It is That Serious: Are You POPIA and PAIA Compliant?

The recent infringement fine of R5 million issued by the Information Regulator against the Department of Justice and Constitutional Development (“the DoJ&CD”) has rung alarm bells across South Africa.

Written By of Cowan-Harper-Madikizela Attorneys

This may be the first of many infringement fines to come and sets the tone on the Information Regulator’s strict attitude towards compliance with the Protection of Personal Information Act 4 of 2013 (“POPIA”).

The infringement fine arises from the DoJ&CD’s failure to comply with the enforcement notice issued by the Information Regulator on 9 May 2023. The enforcement notice followed an own-initiative assessment conducted by the Information Regulator after a ransomware attack on the DoJ&CD’s IT systems during September 2021. The enforcement notice cited the various breaches by the DoJ&CD and, in particular, its failure to, amongst others:

  • put in place adequate access controls to prevent a threat actor from gaining access to about 1204 files;
  • prevent the unauthorised access that enabled the installation of malicious software (Mespinoza ransomware) by an unknown threat actor on its computer processing infrastructure;
  • take reasonable measures to identify all reasonably foreseeable internal and external risks to personal information in its possession;
  • establish and maintain appropriate safeguards against the risks identified, in that it failed to license the antivirus software, to update the Security Incident Event Monitoring licence and to update the Intrusion Detection System licence;
  • regularly verify that the security safeguards against malware threats are effectively implemented, in that the antivirus software had expired more than a year earlier;
  • update its Incident Response Plan to incorporate the applicable provisions of section 22(1); and
  • notify the Information Regulator and the data subjects that their personal information may have been accessed by an unauthorised person.
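Several of the findings above (lapsed antivirus, SIEM and IDS licences, and no regular verification that the safeguards were actually working) come down to nobody tracking licence expiry and verification dates. The script below is an added illustration, not code from the article or from Cowan-Harper-Madikizela Attorneys, of the kind of periodic check a responsible party can run over its own safeguard inventory; the inventory, the dates and the 30-day and 90-day thresholds are constructed assumptions, not figures from the enforcement notice.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Safeguard:
    """One security safeguard the organisation relies on (hypothetical record)."""
    name: str
    licence_expiry: date   # date on which the vendor licence or subscription lapses
    last_verified: date    # last date someone confirmed the safeguard is actually working


@dataclass(frozen=True)
class Finding:
    safeguard: str
    issue: str             # LICENCE_LAPSED, LICENCE_EXPIRING or VERIFICATION_OVERDUE
    days: int              # days lapsed, days until expiry, or days since last verification


def assess_safeguards(safeguards, as_of, renewal_window_days=30,
                      max_verification_age_days=90):
    """Flag safeguards whose licence has lapsed or is about to, and safeguards
    that have not been verified within the allowed window. Thresholds are
    assumptions chosen for this example."""
    findings = []
    for s in safeguards:
        days_to_expiry = (s.licence_expiry - as_of).days
        if days_to_expiry < 0:
            findings.append(Finding(s.name, "LICENCE_LAPSED", -days_to_expiry))
        elif days_to_expiry <= renewal_window_days:
            findings.append(Finding(s.name, "LICENCE_EXPIRING", days_to_expiry))

        days_since_verified = (as_of - s.last_verified).days
        if days_since_verified > max_verification_age_days:
            findings.append(Finding(s.name, "VERIFICATION_OVERDUE", days_since_verified))
    return findings


def format_report(findings):
    """Render findings as plain text lines, one per finding."""
    if not findings:
        return ["All safeguards licensed and verified within policy."]
    return [f"{f.safeguard}: {f.issue} ({f.days} days)" for f in findings]


# Constructed sample inventory; names and dates are invented for illustration.
AS_OF = date(2024, 3, 1)
CONSTRUCTED_INVENTORY = [
    Safeguard("Antivirus", date(2022, 12, 31), date(2022, 11, 15)),      # lapsed over a year ago
    Safeguard("SIEM", date(2024, 3, 20), date(2024, 2, 10)),             # expires within 30 days
    Safeguard("IDS", date(2024, 9, 30), date(2023, 10, 1)),              # licensed, never re-verified
    Safeguard("Backup encryption", date(2025, 1, 1), date(2024, 2, 20)), # healthy
]

EXAMPLE_FINDINGS = assess_safeguards(CONSTRUCTED_INVENTORY, AS_OF)

if __name__ == "__main__":
    for line in format_report(EXAMPLE_FINDINGS):
        print(line)
```

Run on a schedule (and after any change to the inventory), the same check turns a once-a-year surprise into a recurring ticket; the verification-age rule is what catches the case the notice describes, where a control is still installed but has silently stopped protecting anything.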

The DoJ&CD was required to renew its various antivirus software licences, to institute disciplinary action against the officials responsible for the failure to renew the licences, and to provide proof thereof. It failed to do so within the requisite time frame.

It is worth mentioning that an enforcement notice was also issued to the SAPS on 4 April 2023 for breaching the conditions of lawful processing and its duty to notify the Information Regulator and the affected data subjects of security compromises. It seems, however, that the SAPS was able to comply with the Information Regulator’s orders and was therefore not issued with a fine for non-compliance.

The very clear inference from the above is that both public and private bodies must regularly and continuously ensure that they are compliant with POPIA, failing which they too may fall foul of its provisions. Cybercrime has become more prevalent and many public and private bodies have already been negatively impacted. Ensuring compliance with POPIA may reduce a company’s exposure to cybercrime and the burdensome consequences which follow.

It must also be remembered that the same strict compliance is expected in terms of the Promotion of Access to Information Act 2 of 2000 (“PAIA”) and the Regulations thereto. Public bodies (as defined) are furthermore expected to submit PAIA Annual Reports in terms of section 32 of PAIA.

Employers should also ensure that employees (including new employees) have received adequate training in the provisions of POPIA and PAIA.

CHM POPIA COMMITTEE

Tanya Mulligan, Executive in Employment

James Horn, Partner in Employment

Jessica Fox, Partner in Employment

Gael Barrable, Partner in Employment

Mbulelo Ndlovu, Senior Associate in Public Law, Risk, Governance and Compliance

© 2021 - 2024. Cowan-Harper-Madikizela Attorneys
All Rights Reserved.