The information regulator issued an enforcement notice to the Department of Justice (DoJ) for contravening the Protection of Personal Information Act (POPIA). The regulator found that the DoJ breached POPIA by failing to secure the personal information of over 250,000 officials and non-officials. Subsequently, the regulator issued an infringement notice to the DoJ.

Regulator’s decision and reasoning

The regulator found that the DoJ breached several provisions of POPIA (section 19(1)–(3)) because it failed to:

  • implement adequate security measures to protect the personal information in its possession or under its control, and
  • uphold the rights of the data subjects, whose personal information was consequently left unprotected.

DoJ enforcement notice order

The enforcement notice requires the DoJ to take several remedial actions to bring itself into compliance with POPIA within 31 days, and to submit proof to the regulator that each of the remedial actions has been completed.

In respect of the breach of section 19(1), the regulator ordered the DoJ to:

  • Provide the regulator with copies of its Personal Information Impact Assessment (PIIA) and its compliance framework in terms of regulation 4(1)(a) of the POPIA Regulations.
  • Report the security compromise to the South African Police Service (SAPS).
  • Renew the lapsed anti-virus software, SIEM and intrusion detection system (IDS) licences.
  • Institute disciplinary proceedings against the official(s) responsible for renewing those licences.
  • Provide POPIA training to all staff.

In respect of the breach of section 19(2), the regulator ordered the DoJ to:

  • Take reasonable measures to identify all foreseeable internal and external risks to personal information in its possession or under its control.
  • Establish and maintain appropriate safeguards against the risks identified.
  • Regularly verify that the safeguards are effectively implemented.
  • Update the safeguard measures in response to new risks or deficiencies.

Incident response (section 19(3))

  • Update the Incident Response Plan by incorporating all applicable provisions of POPIA.
  • Implement the Public Service Corporate Governance of Information and Communication Technology Framework, dated December 2012.

What you can learn from this Department of Justice enforcement notice

The DoJ enforcement notice is a reminder that compliance with POPIA is not a one-off exercise. Responsible parties that collect and process personal information must implement adequate security measures to protect it from unauthorised access or use, and must keep those measures in force: in this case the failure was not the absence of security tooling but allowing the licences for existing anti-virus, SIEM and IDS tools to lapse. Ongoing training and awareness make an organisation more resilient in its approach to POPIA, because staff who understand what the Act requires are more likely to notice, and act on, a gap such as an expiring licence before it becomes a security compromise.

Actions you can take regarding the DoJ enforcement notice

To avoid receiving a similar enforcement notice, responsible parties should: