The Information Regulator (IR) has found that the South African Police Service (SAPS) violated several provisions of the Protection of Personal Information Act (Popia) after the personal information of the women who were raped near Krugersdorp in July 2022 appeared on social media platforms.
The horrendous gang rape of eight women who were part of a group that was shooting a music video at an abandoned mine dump shocked the country.
The IR announced on 5 April that, based on a report of its Enforcement Committee, it found that the protection of the personal information of the victims (the data subjects) has been interfered with. It found that the SAPS, which was responsible for processing the women’s personal information, breached the conditions for the lawful processing of their personal information.
Furthermore, SAPS did not comply with the duty to notify the IR and the data subjects of the security compromise as prescribed in Popia.
“This finding means that the SAPS do not have the necessary safeguards in place, let alone safeguards established in legislation as intended by section 6(1)(c)(ii) of Popia,” said Ahmore Burger-Smidt, a director at Werksmans Attorneys.
The SAPS told the IR that it distributed the victims’ personal information on various WhatsApp groups to, among other things, alert the respective stations and units of the serious crime that happened in the West Rand District, Burger-Smidt said.
As a result, the WhatsApp message was leaked from its intended communication channels and was shared widely on various social media platforms, such as Facebook, which does not in any way relate to the purpose for which the personal information was collected, she said.
“This would then lead one to ask, since when is WhatsApp an official authorised police messenger service with unique user and security features? And if this is deemed as an official authorised communications channel, whether there are prescribed content and distribution protocols for specific communication channels?”
Violations of Popia
The IR found that the SAPS violated several provisions of Popia, namely that:
- By distributing the personal information of data subjects in a WhatsApp message, it processed such information unlawfully, unreasonably and in a manner that infringed their privacy and did so without the consent of the data subjects.
- The personal information of data subjects contained in the WhatsApp message was excessive and not relevant for the purpose for which it was distributed.
- The SAPS failed to take appropriate, reasonable, technical measures to prevent the unlawful accessing of personal information of data subjects as prescribed in Popia.
In its Enforcement Notice, the IR ordered the SAPS to:
- Formally notify the regulator and the data subjects of the security compromise of their personal information.
- Publish an apology to the data subjects for processing their personal information in a manner that breached the conditions for the lawful processing as stipulated in the Enforcement Notice. The apology must be published prominently in all major national weekly newspapers and on all social media platforms, such as Facebook and Twitter.
- Investigate the conduct of the SAPS members who were involved in the unlawful processing of the data subjects’ personal information on WhatsApp and, if necessary, take appropriate action against the members involved.
- Roll out training on Popia across the SAPS.
- Draft and implement a privacy policy.
Warning against sharing the leaked information
Burger-Smidt said although in this instance the “responsible party” that was found to be in breach of Popia was the SAPS, it is important to note that any member of the public who transmits, distributes, or makes available in any other form the personal information of the data subjects is guilty of perpetuating the breach that has occurred.
In other words, any person who shares or posts the personal details of the data subjects – such as their names, ages, and residential addresses – on any digital platform by email or SMS, social media, or physically, should be aware of Popia and the impact on the privacy of the data subjects.