South Africa: Beware – Information Regulator issues first fine of ZAR 5 million under POPIA

5 July 2023

Overview

  • On 3 July 2023, the South African Information Regulator issued its first administrative fine of ZAR 5 million against the Department of Justice and Constitutional Development (DoJ&CD) for its failure to comply with an enforcement notice issued to it by the Regulator under the Protection of Personal Information Act (POPIA).
  • The DoJ&CD suffered a security compromise in 2021 which severely impacted its electronic systems and resulted in the loss of approximately 1 204 files containing personal information.
  • The Regulator found that the DoJ&CD had failed to implement adequate security measures and to comply with the duty to notify security compromises and issued an enforcement notice in May 2023.
  • The DoJ&CD did not exercise its right to appeal the enforcement notice, nor did it comply with it.

It has been two years since the provisions of the Protection of Personal Information Act (POPIA) became enforceable. Since then, the Information Regulator has been proactively taking steps to monitor and enforce POPIA and issued its first administrative fine in the amount of ZAR 5 million against the Department of Justice and Constitutional Development (DoJ&CD) on 3 July 2023.

The DoJ&CD suffered a security compromise in 2021 which severely impacted its electronic systems and resulted in the loss of approximately 1 204 files containing personal information. After conducting an assessment into the security compromise, the Regulator found that the DoJ&CD had interfered with the protection of personal information by failing to inter alia:

  • put in place adequate technical security measures;
  • renew its software licences, including its intrusion detection licence which would have flagged access to its network by unauthorised persons; and
  • notify the Regulator of the security compromise.

As a result, the Regulator issued an enforcement notice against the DoJ&CD on 9 May 2023, in terms of which it was ordered to, among other things, submit proof within 31 days of receipt of the notice that it had:

  • renewed its antivirus software licences;
  • instituted disciplinary proceedings against the officials responsible;
  • provided training on POPIA to all staff;
  • implemented reasonable measures to identify internal and external risks to personal information; and
  • implemented a POPIA compliance framework and incident response plan.

In terms of POPIA, a responsible party who is issued with an enforcement notice has the right to appeal the notice to the High Court within 30 days for the setting aside or variation of the notice. Further, a responsible party who fails to comply with, or successfully appeal, an enforcement notice is guilty of an offence and liable upon conviction to a fine or imprisonment for a period not exceeding 10 years or to both such a fine and imprisonment.

The DoJ&CD did not exercise the right to appeal the notice and, to date, has failed to comply with the terms of the enforcement notice.

POPIA empowers the Regulator to issue an infringement notice to a responsible party that is alleged to have committed an offence in terms of POPIA. The infringement notice may impose an administrative fine not exceeding ZAR 10 million. When determining an appropriate fine, the Regulator is required to consider several factors, including, for example, the nature of the personal information involved, the duration and extent of the contravention, the number of data subjects affected, the likelihood of damage or distress, and whether the responsible party could have prevented the contravention or has previously committed an offence in terms of POPIA.

The Regulator accordingly elected to issue the DoJ&CD with an administrative fine and determined that ZAR 5 million is an appropriate fine in this matter. The DoJ&CD has 30 days to pay the fine or to make arrangements with the Regulator to pay the fine in instalments. Alternatively, the DoJ&CD may elect to be tried in court on a charge of having committed the alleged offence referred to in terms of POPIA.

To make matters worse, the DoJ&CD was subject to a further security compromise in April this year in which cybercriminals targeted the Department’s Guardian’s Fund and made off with ZAR 18 million. The compromise was reported to the Regulator several days later.

The Regulator continues to be increasingly active and is conducting a number of assessments in respect of various sectors.

The Regulator has once again shown that it is not afraid to exercise its powers under POPIA. It is accordingly imperative that organisations ensure that they are fully compliant with their obligations under POPIA. Should the Regulator find that an organisation has interfered with the protection of personal information and elect to institute enforcement proceedings, organisations should ensure that they either comply with the enforcement proceedings or appeal such proceedings timeously. Organisations that fail to take any action do so at their own peril.