Data breaches are on the rise in South Africa, with the Information Regulator reporting a sharp increase in incident notifications.
This emerged yesterday at a media briefing by advocate Pansy Tlakula, chairperson of the Information Regulator. Tlakula presented the high-level cases centred on the Protection of Personal Information Act (POPIA) and Promotion of Access to Information Act (PAIA), as well as other legislative developments.
According to Tlakula, in the 2024/25 financial year, 2 374 security compromise incidents (data breaches) were reported, with an average of 198 notifications per month.
From the beginning of this financial year (April 2025 to date), 1 947 compromises were reported, with an average of 284 notifications received per month, demonstrating an increase of 40% in reported security compromises, she noted.
“The regulator continues to be deeply concerned about the increased number of compromise incidents occurring in the country, and calls on both the public and private sectors to make the requisite investments in developing and maintaining appropriate technical and organisational measures to secure the integrity and confidentiality of personal information in their possession.”
The Information Regulator plays a central oversight and enforcement role under POPIA when it comes to data protection and data breaches in South Africa.
POPIA requires organisations to notify the Information Regulator (and affected individuals) when a security compromise occurs. Where organisations fail to comply with POPIA, the regulator may issue compliance orders, impose administrative fines (up to R10 million), or refer matters for criminal prosecution in certain cases.
Fine consequences
Tlakula also provided a POPIA update, outlining the latest developments in the enforcement of the law.
“We issued three infringement notices to the bodies that had failed to comply with the enforcement notices served to them in terms of section 95 of POPIA, and have thereby contravened POPIA.
“Responsible parties must note that non-compliance with an enforcement notice is an offence, and we do not take this lightly as the regulator. The infringement notices now issued compel the institutions to pay administrative fines as determined by the regulator.”
According to the regulator, an enforcement notice was issued against the Blouberg Municipality after it was found to have grossly violated the right to privacy (as it relates to the protection of personal information) of its former employee.
Tlakula noted the municipality processed the personal information of a former employee, which was exposed on the internet.
“They failed to adhere to the corrective instructions in the enforcement notice; hence, they were liable to pay a fine of R500 000. The municipality failed to pay the administrative fine, and as such, the regulator has initiated court proceedings wherein the regulator is seeking to recover the amount of the administrative fine payable by the infringer.”
Lancet Laboratories was also issued an enforcement notice, following a compliance assessment, which had been brought about by the number of security compromises (data breaches) experienced by the company, said Tlakula. She noted it failed to comply with the requirement of notifying the regulator about the security compromises as required by section 22 of POPIA.
“What was also of grave concern was that the body did not notify the data subjects affected by the security compromise.”
Lancet Laboratories was compelled, through the infringement notice, to pay a fine of R100 000 following its failure to comply with the enforcement notice.
“We confirm that the fine has been duly paid by Lancet Laboratories,” she said.
According to the watchdog, FT Rams, a company against which a direct marketing complaint had been received, failed to comply with the enforcement notice issued following an investigation. An infringement notice with an administrative fine of R100 000 was then issued.
FT Rams, like Blouberg Municipality, also failed to pay the administrative fine, and the regulator has initiated court proceedings to recover the amount owed.
“We have a few POPIA and PAIA matters which are before the courts. In terms of POPIA, we are glad that some matters are being tested in court because POPIA is still a relatively new legislation. These matters are critical in shaping jurisprudence on POPIA and the right to data privacy in general,” Tlakula noted.
One of the cases relates to the Information Regulator versus the minister of basic education. This is a recent court case that relates to the publication of the annual matric results.
Tlakula said an enforcement notice had been issued against the Department of Basic Education (DBE) on 18 November 2024 following a finding from an assessment of how the DBE processes the personal information of learners who sit for matriculation exams.
She explained that the assessment found the DBE’s practices were in violation of the POPIA provisions, particularly the manner of publication of the results, which the regulator deems likely to compromise the personal information of learners.
The enforcement notice had ordered the DBE to provide an undertaking “that it will not publish the results of the 2024 matriculants in the newspapers” within 31 days from the date on which the order was served. It also ordered that the department “must not publish the results for the 2024 matriculants in newspapers and must make these results available to the learners using methods that are compliant with POPIA”.
“However, the DBE did not comply with the enforcement notice, thus forcing the regulator to issue an infringement notice against the DBE, in which it ordered the DBE to pay an administrative fine of R5 million following its failure to comply with the enforcement notice,” Tlakula said.
In January 2025, the regulator approached the Pretoria High Court to make an application on an urgent basis for an interdict against the publication of the matriculation results. The application was dismissed and placed on the ordinary roll.
The matter was not heard on its merits. In the meantime, the DBE had served papers on the regulator in an action to appeal the regulator’s decision and the matter was argued in the High Court on 27 and 28 October. Judgement was reserved.
Court challenge
Another case involves the Department of Justice and Constitutional Development (DOJ&CD), concerning a 2021 security compromise. After issuing the enforcement and infringement notices, where the DOJ&CD was to pay a R5 million fine, the department challenged this in court. The matter is pending a hearing.
Tlakula also pointed out that on 17 April, the amended POPIA regulations came into effect. The amendments place stricter measures on responsible parties to comply with the provisions of POPIA and subsequently enhance the right to privacy for data subjects (to whom the personal information relates).
Furthermore, the amendments place stricter rules on direct marketing practices in so far as the processing of personal information is concerned. These include the requirement for responsible parties to put in place multiple mechanisms for data subjects to seamlessly object to the processing of their personal information.
“The requirements also include a stipulation that, in the instance where direct marketing is done via telephone, it must be recorded, and the records should be made available to a data subject on request. The regulations compel the responsible parties to improve their compliance frameworks so as to track, handle and manage objections in an effective manner.”