The Information Regulator has found that Central Johannesburg TVET College contravened multiple provisions of the Protection of Personal Information Act (POPIA), after employees’ personal information was mistakenly shared with unauthorised staff members and the institution failed to report the security compromise.
In an enforcement notice, the regulator ruled that the college breached several conditions for the lawful processing of personal information, including accountability, further processing limitations and security safeguards.
It also found the institution failed to notify affected individuals and the regulator of the security compromise, as required under section 22 of POPIA.
The findings stem from an incident in September 2022, when verification reports containing employees’ personal information were inadvertently distributed to staff members via e-mail.
According to the regulator, the college had collected the information, including qualification and criminal record verification reports, as part of efforts to strengthen governance after being placed under administration.
However, the information was later shared with employees who were not involved in the governance review process.
The regulator found the reports had been mistakenly included in a folder containing finance policies by the acting chief financial officer and subsequently circulated internally.
The sharing of these reports with other employees who were not involved in the strengthening of governance of the institution, albeit by mistake, was incompatible with the purpose for which the personal information in the verification reports was collected, the regulator says.
No justification
It rejected the college’s argument that the complainants were not intended recipients of the e-mail and that possession of the information contravened internal communication policies, stating that such considerations did not justify non-compliance with POPIA.
The regulator found that the college failed to obtain consent for the further processing of the employees’ personal information and that none of the legal grounds for further processing provided under POPIA applied in this case.
In addition, the watchdog determined that the institution had inadequate organisational measures in place to safeguard personal information.
It pointed to the college’s failure to register an information officer and deputy information officers with the regulator, as well as weaknesses in the handling and storage of sensitive information.
The regulator notes that the college’s failure to keep the complainants’ verification reports separate from the financial policies, coupled with its failure to register an information officer with the regulator, indicates an absence of organisational measures to prevent unlawful access to, or processing of, personal information.
The regulator also found that the unauthorised disclosure constituted a security compromise that triggered a legal obligation to notify the regulator and the affected data subjects.
While the college issued an internal e-mail acknowledging the mistake and recalling the document, it failed to formally notify either party as required by law.
As a result, the regulator has ordered the college to register its information officer and deputy information officers within 31 days, submit a POPIA compliance framework, implement privacy and security policies, conduct staff awareness and training programmes, and take appropriate action against the employee responsible for the unlawful sharing of the information.
The college has also been instructed to provide proof of compliance to the regulator within specified timeframes.
The institution has 31 days to appeal the enforcement notice. Failure to comply with the order could constitute an offence under POPIA, punishable by a fine, imprisonment of up to 10 years, or both.
Employment relationship
Commenting on the matter, advocate Dirontsho Mohale, chief privacy, legal, compliance and executive officer at Baakedi Professional Practice, says she partly agrees with the findings.
“From the facts detailed in the enforcement notice, I am in agreement with the enforcement committee that the processing was indeed compatible with section 15 requirements, as it was directly related to the employment relationship in terms of which criminal records of employees must be declared and assurance that employees are not in competition with the employer is required.
“These two facts can materially impact the employment relationship. These processing activities are not in dispute.”
Mohale notes that the information that was accessed may have included adverse special personal information, particularly criminal record information.
However, she says the enforcement notice correctly identified the matter as a failure to comply with security compromise notification requirements, as employees who had no legitimate reason to access the information were able to do so.
“There is no mention of the files being protected which means the security safeguards implemented, if any, were inadequate. The college subsequently failed to notify both the regulator and the data subject and had no reason for the delay.”
She also points out that the enforcement notice makes no reference to contractual arrangements with third-party suppliers or operators, although she believes it is unlikely they would have been entirely free of responsibility.
Mohale says the regulator was justified in directing the college to strengthen its POPIA compliance measures and staff training programmes.
“The college should not restrict its training to general awareness training and expand it to role-specific training for each department and risk.”
Mohale further notes that the underlying incident occurred in 2022, raising questions about how long data privacy complaints can remain active before enforcement action is taken.
“Of interest is that the incident took place in 2022 and without access to when the regulator received the complaint, it may appear that there is no prescription period for data privacy complaints.”
ITWeb has reached out to the college for comment on the issue.