Between October 2022 and now, South Africa’s Information Regulator received over 500 notifications of data breaches or security compromises.
The over-processing of data subjects’ personal information is squarely to blame for this, according to advocate Pansy Tlakula, chairperson of the Information Regulator.
Tlakula yesterday participated in a fireside discussion with ITWeb’s editor-in-chief Adrian Hinchcliffe, at the ITWeb Governance, Risk and Compliance 2023 event.
Detailing some of the biggest challenges her office faces, Tlakula noted data breaches are a big problem in this country – much bigger than people think.
“Every public body, every private body that has suffered a security compromise or data breach has to notify us – there is no threshold. Even if one person was breached, they still have to notify us.
“If you look at 500 (it’s 564 to be precise), it means that in a month, this country suffers about 56 data breaches – major and minor ones,” she revealed. “I think we are one of the highest in the world with data breaches.”
The Information Regulator, which is headed by Tlakula, is mandated to ensure organisations put in place measures to protect the data privacy of South Africans under the Protection of Personal Information Act (POPIA).
As of June 2021, it has taken over the regulatory mandate functions relating to the Promotion of Access to Information Act (PAIA) from the South African Human Rights Commission.
Tlakula told the audience that credit bureaus are the top organisations that keep her awake at night. They are followed by mobile operators, financial institutions and direct marketers.
“I always see an advert on television of one of the direct marketing companies, which says ‘if you want to buy, here is number to contact us and send us your ID’. It baffles me; what are they doing with people’s IDs?
“An ID is a unique identifier. If you’re selling goods and you want people to buy those goods, why are you collecting their ID? That particular company, we are actually setting our sights on it.”
However, she wouldn’t divulge the name of the organisation, stating: “It shall remain nameless.”
Asked if she ever pulls the “do you know who I am card” when she’s asked by security guards to provide her personal information upon entering an office park or gated community, the chairperson said she doesn’t, but does explain politely to the manager who she is.
“I refuse to give them [security guards] that information. I ask them why they want that information and they always say it’s for security. I tell them that the only information they need is my registration number, the colour of my car, whether I’m male or female and what I’m wearing.”
What are they doing with all of this information, she questioned. “They scan…the disc, once they scan that, it has all your personal information down to your address, everything.
“That is why there are so many data breaches in this country, because our personal information is all over the place. We don’t know what eventually happens to it.
“I refuse and then they tell me that I can’t enter, which is when I ask them to call the manager. When the manager comes, I explain politely who I am. There’s no point in saying that to the security people; they won’t know what you are talking about.”
In terms of addressing the spate of security compromises, Tlakula is confident the regulator’s recently-instated Enforcement Committee is up to the task, noting it is currently considering complaints of POPIA and PAIA transgressions.
“For me, this is the biggest achievement, because we can now begin to enforce POPIA effectively.”
Share