BUSINESS TECHNOLOGY MEDIA COMPANY
Companies
Sectors

Permission first before matric results publicised, says info watchdog

Read time 4min 50sec
Advocate Pansy Tlakula, chairperson of the Information Regulator.
Advocate Pansy Tlakula, chairperson of the Information Regulator.

The Information Regulator says matric results may only be published in the media with prior consent from learners and their parents.

Learners and parents must also be given the right to object to their personal information, in the form of matric results, being published in the media.

The information watchdog was responding to news that the Department of Basic Education (DBE) has decided not to publish matric exam results on any media public platforms in order to comply with the prescripts of the Protection of Personal Information Act (POPIA).

In a statement, the Information Regulator says it met with the DBE to discuss the department’s approach to bring the processing of matric results in compliance with POPIA, and the conditions that must be adhered to in so doing.

The Information Regulator points out that the DBE has a duty to ensure matriculants receive their results and that these results are accessed in an appropriate manner.

It states: “With regards to POPIA, a responsible party such as the DBE is empowered to decide how to bring its actions or decisions in compliance with POPIA. In this case, the Regulator will assess any decision regarding the publication of matric results based on the provision of POPIA.”

The cardinal principle of POPIA is to safeguard citizens’ personal information.

As a result, there needs to be an agreement between the department and a dissemination platform prescribing how that platform should process the personal information, according to the regulator.

In the case of personal information related to matric results being disseminated, POPIA would also require that the matriculants be advised of such an intention to disseminate the information and be advised of their right to object to such dissemination of information.

It states: “Once a matriculant, or a competent adult acting on their behalf, has objected to dissemination of their information, the department and dissemination platform have an obligation to ensure that such personal information is deleted from the record before it is disseminated.”

Speaking on SABC’s SAfm this morning, Information Regulator chairperson advocate Pansy Tlakula said the DBE has a legitimate reason for publishing matric results through various media platforms in order to make those results accessible.

However, if they decide to do that, they must ensure they comply with POPIA. The media platforms must also ensure they comply with the Act, she explained.

“This requires training in advance; it’s not something that they can do two weeks before publishing those results. For instance, the planning will require them to decide which personal information they share with the media – is it necessary to share ID numbers of learners with the media that, in my view, constitutes over-processing of personal information.

“If they want to disseminate the results through media platforms, they must inform all the learners and all the parents of their intention to make matric results available in various media platforms. They must inform them on which media platforms those results will be made available and how the results can be accessed.

“In addition, the department must also give the learners and the parents the right to object to the publication of their results in the media and the objections should be considered before publishing the results.”

She emphasised that POPIA doesn’t prevent or prohibit private and public bodies from performing their functions or exercising their powers. “If they process personal information, they have to ensure that they do that in compliance with the Protection of Personal Information Act.

“The media also has responsibilities and obligations, meaning that it must ensure that they use that personal information for the purpose of publishing results only. The media must ensure that once they have published that information, it must be deleted. They must also ensure that they protect the confidentiality and integrity of that information and protect it from possible security compromise.”

She added: “Publication is allowed provided all the requirements I have stipulated are complied with by the DBE. Going forward, they must plan in advance how they are going to inform the parents, guardians or the learners that the results will be published, in which media platforms, give them the opportunity to object and also enter into MOUs with the media platforms.”

The Information Regulator is empowered to monitor and enforce compliance by public and private bodies with the provisions of SA’s data privacy law.

Since 2013, SA’s data protection law POPIA has been put into operation incrementally, with a number of its sections having been implemented in April 2014.

On 1 July 2020, the Act as a whole came into effect. However, local companies were given a year-long grace period to comply. As of 1 July 2021, organisations that do not meet the conditions prescribed by the legislation must be held liable.

POPIA sets down firm frameworks that businesses and entities have to abide by to avoid fines, criminal prosecution and potential reputation loss.

Breaching the rules and regulations outlined by this Act can have serious financial implications for the business, which can cost more than money and have long-lasting consequences.

The Act makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.

See also