In less than 18 months, the information regulator has cracked down on a SAPS security compromise. This investigation stems from a security compromise where sensitive details, including personal information, were leaked on WhatsApp. The leaked information reportedly included details related to the deaths of a prominent businessman and an officer.

Regulator’s findings in the SAPS security compromise

The information regulator has initiated another investigation, this time into the latest SAPS security compromise, for a breach of POPIA similar to the first. The first investigation into SAPS led to an enforcement action after SAPS officials leaked rape victims' personal data via WhatsApp to various people, including the media.

This second SAPS security compromise follows the investigations into the deaths of prominent businessman Jabulani Ben Gumbi and the late Captain Ernest Dambuza. Someone leaked sensitive crime scene reports and personal information on WhatsApp. This leaked information included names, car registrations, and even home addresses of people connected to the investigation.

Repeated infringement by SAPS officials

In its media briefing in March this year, the information regulator highlighted a troubling trend: public entities are lagging behind private companies in complying with POPIA. This isn't the first time SAPS has been caught violating POPIA.

While section 6 of POPIA exempts criminal investigations to some degree, it only applies if there are specific laws protecting the personal information collected. Since such legislative provisions don’t exist, SAPS (and other public entities) must follow POPIA just like everyone else.

The information regulator issued its first enforcement notice against SAPS last year. Now, it is considering stronger measures to address the continued security compromises. This could include harsher fines, suspension of employment for responsible officials, or even imprisonment.

The message is clear: public entities need to take POPIA compliance seriously. The information regulator will crack down harder to protect personal information.

Lessons to learn from the SAPS security compromise

Those involved (responsible parties, operators, and data subjects) need to grasp the seriousness of a data breach. It can deeply impact the lives of those affected, and it undermines the trust and value associated with personal information.

The information regulator will need to take a firmer stance on repeated violations. This could involve:

  • reviewing legislation to address any loopholes that might be enabling these breaches, or
  • considering other methods to escalate investigations to the issuing of infringement and enforcement notices

Actions to take