It was with great shock South African society learned about the rape of several women near Krugersdorp in July 2022.
But what was more worrisome was the shock of the victims upon realising that their personal details such as names, residential addresses and occupations appeared on social media platforms.
Read: Matric results: Have we misunderstood the Popi Act
The Information Regulator (regulator) announced on 5 April 2023 that, based on a report of its Enforcement Committee, it found that the protection of personal information of certain data subjects – defined in POPIA as “the person to whom personal information relates” and which in the present case is the victims of these heinous crimes – has been interfered with. It has been found that the South African Police Service (SAPS), which was responsible for processing the victims’ personal information, did not comply with POPIA.[1]
SAPS legal breach
In terms of the findings, the SAPS breached the conditions for the lawful processing of personal information and also demonstrated non-compliance with the duty to notify the regulator of a security breach. This finding means that the SAPS do not have the necessary safeguards in place, let alone safeguards established in legislation as intended by section 6(1)(c)(ii) of POPIA.
The SAPS, in an attempt to justify their actions, explained to the regulator that it distributed the personal information of the victims (data subjects) on various WhatsApp groups to alert respective police stations and units of the serious crimes perpetrated in the West Rand District. As a consequence of this distribution, the WhatsApp message was leaked from its intended communication channels and shared widely on social media platforms, such as Facebook, which did not in any way relate to the purpose for which the personal information was collected.
Official police channels
This would then lead one to ask, since when is WhatsApp an official authorised police messenger service with unique user and security features? And if this is deemed as an official authorised communications channel, one needs to ask whether there are prescribed content and distribution protocols for specific communication channels.
In its Enforcement Notice, the regulator has ordered the SAPS to:
- Formally notify the Regulator and the data subjects of the security compromise of their personal information.
- Publish an apology to the data subjects for processing their personal information in a manner that breached the conditions for lawful processing as stipulated in the Enforcement Notice. The apology must be published prominently in all major national weekly newspapers and on all social media platforms, such as Facebook and Twitter.
- Investigate the conduct of the SAPS members who were involved in the unlawful processing of the data subjects’ personal information on WhatsApp, and if necessary, take appropriate action against them.
- Roll out training on POPIA across the SAPS.
- Draft and implement a Privacy Policy.
Privacy is enforced
While the “responsible party” who was found to be in breach of the provisions of POPIA in this instance was the SAPS, it is important to note that any member of the public who transmits, distributes or makes available in any other form, the personal information of the data subjects, is guilty of perpetuating the breach that has occurred. In other words, any person who shares or posts the personal details of the data subjects – such as their names, ages, and residential addresses – on any digital platform by email or SMS, social media (WhatsApp, Facebook and so on) or physically, should be aware of POPIA and the impact on the privacy of the data subjects.
What does this mean? POPIA compliance is important. Private and public bodies should establish a POPIA compliance framework. Note should be taken of the obligations and responsibilities imposed by POPIA and organisations should roll out e-leaning to all employees. Understanding POPIA is of crucial importance.
This is indeed a momentous moment for privacy enforcement in South Africa.
Read: Dis-Chem flags data hack affecting over 3.6m customers
Ahmore Burger-Smidt, Head of Regulatory & Dakalo Singo, Head of Pro Bono at Werksmans Attorneys.
