Info watchdog members reappointed as data breaches mount
President Cyril Ramaphosa has largely retained members of the Information Regulator, although SA has been at the mercy of data breaches and leaks under their watch.
The president appointed four members of the regulator to begin a new term, with effect from 1 December.
The members will serve a five-year term as full-time and part-time members at the regulator. The members are advocates Pansy Tlakula (chairperson), Lebogang Stroom-Nzama (full-time member) and Collen Weapond (full-time member), who will all be serving a second term.
They will be joined by new appointee Mfana Gwala as a part-time member. They start their new term alongside current part-time member Alison Tilley, who was appointed in December 2020.
The Information Regulator is, among other duties, empowered to monitor and enforce compliance by public and private bodies with the provisions of South Africa’s data privacy law, the Protection of Personal Information Act (POPIA).
Following a one-year grace period to comply with POPIA, from 1 July, organisations that do not meet the conditions prescribed by the legislation must be held liable.
Previously, the enforcer of POPIA, the Information Regulator, did not have teeth to deal with violators of the data privacy law, which was passed in July last year.
The Act sets down firm frameworks that companies have to abide by to avoid fines, criminal persecution and potential reputation loss.
Breaching the rules and regulations outlined by this Act can have serious financial implications for the business, which can cost more than money and have long-lasting consequences.
The Act makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.
Data privacy at stake
Although the law is in place, SA continues to be plagued by data breaches and leaks that have exposed the personal details of millions of South Africans.
For example, in September, over a million South African citizens potentially had their personal data exposed after a ransomware attack at debt recovery services firm Debt-IN Consultants. Most local banks make use of Debt-IN Consultants’ services.
In August last year, credit bureau Experian suffered a breach of data, which exposed some personal information of as many as 24 million South Africans and 793 749 business entities to a suspected fraudster.
The Information Regulator, in October, expressed shock that Experian customer data was recently leaked on Telegram, in what appears to be a continuation of the data breach the credit bureau experienced last year.
Also last year, big four bank Absa suffered a data leak, which exposed customer data to external parties.
Ransomware attacks, which expose user data to third-parties, have also become common in SA, with organisations like Transnet, the justice department, as well as the South African National Space Agency recently falling victim.
The regulator has from time to time said it is concerned about the high number of security breaches in SA.
The latest IBM Security Cost of a Data Breach Report indicates the global average cost of a data breach has risen to $4.24 million in 2021, a 10% increase overall and the largest percentage increase in the 17-year history of the report.
In South Africa, IBM says the average cost was $3.21 million – the highest in the southern hemisphere.
According to the regulator, Gwala joins the team with more than 10 years’ experience in public administration matters, employment and labour, constitutional litigation, procurement disputes, commercial litigation and alternative dispute resolution. He has also served as an executive member of the Law Society.
It says the call for nominations of members of the regulator came in less than a month after the regulator took over the functions in terms of the Promotion of Access to Information Act (PAIA) 2000, and the coming into effect of enforcement powers in terms of the POPIA 2013.
This transition has been a major milestone for the members since the establishment of the regulator, the watchdog notes.
Reflecting on the past five years, the regulator says in December 2016, the members of the regulator entered the offices of the Department of Justice and Constitutional Development at Sangro House Pretoria and started day one of their work with nothing more than the copies of POPIA and PAIA.
“It was evident there was a great task at hand to ensure there is protection of personal information and effective access to information for every member of the public,” the watchdog says.
It points out that during their five-year term, members of the regulator managed to build a strong administration, by successfully filling all the executive positions and establishing an administration, which is led by chief executive officer Mosalanyane Mosala.
“What started as a team of five in 2016 has now grown to a team of 84 staff members. In addition, the regulator undertook numerous robust stakeholder engagement sessions, engaging with responsible parties monthly, to assist with interpretation of the provisions of the two laws.
“The members were instrumental in the development of guidance notes, which provided much-needed guidance to responsible parties, to equip them in being POPIA and PAIA compliant.”
Professors Tana Pistorius and Sizwe Snail ka Mtuze served as part-time members in the inaugural term and played an integral role and were instrumental in the establishment of the regulator, it says.
Pistorius served for four years before her resignation in September 2020 following the relocation of her family. Snail ka Mtuze served the full term and did not make himself available for reappointment.
Tlakula expresses her sincere gratitude for their contribution to the institution and lauded their expertise in cyber and ICT laws, which made a significant contribution to the work of the regulator.
“As members of the regulator, we are honoured to be entrusted by Parliament with the responsibility of ensuring the protection of rights of members of the public in so far as these rights relate to access to information and protection of their personal information.
“We are grateful for the stellar contribution of our former colleagues, Prof Pistorius and Prof Snail ka Mtuze. As we continue our work given to us by the representatives of the people of South Africa, we shall build on the solid foundation that these two former colleagues helped to build.”