InfoReg resolves 70% of POPIA complaints

By Sibahle Malinga, ITWeb senior news journalist.
Johannesburg, 05 Apr 2023

South Africa’s Information Regulator received 895 complaints relating to alleged violation of the Protection of Personal Information Act (POPIA) during the 2022/2023 financial year. Of these, 616 (68.8%) have been resolved.

This is according to advocate Pansy Tlakula, chairperson of the Information Regulator, speaking during a media briefing held at its offices in Tshwane this morning.

Tlakula unpacked the outcomes of some of the high-profile cases on which the info watchdog has been conducting investigations. These cases relate to the Promotion of Access to Information Act (PAIA) and POPIA complaints received, as well as own-initiative assessments.

These included a matter of accessing records related to the South African Police Service (SAPS), industry royalties involving the South African Music Rights Organisation, a matter regarding mining status reports from the Department of Mineral Resources and Energy, and access to patients’ health records from the Eastern Cape Department of Health.

The complaints received, she noted, entail an individual or organisation complaining about a firm’s illegal processing, sharing and storage of personal information, as stipulated in the data protection law.

According to Tlakula, most of the 616 complaints submitted were resolved through settlement or a conciliation and mediation process between the complainant and the responsible party.

“If the complainant and the perpetrator reach a settlement agreement, where the organisation admits to having violated POPIA regulations and they are willing to take certain actions to correct themselves, and both parties agree on the procedure to follow – then the matter is resolved.

“A settlement certificate is then issued detailing the actions that will be taken by the perpetrator in resolving the issue within a certain time frame. However, in instances where the complaint cannot be resolved, the matter will be referred for full investigation.”

According to Tlakula, upon completion of the investigation, a report is shared with the Enforcement Committee for a finding and recommendation of actions to be taken against the information officer or head of the private body in respect of POPIA.

The Information Regulator, which is headed by Tlakula, is mandated to ensure organisations put in place measures to protect the data privacy of South Africans under the POPIA.

It took over the regulatory mandate functions relating to the PAIA from the South African Human Rights Commission in June 2021. The Enforcement Committee consists of external experts and one member of the regulator, and is chaired by advocate Helen Fourie.

Providing an update on the matter between the SAPS and the Krugersdorp sexual assault victims, she pointed out the law enforcement agency faces prosecution if it does not comply with the regulator’s recommendations.

In August, the InfoReg initiated an investigation into an alleged breach of the POPIA by some officials of the SAPS, following a leak of the personal information of the victims of the Krugersdorp attack, circulated on social media platforms such as Facebook.

“The regulator found the SAPS violated several provisions of POPIA, namely, that by distributing the personal information of data subjects in a WhatsApp message, it processed such information unlawfully, unreasonably and in a manner that infringed their privacy and did so without the consent of the data subjects,” noted Tlakula.

She added it would be interesting to see how the SAPS would approach the predicament of “the SAPS prosecuting itself” if it continues ignoring the regulation’s recommendations.

The personal information of data subjects contained in the WhatsApp message was excessive and not relevant for the purpose for which it was distributed. The purpose, according to SAPS, was to alert the respective stations of the serious crime which had been committed in the West Rand, she added.

“The responsible party had failed to take appropriate, reasonable, technical measures to prevent the unlawful accessing of personal information of data subjects as prescribed in POPIA.

“The regulator has, against the above backdrop, among others, ordered that the SAPS notify, within 31 days, the data subjects of the security compromise which relates to their personal information, and publish an apology to data subjects, prominently in major national weekly newspapers and social media platforms, for the unlawful processing of their personal information,” she concluded.
