Days ahead of the release of matric results on 14 January for the 2025 cohort, the Department of Basic Education (DBE) says it will defend a new court bid by the Information Regulator to stop it from publishing these in the media.
The Information Regulator, having lost a bid earlier this month to stop the DBE from publishing matric results in the media, is now approaching the Supreme Court of Appeal with a request that it be allowed to appeal the North Gauteng High Court ruling that it says is erroneous.
In its court papers, a copy of which is in ITWeb’s possession of, the regulator says such an appeal would resolve all the issues between the parties. “It is in the interests of justice and in the public interest that the lawfulness of the publication of matric results be finally determined by a higher court,” the papers say.
Lukhanyo Vangqa, ministerial spokesman, says the DBE will defend the court application.
Wrongly defined
Among the Information Regulator’s arguments is that the High Court should not have introduced and relied on the new term of “personally identifiable information,” which is not found in the Protection of Personal Information Act (POPIA).
In addition, the Information Regulator says this definition is too narrow and suggests that information is only protected if a person can be identified without any particular effort or “diligence”.
“The court has introduced a phrase and a definition which is foreign to POPIA,” the papers state. “The introduction of the phrase and a definition for it amounts to making law as opposed to interpreting the law and the court does not have law-making powers.”
Based on this new terminology, the High Court concluded that DBE’s publication of results did not violate the law.
However, the agency – headed by Advocate Pansy Tlakula – says the details that the DBE publishes include examination numbers and the associated results, which it argues constitutes personal information under the law. The regulator says the use of the exam number doesn’t require much effort to associate with a person.
POPIA is designed to protect all personal information, regardless of how much “trouble” someone has to go through to link it to a specific person and the high court’s narrow interpretation undermines the purpose of the privacy law, the regulator says.
In November 2024, the Information Regulator issued the DBE with an infringement notice following an “own-initiative assessment” of the department and found that it failed to obtain consent for the publication of matric results from learners or parents/guardians of learners that sat for the 2023 National Senior Certificate examinations.
The regulator directed the department to get consent before it published this year’s results in the media. The DBE stopped publishing full names with matric results in newspapers after the 2021 exams, which were released in January 2022, using individual examination numbers instead.
In the enforcement notice, the Information Regulator argues that publishing results in the media is not the only avenue available to the department to distribute results. Matric results are available via the exam centre, the DBE’s website, and SMS.
Skeleton staff
Another ground for its application is that the department filed its appeal against the regulator’s initial enforcement notice late; after the deadline set by POPIA.
The court permitted this late filing, with the data privacy enforcement agency saying it had no jurisdiction to do so under POPIA.
The papers were lodged with the regulator six days late as the Office of the State Attorney was working on “skeleton staff,” which the North Gauteng High Court deemed was reasonable.
Creating certainty
Donrich Thaldar, Professor of Law at the University of KwaZulu-Natal, argues in an open letter to the Information Regulator that the 12 December judgement should be welcomed “without hesitation” as it “affirms a realistic and workable understanding of identifiability” under the Act.
“Crucially, the judgment makes clear that pseudonymised data placed in the public domain is, in general, non-personal in nature. Where direct identifiers have been removed and no unusual or highly distinctive features render identification realistically possible, the data falls outside POPIA’s scope. This is not a weakening of privacy protection; it is a principled articulation of its limits,” says Thaldar.
Thaldar adds that the ruling provides a practical, principled framework for data governance in South Africa that protects privacy, enables responsible data use, and gives researchers, institutions, and regulators legal certainty.
In another letter, Paul Esselaar, Esselaar Attorneys, co-author of “Overthinking the Protection of Personal Information Act”; Professor Sizwe Lindelo Snail ka Mtuze, Adjunct Professor at Nelson Mandela University and former Member Information Regulator; and Lucien Pierce, telecoms and technology lawyer, co-author of “Cyberlaw IV: The Law of the Internet in South Africa" say South Africans rightly care deeply about the privacy of children.
