of the Cybercrimes Act, a court in South Africa will have jurisdiction to try an offence under that Act if:

  • the accused is arrested in South Africa, or on board a vessel, ship, offshore installation, platform, or aircraft registered or required to be registered in South Africa;
  • the person charged is a citizen or ordinarily resident of South Africa, a company incorporated or registered under the laws of South Africa, or a body of persons, corporate or unincorporated, in South Africa;
  • the offence is committed in South Africa, or on board a vessel, ship, offshore installation, fixed platform, or aircraft registered or required to be registered in South Africa at the time the offence was committed;
  • any act in preparation of the offence, any action necessary to commit the offence, or any part of the offence took place in South Africa, or on board a vessel, ship, offshore installation, fixed platform, or aircraft registered or required to be registered in South Africa at the time the offence was committed;
  • the offence affects any person, a registered computer system, public body, or business in South Africa;
  • the offence was committed outside South Africa against a person who is a citizen or ordinarily resident in South Africa, a restricted computer system, a company incorporated or registered under the laws of South Africa, a government facility of the country (including an embassy or other diplomatic or consular premises), or any other property of the country; or
  • evidence reveals any other basis recognised by law on which the country may assert jurisdiction over an offence.

POPIA applies to processing of personal information relating to living natural persons and existing juristic persons. It applies to all processing of personal information, including:

  • personal information entered in a record by or for a responsible party by making use of automated or non-automated means (provided that, when the recorded personal information is processed by non-automated means, it forms part of a filing system or is intended to form part thereof); and
  • processing where the responsible party is domiciled in South Africa, or is not domiciled in South Africa but makes use of automated or non-automated means in South Africa, unless those means are used only to forward personal information through South Africa.

The ECT Act applies in respect of any electronic transactions or data messages.

3. DEFINITIONS

Not applicable.

4. IMPLEMENTATION OF AN INFORMATION MANAGEMENT SYSTEM/FRAMEWORK

4.1. Cybersecurity training and awareness

None, as the cybersecurity law is still to be drafted.

4.2. Cybersecurity risk assessments

None, as the cybersecurity law is still to be drafted.

4.3. Vendor management

None, as the cybersecurity law is still to be drafted.

4.4. Accountability/record keeping

Section 60 of POPIA empowers the Information Regulator to issue codes of conduct, which must incorporate all the conditions for the lawful processing of personal information or set out obligations that provide a functional equivalent of all the obligations set out in those conditions, and prescribe how the conditions for the lawful processing of personal information are to be applied, or are to be complied with, given the particular features of a sector or sectors of society in which the relevant responsible parties are operating.

A code of conduct may apply in relation to a specified information or class of information, any specified body or class of bodies, any specified activity or class of activities, or any specified industry, profession or vocation or class of industries, professions or vocations.

5. DATA SECURITY

A responsible party (i.e. data controller), under Section 19 of POPIA, must ensure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent:

  • the loss, damage to, or unauthorised destruction of personal information; and
  • the unlawful access to or processing of personal information.

In order to give effect to this requirement, the responsible party must take reasonable measures to:

  • identify all reasonably foreseeable internal and external risks to personal information in their possession or under their control;
  • establish and maintain appropriate safeguards against the risks identified;
  • regularly verify that the safeguards are effectively implemented; and
  • ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

The King IV Report requires the board of a company to monitor the security of information continually and to exercise ongoing oversight of technology and information management. Furthermore, the King IV Report requires that the board proactively monitor intelligence to identify and respond to incidents, including cyberattacks, and manage the performance of, and risks pertaining to, third-party and outsourced services.

The Minister of Communications ('the Minister') may prescribe (Section 55 of the ECT Act):

  • the minimum standards or prohibitions in respect of the general management of critical databases;
  • access to, transfer, and control of critical databases;
  • infrastructural or procedural rules and requirements for securing the integrity and authenticity of critical databases;
  • the procedures and technical methods to be used in the storage or archiving of critical databases;
  • disaster recovery plans in the event of loss of critical databases or parts thereof; and
  • any other matter required for the adequate protection, management, and control of critical databases.

6. NOTIFICATION OF CYBERSECURITY INCIDENTS

Responsible parties must inform the Information Regulator and the data subject (unless the identity of the data subject cannot be established) where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person (Section 22 of POPIA). The notification must be made as soon as reasonably possible after discovery of the compromise. The responsible party may only delay notification to the data subject if a public body responsible for the prevention, detection, or investigation of offences, or the Information Regulator, determines that notification will impede a criminal investigation by the public body concerned.

Notification must be made in writing and must be communicated to the data subject by post (to the data subject's physical or postal address), by email, by placement in a prominent position on the responsible party's website, by publication in a newspaper, or as directed by the Information Regulator.

The Information Regulator may direct a responsible party to publicise the fact of any compromise to the integrity or confidentiality of personal information if the Information Regulator has reasonable grounds to believe such publicity would protect a data subject who may be affected by the compromise.

7. REGISTRATION WITH AUTHORITY

Certain officers of public and private bodies are designated as information officers in terms of Section 1 of the Promotion of Access to Information Act, 2000 (Act 2 of 2000) ('PAIA'). Public and private bodies are required to make provision for the designation of such number of persons, if any, as deputy information officers as is necessary to perform the duties and responsibilities of the information officer (Section 56 of POPIA). Information officers must be registered with the Information Regulator before taking up their duties (Section 55(2) of POPIA).

