InfoReg sounds alarm over POPIA non-compliance, breaches

By Simnikiwe Mzekandaba, IT in government editor
Johannesburg, 29 Jun 2022
Advocate Pansy Tlakula, chairperson of the Information Regulator.

Since July 2021, the Information Regulator has received and pre-investigated over 700 complaints from data subjects.

Furthermore, the regulator recorded over 330 reports of security compromises, or data breaches, since July last year.

This was revealed by advocate Pansy Tlakula, chairperson of the Information Regulator, speaking at the regulator’s media briefing this morning.

The Information Regulator – headed by Tlakula – is, among other duties, empowered to monitor and enforce compliance by public and private bodies with the provisions of SA’s data privacy law, the Protection of Personal Information Act (POPIA).

Last June, it also took over the regulatory mandate functions relating to the Promotion of Access to Information Act from the South African Human Rights Commission.

Tlakula said most of the complaints received relate to direct marketing, which is of grave concern and an indication that responsible parties are not complying with several POPIA sections. These include section six, relating to direct marketing by means of unsolicited electronic communication, and section 11, on consent, justification and objection, she stated.

“The regulator is concerned that South Africans continue to be bombarded with unsolicited direct marketing messages that do not comply with the provision of section 69 of POPIA,” stressed Tlakula.

“This section prohibits direct marketing by means of unsolicited electronic communications, including automatic calling machines, facsimile machines, SMSes or e-mail, unless the data subject has given their consent to the processing, or is a customer of the responsible party.”

Tlakula pointed out that a subject of contention has been debate on whether a telephone call constitutes an electronic communication in terms of the definition of electronic communication in POPIA.

In POPIA, electronic communication is defined as any text, voice, sound or image message sent over an electronic communications network, which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient.

This is why data subjects have seen an increase in direct marketing by telephone call, as the perpetrators have found a loophole, she explained.

“The regulator intends to draft a guidance note on the interpretation of section 69 of POPIA and will engage relevant stakeholders in this regard. However, section 69 is clear in so far as the requirement for direct marketing through unsolicited electronic communication is concerned.”

Rising risks

According to Tlakula, the country is experiencing an alarming rate of data breaches, with the regulator having recorded more than 330 such reports since last July.

South African organisations are increasingly being targeted by cyber criminals. For example, in May, pharmacy retail giant Dis-Chem fell victim to a cyber attack. The cyber incident, which emanated from its third-party service provider, resulted in the data of over 3.6 million South Africans being compromised.

Prior to that, TransUnion’s systems were compromised, leaving millions of personal records of South Africans at the mercy of hackers.

In 2020, Experian experienced a breach of data, which exposed some personal information of as many as 24 million South Africans and 793 749 business entities to a suspected fraudster.

Tlakula said in instances where there is a security compromise, or the regulator believes certain processing does not comply with any of the conditions for lawful processing of personal information, it has the power to conduct its own-initiative assessment.

As a result, the own-initiative assessments the regulator is currently conducting involve WhatsApp, TransUnion and the Department of Justice and Constitutional Development, she noted, adding that the assessments are at an “advanced stage”.

“Due to the prevalence of security compromises, the regulator has decided to establish a dedicated security compromise unit, which will conduct extensive investigations or assessments into the security compromises suffered or experienced and issue reports with findings and recommendations.

“These reports are in terms of section 91 (3) of POPIA, deemed to be enforcement notices.”