The information regulator issued its first enforcement notice to SAPS. After conducting an independent investigation, the regulator found that SAPS breached several conditions for the lawful processing of personal data. The regulator also found that SAPS failed to notify the regulator and the data subjects of a security compromise.

Regulator’s decision and reasoning

The regulator found that SAPS violated several provisions of POPIA because:

  • By distributing data subjects’ personal data in a WhatsApp message, SAPS processed that personal data unlawfully, unreasonably and in a manner that infringed the data subjects’ privacy.
  • SAPS processed the data subjects’ personal data without their consent.
  • The personal data included in the WhatsApp message was excessive and not relevant to the purpose for which it was distributed.
  • SAPS failed to take the appropriate, reasonable technical measures prescribed by POPIA to prevent unlawful access to the data subjects’ personal information.

Enforcement notice order

In its enforcement notice, the regulator ordered SAPS to:

  • Notify the data subjects of the security compromise relating to their personal data within 31 days.
  • Publish an apology to the data subjects in major national weekly newspapers and on social media platforms.
  • Investigate the conduct of the SAPS members responsible for the unlawful processing of the personal information.
  • Include POPIA training in all SAPS training programmes.

Implications for others

The enforcement notice against SAPS demonstrates that nobody is above the law when it comes to compliance with data protection legislation. Controllers who process personal data must take adequate steps to protect it so that data subjects do not suffer harm.

Lessons learned

The regulator launched its own investigation into SAPS after the Krugersdorp incident. It even served a summons on SAPS for not fully complying with an information notice. The number of POPIA provisions that SAPS failed to comply with suggests that it had little awareness of the Act and of how to meet the conditions for the lawful processing of personal data. A robust awareness programme in your organisation will therefore help ensure that your employees process personal data lawfully.

You must know the different types of notice that the information regulator can issue so that you can handle them correctly and timeously. Controllers can reduce the risk of receiving an enforcement notice from the regulator by:

  • Ensuring that you have the data subjects’ consent, or another lawful justification under POPIA, before processing their personal data.
  • Implementing appropriate measures to protect personal data against loss, damage and unlawful access.
  • Ensuring that your staff, processors and any third parties you work with understand the importance of complying with POPIA.

Actions you can take

To avoid finding themselves in a similar position to SAPS, controllers should:

  • Comply with any request from the regulator for information.
  • Cooperate fully with the regulator during any investigation into their practices.
  • Comply with the regulator’s guideline on the notification of security compromises.
  • Invest in appropriate and up-to-date security technologies to protect personal data.
  • Train employees on POPIA and on cybersecurity best practices for protecting personal data.

By taking these steps, organisations can greatly reduce the risk of receiving an enforcement notice from the regulator. You can learn more about the different types of notice that the regulator can issue by attending our webinar: Knowing the different notices the information regulator can issue.