The Information Regulator issued an enforcement notice against Blouberg Municipality after a complaint from a former employee. This Blouberg Municipality enforcement action arose because the municipality had unlawfully published the employee’s personal information on its website as part of a declaration of interest. As a result, the Regulator took enforcement action (between April and September 2024) to correct these violations of POPIA.
The Blouberg Municipality enforcement notice
In its assessment, the Regulator made findings and drew conclusions regarding Blouberg Municipality’s processing of personal information.
- Published personal information of a former employee on its website without lawful justification.
- Failed to maintain transparency by not having a compliant privacy policy and PAIA manual available on its website.
- Breached the principle of purpose limitation by processing personal information for purposes beyond those for which it originally collected it for.
Therefore, the Regulator emphasised section 15 of POPIA, which requires organisations to ensure that any further processing remains compatible with the original purpose. Blouberg Municipality failed to meet this standard. In addition, the case highlights how easily poor governance can lead to serious regulatory action. See our lawful justification for the processing of information module and our Processing for a further purpose module for more guidance.
Why this enforcement notice matters
This Blouberg Municipality enforcement action serves as a reminder that public bodies, like private companies, must fully comply with POPIA. In particular:
- Organisations may only use personal information for its intended purpose.
- They must publish privacy notices and PAIA manuals to ensure the public can access them easily.
- The Information Regulator enforces consequences for non-compliance, and those consequences could include fines, imprisonment, or both.
Consequently, organisations cannot treat POPIA compliance as optional. Instead, they need to integrate compliance into everyday operations. Businesses that fail to embed compliance often face enforcement actions that damage both their reputation and operations.
The Regulator issued an infringement notice
Blouberg Muncipality failed to comply with the enforcement notice and therefore the regulator sent Blouberg an infringement notice with a fine of R500,000. The Municipality failed to pay the administrative fine, prompting the Information Regulator to initiate court proceedings to recover the amount payable.
Actions you can take regarding the Blouberg Municipality enforcement action
- Be cautious when publishing personal information and ensure you have a lawful basis.
- Have an up-to-date PAIA manual by joining the access to the information programme and working through the module on Having a PAIA Manual or attending our webinar.
- Have a privacy policy by joining our data protection programme and working through our Lawful justification for the processing of information and our Processing for a further purpose modules.
- Proactively manage risks by reviewing how your organisation processes employee and stakeholder data and ensure your systems prevent unauthorised exposure.
