Improved Measures Taken by the Information Regulator

This article discusses the improved measures that the Information Regulator of South Africa has taken in respect of data privacy breaches.

The Information Regulator of South Africa (“IRSA”) is an independent body responsible for ensuring that private and public bodies comply with the Promotion of Access to Information Act 2 of 2000 (“PAIA”), and the Protection of Personal Information Act 4 of 2013 (“POPIA”).[1]  It is tasked with handling privacy and access to information complaints and conducts assessments and investigations.  Its accountability to the National Assembly ensures that it operates independently so that private and public bodies are monitored impartially to achieve the mandate protecting personal information in South Africa.[2]  It is crucial that the measures it takes in fulfilling these tasks are progressive in order to secure information.

The IRSA recently announced that it will release its investigation and assessment outcomes on matters it deals with each year.  In our view, this may be useful to hold institutions which conduct themselves unlawfully when handling personal information accountable.  Institutions like the South African Police Services and even state institutions like Department of Justice and Constitutional Development (“DOJ & CD”) are organisations that have been held to account by the IRSA.  To elaborate on these outcomes, the IRSA released the following:

The South African Police Services (“SAPS”) were held to account for unlawfully circulating the personal information of victims of an assault that occurred in Krugersdorp.  It was found that SAPS members assigned to the case had distributed the personal information of the victims via WhatsApp and the information was leaked on social media platforms like Facebook.  Not only did the IRSA find that SAPS unlawfully interfered with the victims’ right to privacy by failing to adequately process and protect their information, but that SAPS also failed to notify the victims themselves, and the IRSA, of the security compromise.  As a result, not only did the IRSA order SAPS to notify the victims of the compromise, but that it should also publish an apology to the victims on major national weekly newspapers and social media platforms.  SAPS was also ordered to investigate the conduct of the negligent SAPS members who were responsible for the compromise and provide POPIA training in all SAPS programs.

Two further enforcement actions by the IRSA are the Enforcement Notices issued against the DOJ & CD, as well as Dis-Chem, as a result of their contravention of various privacy provisions under POPIA.  The IRSA further issued a fine of R5 million against the DOJ & CD for its non-compliance with an IRSA Enforcement Notice .  

And finally, the IRSA investigated the Department of Mineral Resources and Energy’s (“DMRE”) refusal to avail the status records of mineral rights in several farms across the country.  With the IRSA’s intervention, the 23 complainants were granted access to the DMRE’s status records.  Matters of this nature are widely known to be dealt with through expensive and lengthy property law litigation in South Africa.

It is of significant value that corporations, institutions, and organisations cannot continue to breach privacy rights and access information in South Africa.  Knowing that effective, trustworthy, and binding recourse taken by the IRSA can apply to such situations without expensive litigious measures is a breakthrough against long-standing injustices that many South African citizens have faced at the mercy of institutions that are notoriously difficult to bring to account.

The IRSA has effectively released its outcomes, educating many about their rights of recourse, thereby enhancing data privacy awareness and protections for all citizens.

Contact us for more good, clear, precise advice.

[1] Information Regulator Website –

[2] Ibid.

Filter By

Must Reads

Subscribe to receive our latest articles

Follow Us

Related Posts