The Minister may, by notice in the Gazette, determine the requirements for registration of critical databases with the Department of Communications, and other matters relating thereto (Section 54 of the ECT Act).

8. APPOINTMENT OF A SECURITY OFFICER

Certain officers of public and private bodies are designated information officers, whose functions include ensuring compliance with the provisions of POPIA, including as regards the security of personal information.

9. SECTOR-SPECIFIC REQUIREMENTS

Financial services

The South African Reserve Bank has issued Directive D3/2018 on Cloud Computing and Offshoring of Data ('Directive D3/2018'), in terms of Section 6(6) of the Banks Act 94 of 1990, and Guidance Note G5/2018 on Cloud Computing and Offshoring of Data, in terms of Section 6(5) of the Banks Act 94 of 1990.

Directive D3/2018 is applicable to all banks, controlling companies, branches of foreign institutions and auditors of banks or controlling companies and has been effective from 1 October 2018.

In accordance with Directive D3/2018, banks are required to put in place a formally defined and board-approved data strategy and data governance framework (paragraph 2.2.1 of Directive D3/2018). Banks must also ensure that their risk and control frameworks, including their application, are designed and operating effectively to manage the risks associated with the use of cloud computing and/or the offshoring of data (paragraph 2.2.4 of Directive D3/2018).

The South African Reserve Bank is planning to introduce new rules on the use of digital currencies and cryptocurrencies, in a bid to stop them from being used to evade currency controls. The rules are expected to be put in place during the first quarter of 2020.

On 16 April 2021, the Information Regulator published the proposed Code of Conduct from the Credit Bureau Association ('CBA'), which deals with how personal information will be processed in the credit sector. The purpose of the Code of Conduct is to promote appropriate practices by members of the CBA governing the processing of personal information, to encourage the establishment of appropriate agreements between members of the CBA and third parties, and to establish procedures to guide members of the CBA in their interpretation of POPIA and other laws governing the processing of personal information. The Information Regulator is reviewing the submissions received on the draft Code of Conduct.

Directive D12/2019 on the Reporting of Material Information Technology and/or Cyber Incidents sets out the minimum reporting requirements for material IT and cyber incidents.

Health

The National Digital Health Strategy for South Africa 2019–2024 ('the Strategy'), developed by the Department of Health, lists, as one of the nine strategic interventions to be achieved by 2024, the formulation of national legislation and a policy and regulatory framework for digital health. The Strategy provides for a review of the existing digital health regulatory landscape and the development of new regulations focusing on data protection, data sharing between the private and public sectors, and cybersecurity. The Strategy also provides for the establishment of a cybersecurity policy, which will include developing the required leadership capacity and decision-making structures in order to build effective threat assessment and mitigation strategies as part of the Strategy's implementation.

The Health Professions Council of South Africa has published Guidelines for Good Practice in the Health Care Professions: Confidentiality: Protecting and Providing Information, which include requirements to be satisfied in respect of the security of personal information. Section 11 requires that, if necessary, health care practitioners take appropriate authoritative professional advice on how to keep information secure before connecting to a network, and record the fact that they have taken such advice. Health care practitioners must also make sure that their own fax machines and computer terminals are in secure areas. If they send data by fax, they must satisfy themselves, as far as is practicable, that the data cannot be intercepted or seen by anyone other than the intended recipient.

Telecommunications

Not applicable.

Employment

Not applicable.

Education

Not applicable.

Insurance

Not applicable.

10. PENALTIES

In terms of penalties for non-compliance, POPIA provides that:

  • the Information Regulator may issue enforcement notices requiring that the responsible party (i.e. the data controller) take specific steps or refrain from taking such steps, or to stop processing personal information in the manner set out in the notice (Section 95 of POPIA);
  • a data subject or the Information Regulator (at the request of the data subject) may institute action for damages (Section 99 of POPIA);
  • any person convicted of an offence under POPIA is liable, upon conviction, to a fine or to imprisonment of between 12 months and 10 years (Section 107 of POPIA); and
  • the Information Regulator may issue an administrative fine of up to ZAR 10 million (approx. €581,310) (Section 109 of POPIA).

In addition, the ECT Act provides that a critical database administrator which fails to comply with its obligations and fails to take remedial action within the prescribed period is guilty of an offence, and is liable, upon conviction, to a fine or imprisonment for a period not exceeding 12 months (Section 89(1) of the ECT Act).

Persons who commit offences under the Cybercrimes Act are liable, on conviction, to a fine, to imprisonment for a period of between two and 15 years (depending on the offence committed), or to both a fine and imprisonment (Sections 19 and 23 of the Cybercrimes Act).

11. OTHER AREAS OF INTEREST

Pending the enactment and/or implementation of cybersecurity law, cyberattacks have increased in South Africa.

Critical Information Infrastructure Operators

Chapter IX of the ECT Act applies to critical database administrators and critical databases or parts thereof. Under the ECT Act the following definitions are applicable:

  • Critical Database Administrator: A person responsible for the management and control of a critical database (Section 1 of the ECT Act).
  • Critical Database: A collection of critical data in electronic form where it may be accessed, reproduced or extracted (Section 1 of the ECT Act).
  • Critical Data: Data that is declared by the Minister to be of importance to the protection of the national security of South Africa or the economic and social well-being of its citizens (Section 1 of the ECT Act).

Tebogo Sibidla Director
[email protected]
Werksmans Attorneys, Johannesburg
