Subscribe
About
  • Home
  • /
  • Security
  • /
  • POPIA violation lands education dept in hot water

POPIA violation lands education dept in hot water

Simnikiwe Mzekandaba
By Simnikiwe Mzekandaba, IT in government editor
Johannesburg, 14 Nov 2024
The InfoReg found the Department of Basic Education failed to comply with section 11 of POPIA.
The InfoReg found the Department of Basic Education failed to comply with section 11 of POPIA.

The Department of Basic Education (DBE) has become the latest entity to be issued with an enforcement notice for a violation of the Protection of Personal Information Act (POPIA).

This, after it failed to obtain consent for the publication of matric results from learners or parents/guardians of learners that sat for the 2023 National Senior Certificate examinations.

This is according to the Information Regulator (InfoReg), the custodian of SA’s data privacy law.

During a media briefing in September, the InfoReg revealed it had issued four enforcement notices since April, noting the Electoral Commission and WhatsApp among the recipients.

In a statement issued yesterday, the regulator says the DBE was issued with the notice following an assessment of its compliance with POPIA.

The assessment found the department was not compliant with section 11 of POPIA and was in breach of the conditions for the lawful processing of personal information.

Further, it found that no legal justification existed for the DBE to continue with the publication of the matric results in newspapers.

As a result, the InfoReg has directed that the results of the 2024 matriculants should not be published in newspapers.

Instead, the results must be made available to learners using methods that are compliant with POPIA. This includes each learner obtaining their result from the school, or using the DBE’s secure SMS platform, which enables each learner to access their results confidentially.

It says: “In the enforcement notice, the IR [Information Regulator] has directed the DBE to obtain the consent of learners, or the parents/guardians of learners who will write the matric examination in 2025 before publishing their results in newspapers.

“The DBE must also, among others, develop a system which will enable it to obtain the consent of the learners, or their parents/guardians before the publication of their matric results in newspapers.

“The IR has directed that the DBE should not publish the results of the 2025 matriculants if the enforcement notice instructions are not complied with.”

The issue around publishing matric results in newspapers became a contentious one in January 2022, when the DBE decided it would not publish them on any media public platforms, citing compliance with the requirements of POPIA.

At the time, the department said the rule was introduced to respect the right to privacy, to protect against unlawful collection, retention, dissemination and use of personal information belonging to school pupils.

However, the Pretoria High Court ruled the matric results should be published on all media platforms.

The matter was brought before the court’s attention by lobby group AfriForum, Maroela Media and Anlé Spies, a 2021 matriculant.

The court ordered that the results be published via various media platforms without the first names and surnames of the learners, noting only exam numbers should be publicised.

The court’s decision was based on factors such as that not everyone has access to the internet, and that some learners no longer live in the area where their high school is based and might not be able to access their results timeously.

The InfoReg, headed by advocate Pansy Tlakula, is mandated to ensure organisations put in place measures to protect the data privacy of South Africans in terms of POPIA.

Under POPIA, organisations must inform the InfoReg if they expose the personal information of data subjects to unauthorised third-parties without their approval.

The Act sets down firm frameworks that companies must abide by to avoid fines, criminal persecution and potential reputation loss. Perpetrators can face fines of up to R10 million or 10 years of imprisonment, depending on the seriousness of the breach.

Share