- The Information Regulatory Authority issued its first notice of breach to the Ministry of Justice and Constitutional Development this week.
- This is a historic moment for data protection in South Africa, as further action by the regulator is expected.
- The regulator ensures that the organizations implement adequate safeguards when processing personal information.
After 10 years of building its capacity, the Information Regulatory Authority this week issued its first Notice of Infringement against the Department of Justice and Constitutional Development after it failed to comply with an enforcement notice requiring it to strengthen cybersecurity programs following a 2021 data breach.
This historic moment of data privacy enforcement in South Africa may be a sign of things to come.
The information regulator is the body responsible for enforcing the provisions of the Personal Information Protection Act (Popia), which was signed into law in 2013.
The regulator was formally created three years later in 2016, but was only given the power to issue enforcement and infringement notices to organizations two years ago.
An enforcement notice is a legal document that states when action will need to be taken to fix the breach, in this case the data breach.
A notice of infringement is issued by a regulatory body that sets out the details of the alleged infringement, in this case an enforcement notice, and determines the penalty.
On Monday, the Information Regulatory Authority issued its first notice of infringement when it imposed a 5 million rand fine on the department.
An enforcement notice was issued to the department on May 9, requiring it, among other things, to renew antivirus licences that expired in 2020 and to take disciplinary action against the employees responsible for renewing the software.
“These licenses did not protect their systems, which is why they were hacked,” said Nomzamo Zondi, senior director of communications and media at the information regulator.
The regulator says this resulted in the loss of 1204 files from the circuit system.
The department had the opportunity to appeal the infringement order, but did not.
It also had to fulfil the requirements of the notice within 31 days; by July 3 the regulator had received no response, and a fine was then imposed on the department.
The ministry told News24 that it is considering its options and will not comment at this time.
On the regulator’s first infringement notice and what it means for the future of South Africa’s information regulatory landscape, Zondi said: “A lot is being tested.”
More is coming
Nadine Mather, a partner at Bowmans SA and a data privacy law expert, said she expects more enforcement notices from the information regulator.
“It took a while for the regulator to take off,” she said, but there was a similar wait with the GDPR, the European data protection rules, and now there are cases almost every week.
This prediction was echoed by Mercia Fynn, Chief Commercial Officer at Kish IP, an intellectual property law firm.
Fynn said more enforcement from the information regulator would send the message that implementing adequate data protection systems “cannot be ignored” by organizations.
When to act
Mather said the information regulator can only issue an enforcement notice when it can be shown that an organization, whether public or private, has not put in place adequate protections for personal information.
“Under Popia, you are required to put in place appropriate and reasonable technical and organizational measures to secure your personal information and prevent it from loss, damage, destruction, or unauthorized access.”
So whether personal data is lost and cannot be recovered or is leaked publicly, Popia applies, according to Mather.
Zondi says the information regulator is interested in whether “appropriate safeguards” have been put in place by an organization when processing personal information, and can issue an enforcement order if those safeguards are not applied.
“As the regulator, if there has been a security breach and we conduct an investigation and find there was negligence in terms of identifying risks, mitigating risks and putting in place measures to ensure reasonable safeguards are in place for personal information, we can enforce that enforcement notice.”
The information regulator does not distinguish between the adequate safeguards required from private and public organizations, according to Zondi.
Fynn says the infringing parties have the right to appeal the notice of enforcement.
Ad hoc or principled regulation?
Zondi says what constitutes a reasonable safeguard depends on the organization and the nature of the data being processed.
“We can’t really describe what it will be because every organization handles personal information differently. Even different types of personal information and size matters,” she said.
Fynn said the department’s case doesn’t necessarily provide a model for how the information regulator might work in the future.
“I think it has to be on a case-by-case basis. I don’t think that means the information regulator can now just say what actions need to be taken,” she said.
She added that the procedures that the information regulator orders the organization to put in place must take into account what the organization could reasonably bear.
Craig Pederson, forensic investigator, cybercrime expert and director at TCG Forensics, said that there must be principles and rules that the information regulator abides by.
“At the end of the day, we need to see the regulator’s teeth,” Pederson said, “but they must set principles, establish specific practices and [its notices] reflect the intensity [of infringements].”
He said a cautious approach was required from the information regulator.
In the department’s case, the regulator required it to renew certain antivirus software licenses to comply with the enforcement notice, which Pederson said could set a dangerous precedent.
He said that which software an organization runs, and which it does not, “is not within the competence of the regulator”, as it is an operational and commercial decision.
He said the threat of action by the information regulator could be used by antivirus software providers to pressure organizations to renew their licenses.
Running strong antivirus software is best practice for an organization, Pederson said, but it was not clear in the DOJ case whether the information regulator had the right to enforce the standard of antivirus software the department was required to use.
“The implication here is broader… what next? Would the regulator want to visit all the companies across the country and decide what software they need to buy and when?” he asked.