The Department of Justice & Constitutional Development’s failure to buy antivirus software, as ordered by the information regulator, has earned it a R5m fine — the highest penalty yet imposed for noncompliance with the Protection of Personal Information Act (Popia).
The department suffered a cyberattack in 2021 that resulted in the loss of more than 1,200 files, with encryption of internal documents and personal information being compromised. It forced the court recording systems offline, which led to postponements at lower courts.
It emerged that the department had not renewed its antivirus software, including its intrusion detection licence, that would have flagged suspicious activity by unauthorised people accessing the network. In response, the information regulator issued an enforcement order in May obliging the department to show it had taken remedial action.
The department had two alternatives when it received the order in May: either purchase antivirus software and start disciplinary action, or appeal against the order.
The regulator imposed the fine on Monday after the department failed to do either. This was despite a warning by the regulator that noncompliance with the enforcement order could lead to an administrative fine of up to R10m, or the imprisonment of the responsible officials.
So we finally, after quite a few years, actually see what appears to be one of the first actual fines imposed in South Africa for contravention of the POPI Act. This is very important for two reasons. Firstly, that the Act is seen to be enforced (to prevent others being so tardy), and secondly, that government departments themselves take the precautions that they should be taking with citizens’ private data. Government departments especially gather a lot of very private citizen information, including everything related to a person’s identity.
Yes, it is ironical that this happened with the Department of Justice and Constitutional Development themselves, but this also illustrates the “tardiness” on the side of government, who probably expected that the Act would mainly be focussing on private companies.
Citizens are already becoming very cautious about parting with their private information, and I predicted last month that we are going to see lots of POPI Act issues around the fact that every small charitable donation now requires those small charities to collect all sorts of private information for tax deduction purposes. Such small non-profits are woefully underskilled and underfunded to protect that information.