Information Regulator under pressure as complaints mount
The Information Regulator has been accused of taking too long to respond to queries about unauthorised disclosure of personal information.
One ITWeb reader raised these concerns after a local university illegally sent out his e-mail address. ITWeb has seen 1 100 e-mail addresses the university sent without the data subjects’ consent.
A second reader alleges he has been waiting to hear back from the regulator for over two months about Promotion of Access to Information Act manual templates.
Dr Peter Tobin, director of Peter Tobin Consultancy and an information governance specialist, says he launched his complaint in November and the issue has not been resolved to date.
Another reader, John Cato, who is founder and CEO of IACT-Africa, shares similar sentiments, saying his complaint was raised in March, to no avail.
Headed by advocate Pansy Tlakula, the Information Regulator is, among other duties, empowered to monitor and enforce compliance by public and private bodies with the provisions of South Africa’s data privacy law, the Protection of Personal Information Act (POPIA).
As of 30 June 2021, the Information Regulator took over the regulatory mandate functions relating to the Promotion of Access to Information Act from the South African Human Rights Commission.
Who watches the watchdog?
Says Tobin: “I wish to complain that I have not given my consent nor do I have a contract with the university for my e-mail address to be disclosed to all the other addressees for this e-mail.”
He laments that the overall experience is poor. “The Information Regulator is very slow to respond to e-mails, if at all. Six months to give me a decision on a simple complaint is not acceptable.
“The regulator must implement service levels and measure achievement and declare their performance in their annual report.”
He adds the information watchdog should be better staffed to deliver the support South African citizens deserve.
“POPIA has no formal process to complain about the performance of the regulator. This should be addressed. Going to the public protector seems to be the only current option.”
On 25 November, the Information Regulator responded to Tobin, confirming it had received his complaint and provided him with a reference number.
Said the regulator: “Kindly take note that Ms A Maart (investigating officer) will be handling your complaint.”
Cato says he submitted his complaint on 19 March 2022 regarding issues with the Promotion of Access to Information Act manual templates published by the Information Regulator, as well as the lack of information regarding fees that can be charged for processing a request.
“The only correspondence relating to my complaint I have received to date was when I was copied on an e-mail from Mmanoko Mofubetsoane to other Information Regulator staff (Desmond, Amos and Xolanii) on 22 May 2022,” he says.
“I subsequently sent a follow up e-mail to paiacomplaints@inforegulator.org.za on 5 May 2022 requesting progress, to which there has been no response either. To date, I have not received a formal acknowledgement, reference number or any other response relating to my complaint. As a South African citizen, I find this total lack of service unacceptable.”
The complaints come as government departments have faced accusations of not answering phone calls or e-mails.
Last week, opposition party the Democratic Alliance revealed a study it undertook found that seven out of every 10 phone calls or e-mails to national or provincial departments go unanswered.
Escalating need
In response to the accusations, Nomzamo Zondi, spokesperson of the Information Regulator, says it has been inundated with complaints and various POPIA-related compliance applications since its enforcement powers came into effect on 1 July 2021.
Zondi says some complaints, depending on the nature of the complaint, will invariably take longer to resolve; however, this is not the case in all matters that come before the regulator.
“Members of the public and stakeholders may contact our offices during office hours on 010 023 5200 to follow up on matters which they feel are not sufficiently being dealt with.”
According to Zondi, when conducting a pre-investigation on a complaint, the turnaround time, as prescribed in POPIA, is 30 days from the time the complaint was received.
“If a full investigation is being conducted, the timeframe thereof depends on the complexity of a matter and of which the affected party/parties are kept abreast of the progress.
She points out the regulator is adequately staffed; however, there is a rapid increase in the demand for its services.
“These include not only the processing of POPIA complaints (which we have received about 700 of since 1 July 2022), but we also deal with the investigation of data breaches, PAIA complaints, applications for prior authorisations, applications for codes of conduct, applications for exemptions and applications for registration of information officers. Work is carried out by a small group of employees.”
Zondi adds the regulator is assessing the capacity it has against the ability to service the public and stakeholders effectively and efficiently.
She notes the regulator is conducting an organisational development study to introduce systems and techniques which will modify its performance in order to respond favourably to the demand.
“We recognise that for an individual data subject whose complaint remains unresolved over an extended period, this wait will be frustrating, but we appeal to the public to give us time to enhance the efficiencies of our complaints management systems and procedures, considering it has been less than a year since we began accepting complaints from data subjects.
“The regulator strives to be a people-centric and -oriented organisation and therefore will continuously work on improving its systems and approaches to ensure a great customer experience,” she concludes.