Conflict of interest between InfoReg, justice department

Admire Moyo
By Admire Moyo, ITWeb's news editor.
Johannesburg, 09 Feb 2023
Advocate Pansy Tlakula, chairperson of the Information Regulator.
Advocate Pansy Tlakula, chairperson of the Information Regulator.

South African Members of Parliament (MPs) are calling for the Information Regulator to be independent of its parent ministry, the Department of Justice and Constitutional Development (DOJ&CD), in order to fully carry out its mandate of enforcing the Protection of Personal Information Act (POPIA).

This, as the Information Regulator has frequently faced criticism over its failure to resolve queries by data subjects timeously.

Data breaches that have exposed millions of personal data to unauthorised third-parties have also been on the rise in South Africa.

ITWeb last week reported that South Africans continue to be inundated with unsolicited calls and direct marketing by means of electronic communication.

Unsolicited direct marketing messages do not comply with the provision of section 69 of POPIA, which prohibits direct marketing by means of unsolicited electronic communications.

It is the duty of the Information Regulator to ensure organisations put in place measures to protect the data privacy of South Africans under POPIA.

The Act sets down firm frameworks that companies have to abide by to avoid fines, criminal persecution and potential reputation loss.

Breaching the rules and regulations outlined by this Act can have serious financial implications for the business – repercussions that can cost a fortune and have long-lasting consequences, such as reputational damage.

The Act makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.

Tied down

The regulator, a statutory body established through POPIA, is required to act independently in exercising its functions.

However, the regulator says it currently relies on the policies and procedures of the DOJ&CD to run its administration.

In a statement yesterday, the information watchdog says the lack of total independence of the regulator is inconsistent with the provisions of POPIA, which require the regulator to be an independent entity that accounts directly to Parliament through the National Assembly.

At issue is the fact that the regulator is not currently listed as an entity in terms of the Public Finance Management Act (PFMA), which means it can only receive funding to perform its functions through the DOJ&CD.

Speaking after the parliamentary hearing, advocate Pansy Tlakula, chairperson of the regulator, said: “This state of affairs is not only inconsistent with the principle of institutional independence provided for in POPIA, but also raises several conflicts of interest because the DOJ&CD is a responsible party in terms of POPIA and subject to the regulatory authority of the regulator in how it processes personal information.”

Tlakula’s comments follow the 2021 ransomware attack on the justice department’s IT systems, leading to all of the department’s information systems being encrypted and unavailable to internal employees, as well as members of the public.

The attack spilled over to the office of the Information Regulator, disrupting the watchdog’s IT systems.

The regulator relies on the DOJ&CD’s IT systems for its own operations.

At the time, the regulator “wrote” to DOJ&CD to remind it of its obligations in terms of Section 22 of the POPIA, which requires responsible parties to notify the regulator and the data subject where reasonable grounds exist and the personal information of a data subject has been accessed or acquired unlawfully.

Delay tactics

According to the watchdog, MPs spoke strongly against what is perceived as foot-dragging by the National Treasury in affecting the necessary legislative amendments to the PFMA to secure the regulator’s complete institutional independence.

“All we are asking for is an amendment of schedule one of the PFMA so that the regulator is listed as a constitutional body, as was envisaged when POPIA was passed,” says Tlakula.

“The issue of listing has remained unresolved for over five years. It is a major distraction to the important work that the regulator should be doing in securing the privacy and protection of personal information of all persons,” she adds.

The regulator notes the portfolio committee agreed on the end of March 2023 deadline, for a report to be submitted to the committee on how these matters are being addressed by the National Treasury, DOJ&CD and the regulator.