The Information Regulator – South Africa (“the Information Regulator”) appeared before the Gauteng High Court (“the High Court”) on Thursday 12 March 2026, for leave to appeal against the decision of the High Court handed down on 12 December 2025 in the matter between the Minister of Basic Education and the Information Regulator. In its earlier ruling, the Gauteng High Court declared that the publication of matric results in newspapers and online platforms does not infringe the Protection of Personal Information Act, 4 of 2013 (“POPIA”).1 . The High Court has reserved judgment on the matter until next week, and it is expected to give its judgment on whether the dispute is to continue to the Supreme Court of Appeal.
The High Court had reasoned that the publication of matric results in newspapers and online platforms through examination numbers did not mean that personal information was being processed for the purposes of POPIA.2 The Court sided with the Minister who argued that there is no publication of personal identifiable information because “no learner is identifiable or at risk of identification by any members of the general public; (or by the reasonable man) solely by the examination number of that learner”3. The Court ultimately stated that the term “personally identifiable information” referred to information which permits the ability to identify a particular person “without any particular diligence by a person considering such information”.4
The Court’s interpretation, consistent with the Minister of Basic Education’s argument, that it is far-fetched for a student to take the time to consider who surrounded them during their examinations and later process another student’s personal information based on the sequence of the examination numbers, would appear to not align with the definitions set out in the Act.
In my view, the above interpretation is incorrect. If we consider rulings in other jurisdictions, we can take guidance from them. For example, consider the recent decision of the Appeal Court of the Royal Courts of Justice in the United Kingdom (“the UK Appeal Court”), in the matter of DSG Retail Limited v The Information Commissioner.5 In that matter, there had been a breach of data resulting from a cyberattack insofar as the attackers were able to obtain the 16-digit card numbers and the expiry dates of those cards. The attackers could not, however, obtain the identity of those cardholders. Despite this lack of identification of a cardholder, there had been identification of a 16-digit number and an expiration date, and the UK Appeal Court ultimately held that such a breach consisted of “personal data”. Although such a ruling is not binding on South African courts, it may be persuasive, and it is a clear indication of the approach other countries are taking towards the protection of personal information. The UK Appeal Court arrived at the conclusion that ‘Information is “personal data” if it falls within the statutory definition of that term’.6 The UK Appeal Court further concluded that if the data controller is able to identify such an individual through any information it may have, such as an identifier number, it will be considered “personal data”.7 Although this is not necessarily a requirement in our law, it remains relevant. In the matric results scenario, the Department of Basic Education, as the “data controller”, can identify a student based on their examination number.
A close inspection of the legislation, specifically the definitions in POPIA, is required for the purposes of this case. Section 1 of the Act defines personal information, and under “(c)” of the definition of personal information there is the inclusion of an “identifying number”. For the purposes of the examinations and the results thereof, an examination number ought to be construed as an “identifying number” in terms of POPIA’s definitions Therefore, under this interpretation, using the definitions set out in POPIA, the examination number should be considered as “personal information”. Once such information is categorised as “personal information” then Chapter 3, Part A of POPIA should apply to such information. “Processing”, in terms of section 1 of the Act, specifically under “(b)” of the definition of “processing” includes the dissemination by means of transmission, distribution, or making available in any other form. In accordance with this definition, the process of publishing matric results in newspapers and online platforms falls under the definition of “processing” for purposes of POPIA.
Chapter 3, Part A of POPIA sets out 8 conditions to be applied with for the processing of personal information. Condition 1 of the Act refers to accountability. The responsible party (the Minister of Basic Education) must ensure conditions for lawful processing.
Condition 2 considers processing limitations, and it is divided into further sections entitled ‘lawfulness of processing’; ‘minimality’; ‘consent, justification and objection’; and ‘collection directly from data subject’. Section 9(b) requires that personal information be processed ‘in a reasonable manner that does not infringe the privacy of the data subject’. The data subject, the student, has their right to privacy infringed through the wide dissemination of their matric marks. It is out in the public, and readily available for any person to obtain. This requirement goes together with section 10, ‘minimality’ – ‘Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant, and not excessive.’ It may be argued that the publication of these marks is not adequate, relevant and is excessive. The Department of Basic Education sends direct text messages to matric students which informs them of their results. The use of direct text messages is a reasonable method of informing students of their results. By using a double system of text messages as well as publication, the process of publication may be viewed as ‘excessive’ for purposes of the Act. Section 11(1)(a) also requires the consent of students over 18, or for their guardian’s consent should the student be under 18, for the personal information to be processed. There has been no indication of whether such consent has been obtained by students or guardians for the processing of such personal information.
Condition 3 refers to purpose specification. The collection of personal information must be for a specific purpose, and this personal information may only be retained for a specific period.
Condition 4 imposes a further processing limitation, and states that further processing must be compatible with the purpose of collection.
Condition 5 refers to information quality and requires the responsible party to collect the information in a manner which reflects the truthfulness of such information.
Condition 6 requires openness on the part of the responsible party and requires such responsible party to notify the data subject of the collection of personal information.
Condition 7 refers to security of information and requires the responsible party to secure the integrity and confidentiality of personal information, and that should a third party process such information, it is done with the knowledge of the responsible party.
Condition 8 requires data subject participation. This entails that the data subject may request the responsible party to confirm whether the responsible party holds personal information regarding the data subject; that the data subject may request the responsible party to correct or delete personal information in the prescribed manner and prescribes the manner of access under this condition.
This is just a brief, undetailed view of the required conditions which must be met for a responsible party to process personal information. As discussed earlier, an examination number ought to be considered as personal information for the purposes of POPIA. It is my view that an examination must be considered as an “identifier number”, which falls within the definition of personal information in terms of the Act. Furthermore, publication of matric results using an examination number falls within the definition of “processing” as defined in the Act as there is dissemination of such results through the medium of newspapers and further online platforms. Therefore, by publishing the students’ matric marks in newspapers and online platforms, this amounts to the processing of personal information in terms of the Act, which is where, in my view, the court erred in its decision. Since this amounts to the processing of personal information, the eight conditions prescribed in the Act must be adhered to in order for the processing of such information to be considered lawful.
In my view, these conditions have not been adhered to by the Minister of Basic Education. Consent has not been obtained from the students or their guardians; and the processing of the information does not prescribe to the “minimality” requirement in the Act. The use of text messages for students to receive their marks together with this publication in newspapers may be viewed as excessive. Therefore, the processing of such personal information cannot be regarded as lawful as it does not comply with the conditions set out in the Act, specifically condition two.
It is for the above reasons that, in my view, the Information Regulator has good prospects of success on appeal. It is now to be seen whether the High Court approves the Information Regulator’s application for leave to appeal, or whether the IR will have to go directly to the Supreme Court of Appeal to apply for leave to appeal. It will be in the interests of justice and the privacy of matric students for this decision to be taken all the way to the Constitutional Court if so required.
Written by Ethan van der Merwe.
