In another landmark decision, SA’s data privacy enforcer the Information Regulator (InfoReg) has slapped the Department of Basic Education (DBE) with a R5 million fine.
This marks the second time a South African organisation has been fined under the country’s Protection of Personal Information Act (POPIA)data privacy law.
In 2023, the regulator issued a R5 million fine against the Department of Justice and Constitutional Development after it suffered a ransomware attack on its IT systems that resulted in personal information of data subjects being compromised during the attack.
Yesterday, the information watchdog issued an infringement notice to the DBE, in which it orders the department to pay an administrative fine of R5 million following its failure to comply with the enforcement notice issued by the regulator 18 November 2024.
The education department was issued with an enforcement notice last month, for contravention of various sections of POPIA.
The regulator says the enforcement notice ordered the DBE to provide an undertaking “that it will not publish the results of the 2024 matriculants in the newspapers” within 31 days from the date on which the order was served.
It also ordered that the department “must not publish the results for the 2024 matriculants in newspapers and must make these results available to the learners using methods that are compliant with POPIA”.
The regulator indicated that should the DBE fail to abide by the enforcement notice within the stipulated timeframe, “it will be guilty of an offence, in terms of which the regulator may impose an administrative fine in the amount not exceeding R10 million, or liable upon conviction to a fine or to imprisonment of the responsible officials”.
Accordingly, the 31 days given to the department expired on 19 December.
“To date, the department has not provided the regulator with an undertaking that it will not publish the results of the 2024 matriculants in the newspapers as ordered in the enforcement notice or any other communication in that regard,” it says.
“The DBE had the right to appeal the enforcement notice in terms of section 97(1) of POPIA. POPIA provides amongst others that if an appeal is brought, the enforcement notice need not be complied with pending the determination or withdrawal of the appeal. The regulator had not been served with the appeal application by close of business on 19 December 2024 despite media reports that the DBE had lodged an appeal against the decision of the regulator in the high court.”
Advocate Pansy Tlakula, chairperson of the Information Regulator, explains: “We understand it from media reports that the DBE intends to publish the matric results in the newspapers on or about 13 January 2025, something which it is prohibited from doing by the enforcement notice issued by the regulator.
“The DBE cannot disobey lawfully issued orders of the regulator without following the procedure stipulated in POPIA. The two (2) orders issued by the Information Regulator against the DBE have the fullest legal force and effect and must be complied with by the DBE until set aside or suspended by an appeal served upon the regulator timeously.”
According to the regulator, it had not yet been served with the DBE’s appeal against the orders issued against it. “For this reason, these orders remain of full force and effect and must be complied with.”
The Information Regulator, headed by Tlakula, is mandated to ensure organisations put in place measures to protect the data privacy of South Africans in terms of POPIA.
Under POPIA, organisations must inform the InfoReg if they expose the personal information of data subjects to unauthorised third-parties without their approval.
The Act sets down firm frameworks that companies must abide by to avoid fines, criminal persecution and potential reputation loss. Perpetrators can face fines of up to R10 million or 10 years of imprisonment, depending on the seriousness of the breach.
In terms of POPIA, a responsible party who fails to comply with an enforcement notice is guilty of an offence, and the regulator may cause to be delivered by hand an infringement notice to a responsible party who has committed an offence as provided for in section 109(1) of POPIA.
The DBE has failed to comply with the enforcement notice, states the regulator.
“Since the regulator has not received the DBE’s undertaking not to publish the results of the 2024 matriculants in the newspapers, the DBE is in breach of the orders issued by the regulator. Consequently, the regulator has issued an infringement notice against the DBE.
“The DBE has 30-days from 23 December 2024 to pay the administrative fine or make arrangements with the regulator to pay the administrative fine in instalments or elect to be tried in court on a charge of having committed the alleged offence referred in terms of POPIA.”
The DBE was served with an enforcement notice in November, after it failed to obtain consent for the publication of matric results from learners or parents/guardians of learners that sat for the 2023 National Senior Certificate examinations.
Resultantly, the InfoReg directed the 2024 matric results should not be published in newspapers, with the results made available to the learners using methods that are compliant with POPIA, such as each learner obtaining their result from the school or using the secure SMS platform of the DBE which enables each learner to access their results confidentially.
However, the education department lodged an application to set aside the enforcement notice issued by the InfoReg regarding the publication of matric results in newspapers.
The DBE stated that “the appeal means that the enforcement notice has been suspended and that the department will proceed and release results to media houses who will publish in terms of the established practice in which only exam numbers are used.”
Share