Navigating POPIA Compliance: Lessons from the Landmark DOJ&CD Case
The landscape of data protection shifted significantly with the implementation of the Protection of Personal Information Act (POPIA). Recent events, particularly the imposition of the first administrative fine on the Department of Justice and Constitutional Development, illuminate the critical importance of compliance with this legislation. As organizations navigate the complexities of data management and security, understanding the lessons gleaned from this landmark case becomes imperative. Join us as we delve into the intricacies of POPIA and the repercussions of non-compliance in safeguarding personal information.
Protection of Personal Information Act (POPIA)
1. Introduction
On 3 July 2023 the Information Regulator issued its first administrative fine, for violations of POPIA and for failing to comply with an enforcement notice. This alert considers the key lessons to be drawn from the fact that the Department of Justice and Constitutional Development failed to remedy the information security shortcomings identified by the Information Regulator and is now the first responsible party to be sanctioned for non-compliance.
The infringement notice and administrative fine followed a period in which the Information Regulator had received more than 500 security compromise notifications and had been criticised for not acting on data subjects' complaints.
Following data breaches in its IT environment in September 2021, the Information Regulator determined in May 2023 that the Department of Justice and Constitutional Development (DOJ&CD) had contravened sections 19 and 22 of the Protection of Personal Information Act 4 of 2013 (POPIA). A total of 1,204 files containing personal information were lost.
The Information Regulator's investigation found that the department had failed to renew its security and event monitoring, intrusion detection system and Trend antivirus licences. These had expired in 2020; had the services been active, they would have alerted the department to the attempted network access. Because of these insufficient security measures, the network was accessed without authorisation and personal information was compromised.
The Information Regulator then issued an enforcement notice giving the DOJ&CD 31 days to correct the deficiencies, take disciplinary action against the responsible officials and submit proof of both to the Information Regulator. Despite receiving the notice, the department neither carried out the required corrective action nor submitted proof that the deficiencies had been resolved before the notice expired on 9 June 2023. In fact, the DOJ&CD did not engage with the Information Regulator at all. For failing to comply with the enforcement notice, the DOJ&CD was fined R5 million.
The department was given 30 days from 3 July 2023 to pay the administrative fine, to arrange with the Information Regulator to pay it in instalments, or to elect to be tried in court on a charge of contravening POPIA.
There are lessons here for natural and juristic persons alike, both from the DOJ&CD's shortcomings and from the response of the Information Regulator, which has confirmed that further penalties and administrative fines will be issued for POPIA violations.
2. Personal information must be kept secure
Condition 7 of POPIA (Security Safeguards), one of the conditions for lawful processing of personal information, sets out the security measures that responsible parties must implement. Section 19 is headed "Security measures on integrity and confidentiality of personal information" and provides:
(2.1) A responsible party must ensure the integrity and confidentiality of personal information in its possession or control by taking appropriate, reasonable technical and organizational measures to prevent:
(2.1.1) loss, damage, or unauthorised destruction of personal information; and
(2.1.2) unauthorized access to or processing of personal information.
(2.2) To give effect to subsection (1), the responsible party must take reasonable steps to:
(2.2.1) identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
(2.2.2) establish and maintain appropriate safeguards against the risks identified;
(2.2.3) regularly verify that the safeguards are effectively implemented; and
(2.2.4) ensure that the safeguards are constantly updated in response to new threats.
Responsible parties must have due regard to generally accepted information security practices and procedures, applied in a manner appropriate to their environment and to the type of information being secured.
A risk-based approach is required to identify and assess the threats that could compromise the personal information a responsible party holds. Mitigation measures must be appropriate to those risks and demonstrable. They will include governance structures, technical measures such as security software, physical protection of data, and the personnel skills needed to protect information effectively.
The DOJ&CD was found to have acted negligently by failing to ensure that its security software licences were renewed and by failing to manage the risk of unauthorised access to its environment with suitable controls. The Information Regulator also indicated that the officials responsible for ensuring that proper safeguards were in place would be held to account for their inaction. Organisations must ensure that the personal information they collect, process and retain is secure at all times and not exposed to unauthorised access, misuse or loss.
This may be accomplished by:
1. implementing and maintaining effective governance frameworks and physical and technical safeguards;
2. ensuring that the officials responsible for protecting information have the skills and tools needed to meet security objectives; and
3. conducting regular risk assessments to test the effectiveness of protective measures against current and emerging threats.
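The failure at the heart of this case was not a missing control but a control that had silently stopped working: the licences for the monitoring, intrusion detection and antivirus tooling lapsed in 2020 and nobody verified that the safeguards were still effective, which is exactly what section 19(2)(c) requires. The script below is an added example written for this article, not code from the DOJ&CD or the Information Regulator. It audits a constructed inventory of security controls (the control names, licence dates and last-event dates are hypothetical) for two conditions a periodic verification should catch: a licence that has expired or is about to, and a control that has stopped producing telemetry regardless of its licence state.

```python
"""Periodic verification that security safeguards are still in force.

Added example for this article. The inventory below is constructed for
illustration; the dates and control names are hypothetical.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Control:
    name: str
    licence_expires: date   # date the vendor licence or subscription ends
    last_event: date        # last day the control produced any telemetry


# Constructed sample inventory (hypothetical dates, not real licence data).
SAMPLE_CONTROLS = [
    Control("Security and event monitoring", date(2020, 8, 31), date(2020, 8, 30)),
    Control("Intrusion detection system", date(2020, 11, 15), date(2020, 11, 14)),
    Control("Endpoint antivirus", date(2021, 11, 30), date(2021, 9, 5)),
    Control("Perimeter firewall", date(2022, 6, 30), date(2021, 9, 6)),
]

# The audit is run as of a fixed date so results are reproducible.
SAMPLE_TODAY = date(2021, 9, 6)


def audit_controls(controls, today, warn_days=90, max_silence_days=1):
    """Return (control name, finding) pairs for controls needing attention.

    Findings:
      LICENCE_EXPIRED  - licence end date is in the past
      LICENCE_EXPIRING - licence ends within warn_days
      NOT_REPORTING    - no telemetry for more than max_silence_days
    A control can raise more than one finding; an expired licence on a
    control that also stopped reporting is the pattern described above.
    """
    findings = []
    for c in controls:
        if c.licence_expires < today:
            findings.append((c.name, "LICENCE_EXPIRED"))
        elif c.licence_expires - today <= timedelta(days=warn_days):
            findings.append((c.name, "LICENCE_EXPIRING"))
        if today - c.last_event > timedelta(days=max_silence_days):
            findings.append((c.name, "NOT_REPORTING"))
    return findings


def controls_without_coverage(controls, today, max_silence_days=1):
    """Names of controls that are not currently protecting anything:
    either the licence has lapsed or the control has gone silent."""
    flagged = {
        name for name, finding in audit_controls(controls, today,
                                                 max_silence_days=max_silence_days)
        if finding in ("LICENCE_EXPIRED", "NOT_REPORTING")
    }
    return sorted(flagged)


if __name__ == "__main__":
    for name, finding in audit_controls(SAMPLE_CONTROLS, SAMPLE_TODAY):
        print(f"{finding:17} {name}")
    print("Uncovered:", controls_without_coverage(SAMPLE_CONTROLS, SAMPLE_TODAY))
```

The two checks are deliberately independent: a renewed licence does not prove the agent is running, and a live heartbeat does not prove the vendor will keep delivering signatures once the subscription ends. Run against the real inventory on a schedule, the output is the evidence of "regular verification" that the enforcement notice asked the department to produce.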
3. Notify the Information Regulator if security is compromised or a data breach occurs
Section 22 of POPIA requires the responsible party, where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, to notify:
1. the Information Regulator; and
2. the data subject, unless the identity of the data subject cannot be established.
Notifying the Information Regulator is a statutory obligation, not a voluntary step. The responsible party must notify the Information Regulator as soon as reasonably possible after discovering the compromise.
Adv. Pansy Tlakula, Chairperson of the Information Regulator, has previously indicated that every security compromise must be reported, even where only one person's personal information is affected. The Information Regulator has published the "Guidelines on Section 22 Notification of Security Compromises or Guidelines on Completing Section 22 Security Compromise Notification Form", which sets out the procedure for reporting a security compromise. The guidelines are available online, and organisations must follow the clearly specified process.
In this case, the DOJ&CD failed to notify the Information Regulator of the security compromise when it occurred, and the Information Regulator conducted its own investigation. Serious information security deficiencies were found, and detailed feedback was given to the DOJ&CD in the form of an enforcement notice.
4. Compliance
An enforcement notice is a notice issued by the Information Regulator setting out the corrective action a responsible party must take to address weaknesses in its protection of personal information that amount to non-compliance with POPIA.
Section 95 of POPIA provides that, where the Information Regulator is satisfied that a responsible party has failed to comply with its obligations under POPIA, the Information Regulator may:
"(4.1) serve an enforcement notice on the responsible party requiring the responsible party to do either or both of the following:
(4.1.1) take specified steps within a period specified in the notice, or refrain from taking such steps; or
(4.1.2) stop processing personal information specified in the notice or stop processing personal information for a purpose or in a manner specified in the notice within a period specified in the notice."
A responsible party may either comply with an enforcement notice or appeal it to the High Court. Unless the responsible party is highly confident that the Information Regulator erred in issuing the notice, we consider it advisable to comply and implement the remedial action the Information Regulator has specified. Organisations must be aware that failing to comply with an enforcement notice is a serious offence that can result in imprisonment for up to ten years, a fine of up to R10 million, or both.
Following the enforcement notice issued in May 2023, the DOJ&CD had 31 days to comply with its terms. It failed to do so and was consequently issued with an infringement notice and an administrative fine of R5 million.
Not only did the department fail to secure data subjects' personal information; it also damaged its own reputation and finances by becoming the first institution sanctioned under POPIA. It had the opportunity to rectify the deficiencies identified by the Information Regulator, and chose not to.
5. Conclusion
The Information Regulator has demonstrated that it will act against failures to protect personal information. It is ironic that the first infringement notice and administrative fine were issued against the DOJ&CD, the department that ought to be at the forefront of understanding the need for legal compliance. Its failure should serve as a warning to organisations that are not POPIA compliant and do not take the protection of personal information seriously: act now, or risk becoming the next party sanctioned by the Information Regulator.
As the Information Regulator takes decisive action to enforce POPIA, organizations must heed the lessons learned from the Department of Justice and Constitutional Development case. Compliance with data protection laws is not merely a legal obligation but a fundamental aspect of ethical business conduct.
Let this case serve as a catalyst for proactive measures, fostering a culture of accountability and responsibility in safeguarding personal information. Reach out to us for more guidance on how best to ensure privacy rights are upheld, and data security is kept paramount.