South Africa: Information Regulator issues decision about police breach of POPIA

On 5 April 2023, the Information Regulator of South Africa released the outcomes of matters the office has investigated in terms of the Protection of Personal Information Act 4 of 2013 (POPIA). This included a report on the investigation conducted under section 90 of POPIA in relation to the South African Police Service (SAPS) concerning a leak of personal information of several survivors of a high-profile sexual assault case in Krugersdorp in July 2022.

Following the sexual assaults, the personal information of the survivors, including their names, ages, addresses, and the details surrounding their assaults, was distributed via WhatsApp to several people within the South African Police Service (SAPS) and later on social media platforms. In response to this this, the Information Regulator issued a summons against the SAPS on 29 August 2022 following their failure to provide sufficient information based on the initial Information Notice.

After conducting an ‘own-initiative’ investigation, the Regulator found that the SAPS had violated several provisions of POPIA, including processing personal information unlawfully and unreasonably, failing to take reasonable technical measures to prevent unlawful access to personal information, and not complying with the duty to notify the Regulator and data subjects of the security compromise.

The Regulator issued an Enforcement Notice ordering the SAPS to notify data subjects of the security compromise, publish an apology, investigate the responsible members, and provide POPIA training in all SAPS training programmes.

• The Information Regulator’s media statement can be accessed here.

Please note: The information contained in this note is for general guidance on matters of interest, and does not constitute legal advice. For any enquiries, please contact us at [email protected].