NAVIGATING POPIA COMPLIANCE: THE DBE MATRIC RESULTS CASE AND INTERGOVERNMENTAL DISPUTE RESOLUTION
Ferdie Lochner (PhD)
Versatile Professional | Business Administration, Technology Management & Legal Expertise | Academic Contributor | Director: Fiduciary and Legal Services at Indevaldi
Executive Summary
This article examines the dispute between the Information Regulator (IR) and the Department of Basic Education (DBE) regarding the publication of matric results. It analyzes the legal framework for resolving such disputes, the implications of the IR's enforcement notice, and the broader lessons for the Protection of Personal Information Act 4 of 2013 (POPIA) compliance. The case highlights the importance of proper dispute resolution procedures and the need for careful consideration of personal information processing in public sector activities.
Introduction
The recent controversy surrounding the publication of matric results has brought to light critical issues concerning intergovernmental relations and the protection of personal information. This case study explores the intricacies of intergovernmental disputes, the definition of personal information, and the challenges of balancing public interest with individual privacy rights. The Information Regulator's Enforcement Notice issued on November 6, 2024, to the DBE serves as a focal point for this analysis.
Enforcement Notice and POPIA Compliance
The IR's enforcement notice to the DBE, issued on November 6, 2024, highlighted several key issues:
1. Consent: The DBE failed to obtain consent from learners or their guardians for publishing matric results in newspapers for the 2023 National Senior Certificate examinations.
2. Legitimate Interest: The DBE did not demonstrate how publishing results in newspapers serves a legitimate interest that outweighs the privacy rights of learners.
3. Legal Obligation: The DBE could not show that publishing results in newspapers is a legal requirement.
4. Examination Numbers: The IR considers examination numbers to be personal information, in line with POPIA's definition.
The notice outlines specific steps for the DBE to comply with POPIA:
1. For the 2024 matric examination results:
a) The DBE must not publish results in newspapers.
b) Results should be made available through POPIA-compliant methods, such as individual collection from schools or the DBE's secure SMS platform.
2. For the 2025 matric examination results:
a) The DBE must obtain consent from learners over 18 or parents/guardians of those under 18 before publishing results in newspapers.
b) A consent management system must be developed and must first be verified by the Regulator; among other things, it must also provide for the withdrawal of consent.
c) The DBE must devise a new method of assigning examination numbers or ensure the current method prevents identification of individual learners within schools.
Personal Information and Context
The definition of personal information under POPIA is broad and context-dependent. An examination number, even without other identifying information, may still constitute personal information if it can be used to identify an individual within a specific context (e.g., within a school).
The court order issued by the Gauteng Division of the High Court in Pretoria on January 18, 2022, allowed publication of matric results without names or surnames, suggesting that examination numbers alone may not be considered personally identifiable in all contexts. This order was in response to a case brought by AfriForum and other applicants against the DBE and other respondents. The judge ruled that the DBE should publish the National Senior Certificate results on public platforms (media platforms) as was the practice in previous years, but without reflecting the first names and/or surnames of any of the learners.
However, this court order clearly does not negate the IR's concerns about potential identification of learners. As a result, the IR maintains that publishing results in newspapers violates POPIA. This highlights the ongoing tension between public interest and individual privacy rights in the context of matric result publication.
Proposed Solutions and Compliance Measures
The IR has proposed several measures for the DBE to comply with POPIA:
1. Obtain consent from learners or guardians before publishing results.
2. Develop a system to manage consent in compliance with POPIA.
3. Devise a new method of assigning examination numbers or ensure current methods prevent identification of individual learners.
Challenges in Implementation
Presuming that a randomized allocation of examination numbers is proposed, such a scheme, or any other that involves a revised numbering scheme, presents several practical challenges:
1. Technical feasibility and time constraints.
2. Cost considerations.
3. Data reconciliation issues.
4. Trust in IT systems and implementation capacity.
The DBE likely views the risks and costs of rushing this change as outweighing the potential benefits for the 2024 results. A more gradual approach, with careful planning and testing, might be more feasible for future examination cycles.
Context Matters
The South African context adds complexity to this case:
1. Historical practice of publishing matric results.
2. Socioeconomic realities and the digital divide.
3. Diverse educational settings across urban and rural areas.
4. Constitutional rights of children and the public interest in education.
These contextual factors underscore the need for a nuanced approach to data protection that considers the unique circumstances of South Africa's education system.
Legal Framework and Dispute Classification
From my reading of the Intergovernmental Relations Framework Act 13 of 2005, the tussle between the IR and DBE does not constitute an intergovernmental dispute as defined in this Act. The IR, established under section 39 of POPIA, is an independent body subject only to the Constitution and the law. It is not automatically subject to the Intergovernmental Relations Framework Act.
However, Section 2(3)(b) of the Act states that an organ of state may participate in an intergovernmental structure if "it is invited to participate." This provision introduces a nuance to the situation, as the IR could potentially be involved in intergovernmental processes if invited by the DBE, which is in fact subject to the Act.
Considering the complex situation between the IR and the DBE, a strategic approach for the DBE would be to propose resolving the matter through the framework provided by the Intergovernmental Relations Framework Act. While the IR is not inherently bound by this Act, Section 2(3)(b) provides a mechanism for their involvement upon invitation. By initiating this process, the DBE could pave the way for a more durable and practical resolution to the dispute.
The DBE's legal representatives could present this proposal as part of their formal response to the Enforcement Notice. Engaging in this collaborative framework has the potential to yield a more constructive outcome that addresses the core concerns of both parties. This approach would aim to ensure compliance with POPIA while also taking into account the practical realities and challenges of implementing data protection measures within South Africa's diverse educational landscape.
Conclusion
The DBE matric results case serves as a crucial reminder of the complexities of POPIA compliance, both for public sector activities and for the private sector. It also highlights the potential for using intergovernmental dispute resolution mechanisms to address such issues. For Information Officers and organizations, this case underscores the need for:
1. Careful consideration of what constitutes personal information in different contexts.
2. Proactive measures to ensure compliance with POPIA in all data processing activities.
3. Balancing public interest with individual privacy rights.
4. Consideration of practical challenges in implementing data protection measures, particularly in diverse socioeconomic contexts.
5. Familiarity with intergovernmental dispute resolution processes and the potential for inviting independent bodies to participate in these processes.
By learning from this case, organizations can better navigate the complex landscape of data protection, ensuring both legal compliance and the protection of individuals' personal information while addressing the unique challenges of the South African environment.