It was with great shock that the South African society learned about the rape of several women near Krugersdorp in July 2022. But what was more worrisome was the shock of the victims upon realising that their personal details such as names, residential addresses and occupations appeared on social media platforms!

The Information Regulator (Regulator) announced on 5 April 2023 that, based on a report of its Enforcement Committee, it found that the protection of personal information of certain data subjects – defined in POPIA as “the person to whom personal information relates” and which in the present case is the victims of these heinous crimes – has been interfered with. It has been found that the South African Police Service (SAPS), which was responsible for the processing of the personal information of the victims, did not comply with POPIA.[1]

In terms of the findings, the SAPS breached the conditions for the lawful processing of personal information and also demonstrated non-compliance with the duty to notify the Regulator of a security breach. This finding means that the SAPS do not have the necessary safeguards in place, let alone safeguards established in legislation as intended by section 6(1)(c)(ii) of POPIA!

The SAPS, in an attempt to justify their actions, explained to the Regulator that it distributed the personal information of the victims (data subjects) on various WhatsApp groups to, amongst others, alert the respective stations and units of the serious crimes which happened in the West Rand District. As a consequence of this distribution, the WhatsApp message was leaked from its intended communication channels and was shared widely on various social media platforms, such as Facebook, which does not in any way relate to the purpose for which the personal information was collected.

This would then lead one to ask, since when is WhatsApp an official authorised police messenger service with unique user and security features? And if this is deemed as an official authorised communications channel, whether there are prescribed content and distribution protocols for specific communication channels?

In its Enforcement Notice, the Regulator has ordered the SAPS to –

• Formally notify the Regulator and the data subjects of the security compromise of their personal information.
• Publish an apology to the data subjects for processing their personal information in a manner that breached the conditions for the lawful processing as stipulated in the Enforcement Notice. The apology must be published prominently in all major national weekly newspapers and in all social media platforms such as Facebook and Twitter.
• Investigate the conduct of the SAPS members who were involved in the unlawful processing of the data subjects’ personal information on WhatsApp and, if necessary, take appropriate action against the members involved.
• Roll out training on POPIA across the SAPS.
• Draft and implement a Privacy Policy.

While the “responsible party” who was found to be in breach of the provisions of POPIA in this instance was the SAPS, it is important to note that any member of the public who transmits, distributes or makes available in any other form the personal information of the data subjects is guilty of perpetuating the breach that has occurred. In other words, any person who shares or posts the personal details of the data subjects – such as their names, ages, and residential addresses – on any digital platform by email or SMS, social media (WhatsApp, Facebook, etc.) or physically, should be aware of POPIA and the impact on the privacy of the data subjects.

What does this mean? POPIA compliance is important. Private and public bodies should establish a POPIA compliance framework. Note should be taken of the obligations and responsibilities imposed by POPIA and organisation should roll out e-leaning to all its employees. Understanding POPIA is of crucial importance.

This is indeed a momentous moment for privacy enforcement in South Africa.

Werksmans POPI e-learning Course

Footnotes

[1]  Protection of Personal Information, Act 4 of 2013.