The Information Regulator (IR) has fined the Department of Justice and Constitutional Development (DOJ) R5 million for failing to abide by an enforcement notice issued in May.
This is the first time the regulator has imposed a fine for non-compliance with the Protection of Personal Information Act (Popia). The fine is 50% of the maximum amount the regulator is permitted to issue as a penalty against a responsible party for Popia non-compliance.
The fine “is a stark reminder for companies and their board of directors that a failure to responsibly manage personal information and prevent security compromises may result in significant sanctions by the regulator”, says Clyde & Co, which specialises in insurance law.
“The regulator is actively monitoring Popia non-compliance and issuing fines as a result of failure to adhere to timelines to respond to enforcement notices. We expect more regulatory scrutiny and activity in the next 12 months,” it says.
As Moonstone reported on 18 May, the IR’s enforcement notice stemmed from a cyber-attack on the DOJ’s IT systems in September 2021. Hackers encrypted the department’s systems, preventing employees from accessing more than 1 204 files necessary for service delivery, which affected the functioning of the lower courts.
The IR’s website, which relied on the DOJ’s IT system, also went down, and its staff were unable to access emails for three days.
Popia requires organisations to secure the integrity and confidentiality of personal information in their possession or under their control. In other words, reasonable measures must be implemented both on an organisational (people) level and a technical (systems and processes) level to protect personal information.
An investigation by the IR found that the DOJ had not renewed the licence of its antivirus software, nor had it renewed the licences of the software designed to monitor the network for unusual activity and alert the department to suspicious behaviour. The licences expired in 2020, a year before the data breach occurred.
The IR issued the DOJ with an enforcement notice ordering the department to take various measures to improve its cybersecurity. These included submitting proof to the IR, within 31 days of receipt of the notice, that the three software licences had been renewed.
The DOJ was also told to institute disciplinary proceedings against the official/s who failed to renew the licences.
The IR said the DOJ would be guilty of an offence if it did not abide by the enforcement notice within the stipulated timeframe. This would empower the IR to impose a fine of up to R10m or to impose liability in the form of a fine or imprisonment on any of the responsible officials.
The DOJ had the right to appeal the enforcement notice in terms of section 97(1) of Popia.
The department neither complied with the enforcement notice nor appealed against it. Accordingly, the IR issued the fine of R5m.
The DOJ has 30 days to pay the fine, arrange to pay it in instalments, or elect to be tried in court on a charge of having committed the alleged offence.
In 2022, Justice and Correctional Services Minister Ronald Lamola told Parliament that the cyber-attack had been “debilitating” and said the department would improve its systems.
But the 2021 data breach was followed by another one in 2023 in which hackers stole R18m from the Guardians Fund, which falls under the Master of the High Court.
Warning to organisations
Organisations should note that a data breach is not in and of itself an offence in terms of Popia. Instead, it is the failure to have appropriate security measures in place to protect personal information that will be cause for concern, says Ahmore Burger-Smidt, the head of regulatory practice at Werksmans Attorneys.
When the IR points out to an organisation that it has fallen short from a data protection perspective and indicates where remedial action should be taken, and the organisation does not take such remedial action, a fine will most likely follow.
Accordingly, the IR’s fining of the DOJ should serve as a warning to all organisations to get their proverbial data protection house in order and, if required, abide by enforcement notices from the regulator, Burger-Smidt says.
Ironic.
It is impossible to fully comply with the POPI act.
Arguably the most ridiculous piece of legislation yet.
On that note, I wonder when the immigration act will cater for extra-terrestrials?
This fine is tantamount to the government fining itself. No actual implications for the treasury. The individuals concerned being sanctioned is the only reasonable recourse.
Yes! A fine is a punitive measure, so fining a government department is a joke. Who “feels” the “p” in punitive? NOBODY. It is just a flex so the government can LOOK like it is worried, but if it is worried, then why have our security services been reduced to an alley of clowns, meaning that the employees of accountable institutions are required to police our own national security with a flurry of crippling new legislations to try to fool the rest of world into thinking it is not corrupt to the core?
Actually, we have been fined, as the Department of Justice is funded by taxpayers.
Ja. What a farce.