Under the Protection of Personal Information Act (POPIA), the Information Regulator has the authority to issue an infringement notice to a company or organization that is believed to have violated POPIA. This notice can result in an administrative fine of up to ZAR 10 million. The Regulator considers various factors when determining the appropriate fine, such as the type of personal information involved, how long the violation occurred, the number of individuals affected, the potential harm or distress caused, and whether the responsible party could have prevented the violation or has a history of similar offences under POPIA.
The Information Regulator has issued its first administrative fine under POPIA against the Department of Justice and Constitutional Development (DoJ&CD), fining it R 5 million for a security compromise that occurred in 2021 and resulted in the loss of personal information.
Introduction:
Since the enforcement of POPIA in South Africa, companies have faced increasing scrutiny over their compliance with data protection regulations. One recent development involves the DoJ&CD, which has been issued with an administrative fine by the Information Regulator. This article summarizes the key details of the case, including the security compromises, the enforcement notice, and the consequences faced by the DoJ&CD.
Background:
In September 2021, the DoJ&CD experienced a security compromise that affected its IT systems, leading to the loss of approximately 1,204 files containing personal information. The Information Regulator, responsible for overseeing POPIA compliance, investigated and found that the DoJ&CD had failed to implement adequate technical measures and safeguards to protect the personal data it processes.

As a result of the non-compliance, the Information Regulator issued an Enforcement Notice to the DoJ&CD in May 2023. The notice outlined specific actions that the department needed to take to remedy the situation. However, the DoJ&CD failed to comply with the notice, leading to the imposition of an administrative fine by the Regulator.

The Regulator determined that a fine of ZAR 5 million was appropriate in this case. The DoJ&CD now has a 30-day deadline to pay the fine or to arrange with the Regulator for instalment payments. Alternatively, the department may choose to be tried in court on the alleged offence referred to in terms of POPIA.

Ironically, the DoJ&CD suffered another security compromise in April 2023, resulting in a loss of ZAR 18 million from its Guardian's Fund. The incident was reported to the Regulator several days later, adding to the challenges faced by the department in safeguarding personal information.
Conclusion:
The case involving the DoJ&CD serves as a significant example of the Information Regulator's enforcement of POPIA regulations. Companies and organizations operating in South Africa need to prioritize data protection and ensure compliance with the law. Failure to do so can result in substantial fines, reputational damage, and potential legal consequences. As the Regulator continues to actively assess various sectors, organizations must stay vigilant and take appropriate measures to protect personal information and fulfil their obligations under POPIA.

Such measures include regularly testing and verifying your security measures, updating your policies and documents, performing privacy impact assessments, staying tuned to regulatory updates, and conducting regular privacy training for employees (especially new joiners) to ensure they understand the company's policies and processes and their responsibilities in protecting personal information.