The South African Police Service (SAPS) published a revised version of the Standard Operating Procedures (SOPs) for the investigation, search, access, or seizure of electronic evidence in terms of the Cybercrimes Act. The comment period ended on 15 August 2022.

We will update this post when SAPS publishes the final SOPs in the government gazette.

What do the revised SOPs cover?

The revised SOPs are 47 pages as opposed to the previous version which was 40 pages long. The updated version still has a glossary of terms and an annexure of relevant definitions under the Criminal Procedure Act and the Cybercrimes Act. Here’s a summary of the new and revised provisions below:

Purpose of the SOPs (Updated!)

This paragraph was previously titled “Introduction”. Certain sections of the Cybercrimes Act commenced on 1 December 2021. The Act requires law enforcement authorities to issue SOPs within 12 months of the Act’s commencement date (1 December 2021). The document sets out the procedures that SAPS (or any other person or agency) must follow when they investigate a cybercrime or malicious communication. (See offences under Part I and Part II of Chapter 2 of the Cybercrimes Act)

The SOPs will serve as a common standard for investigating authorities to exchange electronic evidence in local and international investigations.  Furthermore, the SOPs will ensure that any data a computer system, digital, or storage device holds is reliable, and authentic. The drafters included a few new provisions under this revised paragraph:

  • The definition of an article.
  • Members of the SAPS, other law enforcement officials, prosecutors and members of the judiciary may participate in the collection, analysis or decisions related to articles during criminal investigation or court proceedings.
  • Authorities must uphold a person’s right to privacy and other fundamental rights. For example, authorities must enforce a person’s right to a fair trial.
  • When dealing with the admissibility of electronic evidence, authorities must consider the authenticity, completeness, reliability, evidentiary weight, and proportionality of the evidence.

Scope and Application (paragraph 2) (New!)

The SOPs apply to:

  • the South African Police Service,
  • any person or agency authorised in terms of any other law to investigate any offence in terms of any law.
  • investigations that can assist a police official with search, access, or seizure (this is in line with Chapter 4 of the Cybercrime Act)
  • investigations of any offence (including a suspected offence) in terms of Part I and Part II of Chapter 2 of the Cybercrime Act.
  • any other offence (including a suspected offence) which a cybercriminal may commit using an article. (See section 1 of the Cybercrime Act for the definition of ‘article’.)

General guidelines (paragraph 4) (Updated!)

This paragraph has been renumbered to paragraph 4. It was previously paragraph 3. There are still many cross references to other laws, so investigating officers have a lot to consider. Therefore, we’ve simplified a lot of the information for you.

Setting up a statutory framework

Anyone investigating cybercrime must do so by complying with the statutory framework or relevant laws. For example:

  • The Preservation and Disclosure Provisions under paragraph 4.10 was previously marked as [Not in operation yet]. The drafters have removed this provision. (New!)
    • Chapter 4 of the Cybercrime Act which deals with the “Powers to Investigate, Search, Access or Seize”. You must remember that certain sections under Chapter 4 are not in operation yet. For example sections 38(1)(d)-(f), 40(3)-(4), and 41 (Expedited preservation of data direction), 42 (Preservation of evidence direction), 43 (Oral application for preservation of evidence direction) and 44 (Disclosure of data direction and search for, access to and seizure of articles subject to preservation).
    • Although these provisions under the Act are not in operation yet, by removing the words “not in operation yet”, the drafters seem to hint that these provisions may soon come into effect. So although the Preservation and Disclosure provisions in the Cybercrimes Act are not in operation yet, the SOPs still set out how investigators should implement them.
  • The Criminal Procedure Act is relevant when conducting searches with or without a warrant.
  • Section 4(3) of the Customs and Excise Act, 1964 which states that an officer may not disclose any information relating to any person, firm, or business they acquire while performing their duties. However, an officer may disclose this information if they are a witness in a court of law.
  • The SOPs allow investigators to prepare for a search, access, or seizure of an article with or without a warrant. These provisions are detailed under paragraph 4 of the revised SOPs and are in line with section 32 of the Cybercrime Act.

Investigators must consider five principles for digital evidence:

  1. Data Integrity
    If law enforcement agencies take any action, agency employees (or their agents) should not change any data, electronic device, or media. This is because prosecuting authorities may use the data, electronic devices, or media as evidence in court.
  2. Audit Trail
    Authorities must create a record of all actions taken when handling electronic evidence so that they can be subsequently audited.
  3. Specialist Support
    The person in charge of a planned operation should promptly notify specialists or external advisers if they expect to find electronic evidence.
  4. Training and Experience
    Anyone authorized to search for, access or seize electronic evidence at a crime scene must be trained to do so.
  5. Legality
    The person and agency in charge of the case must ensure that everyone complies with the law, the evidential safeguards, and the general forensic and procedural principles. If investigators flout the law of legality, there is a risk that courts may not admit evidence during judicial proceedings.

Packaging, transportation, and storage of articles (paragraph 5)

The SOPs set out guidelines for securing articles like computers. Everyone on the investigation team must take special precautions when packaging, transporting, and storing devices that can contain electronic evidence.

Pornographic images of children and other sensitive evidence (paragraph 7)

Investigators must take special care to restrict access to sensitive evidence to prevent secondary victimisation of the victims and other persons. For example, these types of evidence should be restricted to only those who must deal with the evidence in question.

The SAPS Designated Point of Contact (paragraph 13) (Updated!)

Chapter 6 of the Cybercrimes Act provides for the creation of a Designated Point of Contact (DPoCs) within SAPS structures. In the previous version this clause was not in operation yet. It also did not have a list of the DPoCs. The revised version no longer contains the words “[Not in operation yet]”. This is confusing because the Department of Justice has not yet proclaimed the commencement date of Chapter 6 of the Cybercrimes Act.

The previous version indicated that SAPS would provide the DPoC information, however the sentence has now been removed from the revised SOPs.

Offences (now paragraph 12)

The SOPs list several instances where it is an offence to unlawfully and intentionally obstruct or hinder a police official or an investigator during an investigation. For example, a police official or investigator who fails to destroy all passwords, decryption keys, data or other information will be guilty of a criminal offence.

Actions you can take

If you are interested in finding out more about the SOPs, you can:

  • delve into the detail of the revised SOPs by downloading them.
  • compare the revised SOPs with the previous version by downloading the previous version.
  • get a deeper understanding of the impact of cybercrimes on your organisation by attending a half-day online workshop.
  • find other actions you can take related to cybercrime by visiting our main cybercrime law page.