APD guidelines for reporting Cybersecurity accidents and incidents

In this Circular, the APD instructs public and private entities that process personal data to “scrupulously” comply with the rules contained in (i) the Law on the Protection of Personal Data (Lei da Protecção de Dados Pessoais - “LPDP”), (ii) the Law on Electronic Communications and Services of the Information Society (Lei das Comunicações Electrónicas e dos Serviços da Sociedade da Informação - “LCE”) and (iii) the Law on the Protection of Networks and Computer Systems (Lei de Protecção de Redes e Sistemas Informáticos - “LRSI”), regarding the notification of computer accidents and incidents.

The objectives of these guidelines are:

• To publicise the requirements to be considered when reporting  Cybersecurity accidents and incidents involving personal data to the APD;
• To provide information on the legal procedures to be followed in the event of a data breach, while guaranteeing the rights of data subjects.

The notification of Cybersecurity accidents and incidents to the APD is directly related to the APD’s duties as described in Article 44 of the LPDP, regarding the supervision and control of the processing of personal data, together with Article 5 of Presidential Decree 214/16 of 10 October, which approves the APD’s organic statute and entrusts it with the task of ensuring compliance with the legislation on the protection of personal data.

In this regard, the APD recalls that companies subject to the LPDP, LCE and LRSI are obliged to immediately notify the agency of any breach of personal data that could jeopardise the security and privacy of the data subjects.

This notification obligation results from the intersection of various legal provisions contained in the LPDP, the LCE and the LRSI:

• LPDP: Articles 30 and 31 stipulate that those responsible for processing personal data must adopt appropriate security measures to protect the data against risks such as destruction, loss or unauthorised access. As such, the occurrence of any of these circumstances must be reported to the APD in order to assess the consequences and implement the appropriate corrections.
• LCE: Article 55 of this law requires electronic communication operators to notify both the APD and the Angolan Communications Institute (“INACOM”) of any data breach of which they become aware.
• LRSI: Article 35 reinforces the need for organisations subject to this law to adopt appropriate security measures to protect data and to notify the APD in the event of incidents that compromise data security.

Procedures to be adopted

In the event of a personal data breach resulting in destruction, loss, alteration, unavailability, disclosure, unauthorised access or any other security incident, the controller must notify the APD as soon as it becomes aware of it.

The notification must be confidential and must include at least the following details:

• A description of the nature of the personal data breach, including, where possible and appropriate, the type of data breached and the approximate number of data subjects affected.
• A description of the likely consequences of the personal data breach.
• A description of the measures taken or proposed by the controller to remedy the personal data breach, in particular to mitigate any negative effects.

In cases where it is absolutely impossible to provide the information requested, the notification must be accompanied by the reasons for not providing the information, which must be provided at a later stage.

Progress in the APD Guidelines and opportunities for greater clarity

In line with the pedagogical and preventive approach that the APD has taken since its inception, the Guidelines represent a significant step forward in clarifying the obligations of users of personal data.

In order to further assist those obliged to fulfil these obligations, consideration could be given to setting specific deadlines for the notification of incidents, which would provide greater clarity and consistency in the fulfilment of legal obligations.

In addition, the provision of standardised templates or forms for reporting incidents would facilitate the reporting process and ensure that all necessary information is presented in a consistent manner. Clarification of the types of incidents that require immediate reporting and the recommended technical and organisational measures to prevent incidents could also benefit companies.

Conclusion

These APD guidelines play a fundamental role in the context of personal data processing in Angola. With increased monitoring and supervision by the APD, organisations must ensure data processing processes that comply with the law, promoting not only legal compliance, but also the security and protection of data subjects’ privacy.

The implementation of the measures indicated in the APD Circular contributes to the establishment of sound corporate governance, guarantees the protection of the company's reputation and offers a significant competitive advantage in the national and international markets.

In a scenario where the processing of personal data permeates practically every sector of the economy, from e-commerce to banking, health and education services, the application of these guidelines is essential to strengthen the confidence of data subjects and companies in the responsible use of personal data.