Why Every Healthcare Practice Needs a Robust SOP for Information Security Incidents – Urgent Action Required Now

South Africa’s data breach crisis is accelerating, and the Information Regulator is intensifying enforcement. Healthcare practices—handling highly sensitive patient health data—are squarely in the crosshairs. In the 2024/25 financial year, the Regulator received 2,374 security compromise reports (averaging 198 per month). The trend continued sharply upward: from April to late 2025, reports reached approximately 1,947 (averaging 284 per month), marking a 40% increase in reported incidents. Projections for 2025/26 estimate up to 2,500 reports, with healthcare remaining a high-risk sector due to the volume and sensitivity of personal health information.

The Regulator’s 2025/2026 Strategic Plan prioritises bolstering breach response capacity, including team reconfiguration, enhanced online tools, and stricter oversight. The mandatory eServices portal (launched 1 April 2025) now requires all breach notifications to be submitted online—no more email-only reports. Recent enforcement sends a clear message: non-compliance carries real consequences. In late 2025, a well-known pathology laboratory was fined R100,000 via an infringement notice after failing to comply with an enforcement notice. The issues included inadequate notification of affected data subjects and systemic security shortcomings—precisely the kind of failures that a tested incident response plan could prevent.

POPIA Section 22: Mandatory Breach Notification – No Exceptions
If there are reasonable grounds to believe a security compromise has occurred (unauthorised access, loss, theft, or acquisition of personal information), you must:

  • Notify the Information Regulator and affected data subjects as soon as reasonably possible.
  • Provide full details: nature of the breach, remedial measures (taken and planned), and practical advice for data subjects to mitigate harm.
  • Submit via the mandatory eServices portal.

Non-compliance risks:

  • Administrative fines up to R10 million
  • Enforcement notices
  • HPCSA disciplinary referrals (for breaching ethical confidentiality duties)
  • Reputational damage and patient civil claims

The Essential Role of a Standard Operating Procedure (SOP) for Security Incidents
A documented, tested SOP (or data breach response plan) is the cornerstone of compliance. It transforms legal obligations into clear, repeatable actions and demonstrates accountability to the Regulator.

Every healthcare SOP should cover:

  • Defined roles and responsibilities (Information Officer, Deputy IO, IT, clinical staff, leadership)
  • Incident identification, classification, and escalation (e.g., ransomware, lost devices, unauthorised EHR access)
  • Containment, eradication, recovery, and notification timelines
  • Post-incident review, lessons learned, and continuous improvement
  • Staff training, regular drills, and integration with your overall POPIA framework (aligned with HPCSA Booklet 9 and ISO 27799)

Without a robust, practice-tested SOP, even diligent teams risk delayed notifications, incomplete responses, or overlooked mitigation—issues the Regulator scrutinises rigorously.

Why Act Immediately?

  • Breach volumes are surging, and the Regulator is building enforcement muscle.
  • Healthcare’s special personal information (health data) attracts heightened scrutiny.
  • Cases like Lancet prove that reactive or incomplete responses lead to penalties.
  • A strong SOP safeguards patients, minimises liability, and provides defensible evidence during audits, investigations, or complaints.

Practical Next Steps for Your Practice

  1. Develop or audit your Incident Response SOP—ensure full alignment with Section 22 and eServices portal requirements.
  2. Conduct tabletop exercises or simulations to test effectiveness.
  3. Train all staff annually on breach recognition and response protocols.
  4. Maintain comprehensive documentation (logs, notifications, reviews)—your strongest defence.
  5. Integrate with HPCSA ethical guidelines and ISO 27799 security controls.

POPIA compliance demands proactive protection, not reactive damage control. A well-implemented SOP for information security incidents is a critical pillar—and the Regulator is watching.

We’re Here to Help – Including Live Seminars

Our POPIA Compliance Framework 2026 includes a dedicated category for Managing Personal Information Security Incidents—with ready SOP templates, checklists, registers, and guidance tailored for healthcare.

We also present our popular seminar “The Professional, Ethical, and Legal Role of the Healthcare Receptionist” in various towns across South Africa. This practical session equips front-desk staff with the knowledge to recognise potential security incidents early, handle patient data ethically, comply with POPIA and HPCSA rules, and contribute to effective breach prevention and response.

Contact us today for a personalised quote on the framework, to book your practice for the seminar, or to order directly. Stay vigilant. Protect your patients. Safeguard your practice.

Have any questions? Contact below, call on 061 515 5194 or e-mail directly to marais@assentcompliance.co.za