"That concern sits at the heart of the Protection of Personal Information Act and must be taken seriously by government, regulators and courts alike. However, privacy protection is weakened — not strengthened — when the concept of personal information is unduly restricted."
They note that the recent litigation involving the minister of basic education and the Information Regulator has brought this issue into sharp focus.
"As ICT and data governance lawyers practising in South Africa, we are concerned that the court’s reasoning on pseudonymised information (personal information that can no longer be attributed to a specific data subject without the use of additional information) did not sufficiently engage with the real-world context in which matric results are written, known, shared and re-identified."
According to the lawyers, this matters because POPIA does not protect information in the abstract. "It protects information where a person is identifiable by reasonably foreseeable means. Context is therefore not optional; it is the test."
They note that international courts have recognised this clearly. "In the 2025 European Single Resolution Board (SRB) litigation, pseudonymised data was shared with Deloitte for a limited auditing purpose. In determining whether the data was 'personal data' in Deloitte’s hands, the court emphasised several decisive contextual factors: the data was disclosed to a single professional recipient; Deloitte had no legal or practical access to the re-identification key; Deloitte was contractually bound not to attempt re-identification; and there was no reasonably foreseeable lawful way for Deloitte to identify the data subjects.
"In that setting, the court accepted that pseudonymised data could fall outside the scope of 'personal data' in the hands of the recipient, Deloitte."
They add that the matric-results context is fundamentally different.
"First, consider access. Matric results published using examination numbers are not disclosed to a confined, professional audience. They are released to the general public at large—including learners, parents, peers, neighbours, journalists and social media users.
"Second, contractual and legal constraints. Unlike Deloitte, the general public has no contractual obligation not to re-identify learners. There is no enforceable legal duty on a learner, parent or friend to “forget” an examination number or to refrain from connecting it to a name.
"Third, foreseeability of re-identification. Re-identification of matric numbers is not hypothetical or technologically sophisticated; it is designed into the examination process itself. Learners see their own numbers on scripts. They sit next to classmates. They observe seating arrangements. They glance at papers while entering or leaving exam halls. Parents are given the numbers. Schools distribute them. The system assumes—and requires—that the learner and family know the number. To suggest that public re-identification is not reasonably foreseeable in this context is to ignore how matric exams actually work."
According to them, this is the critical distinction. "In the SRB case, re-identification was legally and practically remote. In the matric context, re-identification is ordinary, expected and inevitable. The same legal label— 'pseudonymised'—cannot produce the same outcome in two radically different factual environments."
"POPIA itself points us in this direction. It asks whether information can be used, manipulated or linked by a reasonably foreseeable method to identify a person. That inquiry is contextual, not theoretical. It must consider who receives the information, under what conditions, and with what realistic capabilities. POPIA also requires (section 2(b)) that the Information Regulator and courts consider international precedent such as the SRB case above.
"Our focus is on ensuring that courts and regulators apply POPIA coherently and credibly. If pseudonymised data is treated as non-personal in tightly controlled professional settings, but also treated as non-personal when released to the entire public without adequate safeguards, the law loses internal consistency."
Privacy law must be principled to be effective, they add. "Context is not a loophole; it is the mechanism by which the law distinguishes safe data use from harmful exposure. In the case of matric results, that contextual analysis deserved closer attention and it was certainly not “fanciful” to argue, as the Information Regulator did, that personal information would be available to someone other than the data subject.
"So why does all this matter? As soon as the court holds that the information is not “personal information”, then everything - the entire 148 pages of POPIA - no longer applies. This means that every single safeguard built into POPIA to protect privacy falls away. This even includes situations of data sharing and cross-border data transfer (where personal information is sent overseas to other countries who may have poor privacy protections).
"In this context, we call upon the Information Regulator to appeal the judgment by the 8th January 2026 as a failure to do so will mean that South Africa will be fundamentally out of step with international data protection practice and will be a significant blow to South African’s data privacy."
Share