By now, you’d have heard about SA’s latest battle: Information Regulator versus SAPS. But what’s the actual tea? Why’s our Information Regulator taking on SAPS? Do they even have the authority to take on SAPS? Perhaps you think POPIA doesn’t apply to SAPS. This post answers those questions and more. Brace yourself: the battle’s background facts are shocking and triggering.
The history
The Krugersdorp incident
On 28 July 2022, a production crew were shooting a music video near a mine dump in West Village, Krugersdorp. During the shoot, a mob of about 20 men—illegal artisanal miners—wearing Basotho blankets and balaclavas raided the set. Next, they reportedly fired several (actual) gunshots into the air and told everyone on the set to lie down on the ground. The unidentifiable men then allegedly proceeded to gang-rape eight women from the set in nearby bushes. The horrific incident was reported to SAPS. They started investigations, eventually arresting 81 suspects who appeared before the Krugersdorp Magistrates’ Court.
SAPS officials leak personal information
For unknown reasons, SAPS officials leaked the rape victims’ personal information via WhatsApp to various people, including the media. The personal information included the victims’:
- names,
- ages,
- home addresses, and
- details of the sexual assault.
Obviously, personal information has value and can be used to harm people. But what’s especially egregious is that the disclosure relates to victims of sexual assault, facilitating ongoing victimisation and impacting their privacy and dignity, especially during women’s month in SA.
Information Regulator contacts SAPS
The Regulator became aware of SAPS officials disclosing the personal information of the Krugersdorp victims. Consequently, it issued SAPS with a notice under section 90 of POPIA demanding details of the disclosure.
Wait, so POPIA applies to SAPS?
Many people think POPIA doesn’t apply to SAPS. The reason is that section 6 of POPIA excludes criminal investigations from the ambit of POPIA. However, there’s a caveat! This section only excludes SAPS from having to comply with the Act “to the extent that adequate safeguards have been established in legislation for the protection of such personal information”. In other words, for POPIA not to apply to SAPS’s processing of personal information, the relevant department needs to create a law that implements adequate safeguards (information security measures) to protect personal information. Since no legislation like that exists, POPIA applies to SAPS just like any other responsible party.
Further, SAPS is responsible for its officials’ conduct when they act in their official capacity or share personal information that SAPS is responsible for; this is known as “vicarious liability”.
The section 90 notice
Returning to the section 90 notice, the Regulator demanded to know:
- the identity of the officials who distributed the messages;
- the purpose of drafting the messages;
- who the intended audience was;
- the persons to whom the officials actually sent the messages, detailing the recipients, their job titles, employers, and cellphone numbers;
- the dates and times at which the officials sent the messages to the recipients; and
- whether the officials sent the messages or related comms on platforms other than WhatsApp.
Further, the Regulator directed SAPS to provide it with two reports:
- an Information Officer report recording that the officials processed personal information in line with POPIA; and
- a report on SAPS’s investigation regarding the personal information disclosed by its officials.
SAPS blueticks the Regulator
Initially, the notice set the deadline for the reports as 15 August 2022. However, SAPS asked the Regulator for a time extension to deliver the reports on 24 August 2022.
Reportedly, the 24th arrived and SAPS provided the Regulator with only a single piece of information listed in the notice. Plus, SAPS added that it could only provide more information once it’s finalised its investigation. But it didn’t indicate when it would do so.
The Regulator issues summons
The Regulator’s Chairperson, Advocate Pansy Tlakula, said the Regulator found SAPS’s response inadequate. The Chairperson added that SAPS’s poor response interferes with the Regulator’s ability to investigate the disclosure.
So, in line with its powers under section 81 of POPIA, the Regulator summonsed SAPS to supply the information it demanded in its notice.
What happens next?
We’re waiting to see how SAPS responds to the summons.
How does this incident affect me?
Stepping away from the incident, there are some lessons you can glean:
- The Regulator will hold you, as a responsible party, accountable for non-compliance with POPIA. You will also be responsible for the decisions of your personnel and operators.
- You must train your personnel and operators (service providers) to comply with POPIA.
- You need to respond adequately to notices you receive from the Regulator.
Actions you can take
- Comply with a notice from the Regulator by asking for our advice.
- Protect yourself from risk by asking us to train your personnel and service providers.
- Stay on top of the latest personal data incidents by subscribing to our newsletter.
- Protect personal information by asking to join our data protection programme.