SAPS under fire for alleged POPIA violation

Sibahle Malinga
By Sibahle Malinga, ITWeb senior news journalist.
Johannesburg, 08 Aug 2022

The Information Regulator (IR) says it has initiated an investigation into an alleged breach of the Protection of Personal Information Act (POPIA) by some officials of the South African Police Service (SAPS).

This comes after the release of personal details of the victims of the recent Krugersdorp attack. Late last month, the shocking story broke about the gang rape of eight women by a group of armed men at West Village near Krugersdorp.

The IR says it has been made aware that a list with personal details of the victims of this heinous crime has been leaked across social media platforms, allegedly by officials linked to the SAPS.

The information watchdog says it will conduct an own-initiative assessment as per Section 89 of POPIA into the measures put in place by SAPS to safeguard the personal information of the victims in this case.

The assessment will establish the circumstances of the leak, it says.

The Act, which came into effect on 1 July 2021, seeks to promote the protection of personal information processed by public and private organisations.

Alison Tilley, a member of the regulator, says: “We appeal to the public to stop sharing this list with the victims' personal details. If you have it, delete it. The list was released publicly in violation of POPIA.”

Tilley notes the distribution of the list is “not only a breach of POPIA, but is also a callous act of re-victimisation, and it is also a violation of the constitutional rights to privacy and human dignity”.

According to the IR, a responsible party has an obligation in terms of the conditions for lawful processing of personal information to secure the integrity and confidentiality of personal information in its possession by taking appropriate reasonable measures to prevent unlawful access to, or processing of personal information.

Should the responsible party fail to adhere to the conditions as referred to in Section 19 of POPIA, they will be in contravention of the law and necessary enforcement measures will be taken.

The regulator has been informed that this information continues to be shared publicly across all media platforms.

“The regulator has a duty to establish how these violations happened and to take necessary corrective and punitive action to ensure such a breach, if the facts show that it has occurred, never happens again. Such corrective and punitive measures include fines and imprisonment,” says the IR.

Faced with an increased number of complaints over the unlawful processing of personal information, the IR last week announced the establishment of an Enforcement Committee.