Information Regulator Update April 2024

The Information Regulator recently invited media representatives to a meeting to provide an update on its activities during the 2023/2024 financial year.

Those activities are set out in the media briefing available via the link at the end of this post. We have, however, provided a summary of the key points below.

Their activities cover both the Promotion of Access to Information Act (PAIA) and the Protection of Personal Information Act (POPIA), as the Information Regulator is responsible for regulating both laws.

  1. PAIA

The Information Regulator conducted one-hundred and eight (108) PAIA assessments on public and private bodies, including political parties, universities, national & provincial government departments and JSE-listed companies during this period.

The following are the key findings from those assessments:

Thirteen (13) political parties represented in Parliament and one (1) party not represented in Parliament but with a presence in municipal councils nationally were assessed. It was found that about 54% of political parties represented in Parliament are generally non-compliant with PAIA. About 46% of political parties represented in Parliament have some level of compliance but need to improve in certain areas. Therefore, none of the political parties represented in Parliament are fully compliant with PAIA.

Twenty-seven (27) JSE-listed companies were assessed for PAIA compliance, and all 27 private bodies were found to be generally compliant with PAIA, although some areas of improvement are needed.

Thirteen (13) universities have compiled PAIA manuals; however, not all universities' manuals were compliant with section 51 of the Act, and only 40% of the universities made their PAIA manuals available as prescribed.

Twenty-seven (27) national government departments and 27 provincial departments were assessed. All the national government departments, except one, have compiled PAIA manuals. One department, the State Security Agency, is exempted by the Minister of Justice and Correctional Services from compiling a PAIA manual. All provincial departments, except the Northern Cape Department of Agriculture, have compiled their PAIA manuals, but only six (6) provincial departments' manuals comply with PAIA.

Varying levels of PAIA compliance were seen, with few organisations found to fully comply with PAIA in terms of manuals, roles and processes.

  2. POPIA

The Regulator received 982 complaints during the 2023/2024 financial year, and 14 responsible parties were assessed. Of these, 682 complaints were resolved, and 10 assessments were completed and are ready for determination by the Regulator through the issuing of Enforcement Notices.

A few of these have been highlighted to provide a snapshot of the enforcement work that the Regulator has been doing over the last twelve months. These include:

A security compromise/breach was self-reported by TransUnion. The Information Regulator conducted an assessment and determined that TransUnion had a number of information/cyber security deficiencies. TransUnion has been issued with an Enforcement Notice and has been given until 26 May 2024 to submit proof to the Regulator that all the remedial measures in the Enforcement Notice have been implemented.

Dischem suffered a security compromise in May 2022 following a brute-force attack in which the personal information of 3.6 million data subjects was accessed by unauthorised persons.

As with TransUnion, Dischem was found to have a number of information/cyber security deficiencies and was issued with an Enforcement Notice. The deficiencies included:

The Information Regulator has subsequently assessed Dischem again and has found that the shortfalls have been adequately addressed. Dischem will, therefore, not be penalised.

During March 2024, the Information Regulator received two (2) security compromise notifications from the IEC following an unauthorised release of candidate lists for the 2024 national and provincial elections. The Information Regulator has decided to conduct a full POPIA assessment, which is currently in progress.

Part 1: In the previous financial year, the Information Regulator issued an Enforcement Notice against the SAPS for the distribution of personal information of the victims of sexual assault in the Krugersdorp area. The Enforcement Notice instructed SAPS to provide evidence of the measures taken to prevent a recurrence of such a compromise. A satisfactory response was received and the matter has been closed.

Part 2: The Information Regulator has had to initiate another investigation into SAPS for a similar breach of POPIA following the release of personal information via WhatsApp. The breach included details of investigations into the deaths of a prominent businessman and the investigating officer.

The Information Regulator is considering measures to be taken against SAPS for the continued transgression of POPIA requirements.

The Information Regulator has commenced its own-initiative investigation of the CIPC following the much-publicised security compromise of their systems. The compromise allegedly involved the exposure of personal information of many company directors.

An assessment is currently underway by the Information Regulator.

  3. Observations

As can be seen, the Information Regulator has become far more active during the past financial year. It has responded to complaints and to self-reported compromises/breaches of personal information. It has also undertaken its own assessments of PAIA and POPIA compliance on its own initiative, without a complaint or notification prompting them.

The POPIA transgressions reported in the update vary in nature, but we see a common thread: shortfalls in the security of personal information, which in turn have resulted in violations of the confidentiality and integrity of that information. These are typically due to a lack of appropriate and reasonable information and cyber security measures being established and maintained, as required by Condition 7: Security Safeguards in POPIA.

The PAIA reports indicate that the level of compliance is generally reasonable, but that shortfalls often exist in organisations' PAIA manuals, the roles responsible for managing requests, and the request forms and related processes.

It is good to note that, where Enforcement Notices have been issued, the Information Regulator has taken a fair approach and has sought resolution rather than imposing penalties.

To date the Regulator has only fined the Department of Justice and Constitutional Development, R 5 million for a security compromise. This does not mean that we should be complacent about compliance with POPIA and PAIA. The Information Regulator is empowered to impose fines of up to R 10 million or, in extreme cases, imprisonment for the head of the organisation.

In view of the Information Regulator's update and related activities, it has become more important than ever to ensure that your POPIA and PAIA compliance frameworks are in a healthy state.

Please do not hesitate to contact us if you have any concerns about your state of POPIA or PAIA compliance.

Please click here to read the full Information Regulator Media Update.

Prepared by: John Cato

Certified Data Protection Officer (CDPO)

12 April 2024
