In September 2021, the Department of Justice and Constitutional Development (the DoJ) suffered a cyberattack that resulted in the loss of over 1 200 files, the encryption of internal documents and the compromise of personal information. Following an assessment of the DoJ’s systems, the Information Regulator of South Africa (Information Regulator) concluded that the DoJ had failed to put adequate security measures in place to monitor, detect and prevent data breaches. Specifically, the DoJ had failed to renew its Security Incident and Event Monitoring (SIEM) Licence and antivirus licence since 2020. The Information Regulator issued an Enforcement Notice to the DoJ.
The Enforcement Notice
In terms of the Enforcement Notice, the Information Regulator ordered the DoJ to:
(i) renew its SIEM and antivirus licences; and
(ii) institute disciplinary proceedings against the officials who failed to renew the SIEM and antivirus licences.
The DoJ was given 31 days to implement the order of the Enforcement Notice. The 31 days expired on 9 June 2023, without the Information Regulator receiving any report on the implementation of this order.
The Infringement Notice
On 3 July 2023, for the first time since it was established, the Information Regulator issued an Infringement Notice to the DoJ, finding that it had contravened the Protection of Personal Information Act 4 of 2013 (POPIA) and ordering it to pay a fine of ZAR 5 million (the maximum fine for contravention of POPIA is ZAR 10 million).
The Information regulator has given the DoJ 30 days from 3 July 2023 to pay the administrative fine or elect to be tried in court for contravention of POPIA.
This latest development demonstrates a clear intention by the Information Regulator to enforce POPIA. We anticipate the Information Regulator will issue more fines for non-compliance in the future.