
InfoReg receives mounting data privacy complaints

By Sibahle Malinga, ITWeb senior news journalist.
Johannesburg, 06 Mar 2025
There is general POPIA non-compliance by the public and private bodies, says the Information Regulator.

The Information Regulator (InfoReg) has received thousands of complaints from the public, related to the mishandling of personal data by private and public organisations.

From 1 April 2024 to date, the information watchdog has received “an alarming” 2 023 complaints from the public, specifically relating to data security compromises, it says.

Another 1 092 complaints have been lodged against direct marketing, gated complexes and local organisations that have allegedly failed to comply with the requirements of the Protection of Personal Information Act (POPIA).

This is according to advocate Tshepo Boikanyo, executive responsible for POPIA at the InfoReg, speaking yesterday at the annual stakeholder consultative session held by the regulator.

After recently concluding its planning process for the 2025/2026 financial year, the regulator briefed the media and stakeholders on its annual performance plan.

“We have growing volumes of complaints that we've received and the complaints are becoming more complex, leading to longer investigation periods. A high number of complaints are related to residential and business complexes with gated access,” said Boikanyo.

“Public and private bodies are also failing to comply with requirements. Limited resources within the Information Regulator’s office are leading to fewer responsible parties being assessed. There is insufficient staff to manage and handle the complaints effectively. These complaints keep getting more and more complex, and we have gotten to a point where we are utilising our ICT resources.”

In June, the InfoReg noted that in the 2023 financial year (February 2024), the number of reported security compromises by local firms spiked to over 1 700 – more than triple the amount of the previous year.

Advocate Tshepo Boikanyo, executive responsible for POPIA at the Information Regulator. (Image source: Information Regulator)

The InfoReg is, among other duties, empowered to monitor and enforce compliance by public and private bodies with the provisions of POPIA − South Africa’s data privacy law.

As of 30 June 2021, it took over the regulatory mandate functions relating to the Promotion of Access to Information Act from the South African Human Rights Commission.

According to Boikanyo, direct marketing is a major source of concern, as the regulator has received a growing number of complaints relating to this area. Over the past year, it has taken a strong stance against direct marketing firms.

The non-compliance of FT Rams Consulting resulted in an administrative fine of R200 000 being imposed against the direct marketing firm, he added.

“We have issued the first penalty to a direct marketing company, called FT Rams Consulting, for unsolicited direct marketing via e-mail. This was after the complainant had requested the responsible party to stop sending these messages and this was not heeded to. We then sent an enforcement notification.”

The regulator found that the company failed to adhere to POPIA and contravened sections 69 (1) and (2) and subsequently other sections of POPIA, by transmitting to the data subject, without first obtaining their consent, persistent direct marketing communications through e-mails pertaining to the courses or webinars which it offered.

Complex situation

The InfoReg also received mounting complaints from members of the public who are concerned about the handling of data at residential or commercial complex gates. They are often forced to share sensitive personal data upon entry, without any reassurance that it will be kept secure, noted Boikanyo.

“The regulator will develop a code of conduct for the processing of personal information by gated communities. This code aims to ensure complex communities adhere to the provisions of POPIA when handling the personal data of residents and visitors.”

There is general non-compliance with the provisions of POPIA by the public and private bodies, he added. When conducting assessments, the InfoReg has found the private sector is investing more in compliance resources than the public sector – something that is of concern to the regulator.

“Within government bodies, we find that the issue of POPIA compliance is dealt with as a ‘by the way’ issue. It's a source of irritation to comply with POPIA for some of these entities. But, within the private sector, we can see there is a concerted effort. The responsible parties are ensuring they put mechanisms in place to comply with the provisions of the Act.”

Many complaints are either being assessed, or remain under investigation, with the limited number of investigators posing a challenge to deal with each one adequately, he said.

According to Boikanyo, the regulator’s target is to have 85% of simple complaints investigated and resolved, typically within the prescribed time frame of three months, through mediation or settlements focusing on quick and effective resolution.

“Another target is to have 60% of complex complaints be investigated and resolved within the prescribed time frame. These complaints require more than three months to fully investigate and resolve, due to their complexity, which involves detailed investigations and potential legal reviews.

“As we continue conducting our work, we anticipate there will be push-back from responsible parties and a rise in litigation cases. At the moment, we have ongoing litigation with WhatsApp and the Department of Basic Education.”
