In an increasingly interconnected world, the protection of personal information has become a paramount concern for individuals, businesses and governments alike. Recognising the importance of safeguarding sensitive personal information and upholding the right to privacy, countries worldwide have enacted comprehensive data protection legislation. In South Africa this took the form of the Protection of Personal Information Act No 4 of 2013 (“Act”), which became fully enforceable on 1 July 2021 after a one-year grace period. In this article we investigate the consequences of non-compliance with the provisions of the Act, with a specific focus on the recent case involving the Department of Justice and Constitutional Development (“DoJ&CD”).
Administrative fines are largely regulated by section 109 of the Act, which provides that if a responsible party is alleged to have committed an offence in terms of the Act, the Information Regulator (the regulatory body created in terms of the Act) (“Regulator”) may cause an infringement notice to be delivered to that person (“Infringer”). The notice must contain, amongst other things, the following particulars:
- the name and address of the Infringer;
- the particulars of the alleged offence; and
- the amount of the administrative fine payable, which amount may not exceed R10 million.
Should the Infringer fail to comply with the requirements of the notice, the Regulator may file with the clerk or registrar of any competent court a statement setting forth the amount of the administrative fine payable by the Infringer, and such statement thereupon has all the effects of a civil judgment lawfully given in that court in favour of the Regulator for a liquid debt in the amount specified in the statement.
On 9 May 2023, the Regulator took its first enforcement action of this kind against the DoJ&CD by issuing an enforcement notice after finding that the DoJ&CD had contravened several sections of the Act (“Enforcement Notice”).
This decision followed a security breach of the DoJ&CD’s IT systems, which left those systems unavailable to employees and disrupted public services. In response, the Regulator conducted an own initiative assessment to investigate the data breach and its implications.
In that assessment the Regulator determined that the DoJ&CD had failed to implement sufficient technical measures to monitor for and detect unauthorised data exfiltration from its systems, which resulted in the loss of approximately 1204 files. The Regulator traced this failure to the DoJ&CD not renewing its Security Information and Event Management (“SIEM”) licence, which had lapsed in 2020. A functioning SIEM would have allowed the department to monitor unusual network activity and to retain backups of its log files; once the licence expired, the critical information held in those logs was no longer available to reconstruct the incident.
The Enforcement Notice further directed the DoJ&CD to provide evidence to the Regulator, within 31 days of receiving it, that the Trend Anti-Virus, SIEM and Intrusion Detection System licences had been renewed. The department was also required to institute disciplinary proceedings against the officials responsible for the licence renewals. The Regulator warned that failure to comply with the Enforcement Notice within the specified timeframe would constitute an offence, in which case the Regulator could impose an administrative fine of up to R10 million on the DoJ&CD, or alternatively the responsible officials could face fines or imprisonment upon conviction.
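The failure the Regulator describes above is operational rather than exotic: a monitoring tool stopped working because nobody noticed its licence had lapsed, a log source went dark, and a large outbound transfer went undetected. The script below is an added example (it is not part of the article, the Enforcement Notice, or any DoJ&CD system) showing the three minimal checks a security team would run to catch each of those conditions early. All licence entries, heartbeat timestamps and traffic figures are constructed for illustration; the product names and thresholds are assumptions, not facts from the notice.

```python
"""
Added example: three lightweight health checks that address the failure modes
described in the Enforcement Notice. Inventory, heartbeat and traffic data
are constructed for illustration only.
"""
from datetime import date, datetime, timedelta
from statistics import mean, pstdev

# Constructed licence inventory (assumption: products and expiry dates are illustrative)
LICENCES = [
    {"product": "SIEM", "expires": date(2020, 6, 30)},
    {"product": "Anti-Virus", "expires": date(2023, 8, 1)},
    {"product": "IDS", "expires": date(2024, 1, 31)},
]


def check_licences(inventory, today, warn_days=90):
    """Return (expired, expiring) as lists of (product, days).

    'expired' carries the number of days the licence has already been lapsed;
    'expiring' carries the days remaining when that is within warn_days, so a
    renewal is raised long before the tool silently stops working.
    """
    expired, expiring = [], []
    for item in inventory:
        days_left = (item["expires"] - today).days
        if days_left < 0:
            expired.append((item["product"], -days_left))
        elif days_left <= warn_days:
            expiring.append((item["product"], days_left))
    return expired, expiring


# Constructed heartbeat table: last time the SIEM received an event from each source
LAST_EVENT = {
    "firewall-01": datetime(2023, 7, 3, 9, 55),
    "dc-01": datetime(2023, 7, 3, 9, 58),
    "fileserver-01": datetime(2023, 7, 1, 23, 10),  # silent for over a day
}


def silent_sources(last_event, now, max_gap=timedelta(hours=1)):
    """Return {source: gap} for sources whose last event is older than max_gap.

    A log source that stops sending is itself a security event: without its
    records a later breach cannot be reconstructed, which is exactly the
    evidence gap the Regulator found.
    """
    return {src: now - ts for src, ts in last_event.items() if now - ts > max_gap}


# Constructed per-host daily egress in megabytes: 14 days of baseline, then today
EGRESS_HISTORY = {
    "fileserver-01": [120, 135, 110, 128, 140, 115, 122, 131, 118, 125, 133, 119, 127, 130],
    "workstation-07": [8, 12, 9, 11, 10, 7, 13, 9, 10, 12, 8, 11, 9, 10],
}
EGRESS_TODAY = {"fileserver-01": 2450, "workstation-07": 11}


def egress_anomalies(history, today, sigma=3.0, min_ratio=3.0):
    """Flag hosts whose outbound volume today exceeds mean + sigma * stdev of
    their own baseline AND is at least min_ratio times that mean.

    The second condition stops a very stable host with a tiny stdev from being
    flagged on a trivial increase. Returns {host: ratio_to_baseline_mean}.
    """
    flagged = {}
    for host, series in history.items():
        mu, sd = mean(series), pstdev(series)
        value = today.get(host, 0)
        if value > mu + sigma * sd and value >= min_ratio * mu:
            flagged[host] = round(value / mu, 1)
    return flagged


if __name__ == "__main__":
    run_date = date(2023, 7, 3)
    expired, expiring = check_licences(LICENCES, run_date)
    print("expired licences:", expired)
    print("expiring within 90 days:", expiring)
    print("silent log sources:", silent_sources(LAST_EVENT, datetime(2023, 7, 3, 10, 0)))
    print("egress anomalies (ratio to baseline):", egress_anomalies(EGRESS_HISTORY, EGRESS_TODAY))
```

Run on the constructed data, the licence check reports the SIEM entry as lapsed for roughly three years and the anti-virus entry as due within the warning window, the heartbeat check reports the file server as silent, and the egress check flags the same file server at roughly twenty times its baseline. The point of keeping the three checks independent of the SIEM itself is that a lapsed SIEM cannot report its own absence; the licence and heartbeat checks must run from a separate scheduler.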
On 3 July 2023, the Regulator took further action against the DoJ&CD by issuing an infringement notice requiring the DoJ&CD to pay an administrative fine of R5 million for its non-compliance with the Enforcement Notice.
The case study involving the DoJ&CD highlights the real-world implications of failing to comply with the Act’s requirements and serves as a reminder to all entities handling personal information to take their data protection responsibilities seriously. The Regulator is taking a serious stance on any non-compliance with the Act and we can expect to see more fines being issued to non-compliant entities in the future.
Adhering to the Act not only protects the privacy of individuals but also helps prevent costly breaches and potential legal consequences. As technology continues to advance, maintaining a strong commitment to data protection and complying with relevant legislation becomes increasingly imperative for organisations and individuals alike.
VDMA’s team of experts is available to assist you and your business in ensuring full compliance with the provisions of the Protection of Personal Information Act No. 4 of 2013 (“POPI”), including the drafting of POPI manuals and privacy policies, the conducting of POPI training, or any other POPI compliance needs you may have.