Authority: | Eswatini Communications Commission (Eswatini Data Protection Authority (EDPA)) |
---|---|
Jurisdiction: | Eswatini |
Relevant law: | Section 14(1) and 14(2) of the Data Protection Act, 2022 |
Type: | Suo Moto/Regulator's Own Motion |
Outcome: | Violation |
Started: | 7 November 2023 |
Decided: | June 2024 |
Published: | Yes |
Fine: | NA |
Parties: | Liberty Life Swaziland Ltd |
Case No.: | EDPA-NOTICE 4/2024 |
Appeal: | N/A |
Original Source: | Eswatini Communications Commission |
Original contributor: | MZIZI Africa |
Liberty Life Swaziland Limited faced an enforcement notice from the Eswatini Data Protection Authority (EDPA) due to a data breach that occurred in November 2023. The incident involved the accidental disclosure of personal information via email, which was sent to an unintended external recipient. The email contained sensitive data related to 4,174 individuals, including names, identity numbers, and other personal details.
In November 2023, Liberty Life Swaziland Limited (the “Respondent”) experienced a data breach.
The incident involved the accidental disclosure of personal information via email, which was sent to an unintended external recipient.
An employee at Liberty Life Swaziland Limited made an error by mistakenly sending an email intended for internal staff members to an external recipient. The email contained personal and sensitive information of 4,174 data subjects, including names, identity numbers, and other personal details.
The Respondent did not have a dedicated IT Manager but accessed the services through a shared service.
The Respondent's IT system was configured to block emails sent by unauthorised employees, and the email was therefore sequestered in the organisation's servers and was not delivered.
Upon realizing the mistake, the employee attempted to contact the IT Security Manager through a Teams call to report the issue and prevent the email from being released. However, the employee missed a returned call from the IT Security Manager. The IT Security Manager, assuming that the missed call was a request to release the email, proceeded to release it without verifying whether the recipient was authorized.
The Respondent self-reported the breach in accordance with the Eswatini Data Protection Act, 2022, which triggered an impact review by the Data Regulator.
Upon investigation, it was found that Liberty Life had security mechanisms in place that would have prevented the breach. However, the employee's failure to take adequate precautions and the IT department's mistake in releasing the blocked email led to the breach.
The EDPA concluded that Liberty Life had violated several provisions of the Act, particularly regarding the protection of personal data.
The information regulator found as under: