- The Information Regulator is assessing whether the SAPS complied with its recommendations after officers breached the Protection of Personal Information Act early this year.
- Last year, the personal information of the victims of a gang rape was shared on WhatsApp and made its way to Facebook.
- The time for the SAPS to make submissions on the actions taken in line with the regulator's recommendations has expired.
- For more stories, visit the Tech and Trends homepage.
The Information Regulator is assessing whether the SA Police Service (SAPS) has complied with several recommendations that followed an incident where officers leaked the personal information of Krugersdorp gang-rape victims on WhatsApp last year.
In April, the Information Regulator issued an enforcement notice to the SAPS after it found that officers violated multiple sections of the Protection of Personal Information Act (Popia) when they shared personal information of the victims of gang rape – including their names, ages, home addresses and ID numbers – on a WhatsApp group. This information made its way to other groups before reaching Facebook.
The regulator found that the SAPS "processed the personal information of the data subjects unlawfully and unreasonably in a manner that infringed their privacy" and issued an enforcement order with recommendations including the SAPS must publicly apologise for the leak within 31 days of the order being granted.
In May, national police commissioner General Fannie Masemola said in a statement: "The SAPS regrets the disclosure of such personal information and apologises to the victims of the dreadful crimes for the information breach and the hardship caused as a result."
READ| Krugersdorp gang rapes: SAPS apologises for leaking personal information of victims
The enforcement order also required the SAPS to submit a report about the incident to the Information Regulator within 90 days; to take action against the officers involved in the matter and to detail measures that would be taken to ensure that a similar incident does not occur in the future; and to ensure that all of its training programmes included POPIA training within 120 days.
Now, 150 days after the order was issued, Nomzamo Zondi, the senior manager for communications and media at the Information Regulator, said that the regulator was assessing whether the order had been wholly complied with.
"The 120 days for the implementation of recommendations in the enforcement notice have lapsed and we are processing if they [the SAPS] have adhered fully to the orders, such as taking disciplinary action against those implicated and conducting POPIA training
"We are following due process in evaluating the implementation and thereof we will indicate the outcome and the action," Zondi said.
History of Information Regulator
The Information Regulator is a relatively new body in South Africa. It was created to monitor and enforce compliance with the POPIA.
In early June, it submitted its first infringement order to the Department of Justice for failing to provide evidence that it had improved its cybersecurity systems following a data breach.
The regulator slapped the department with a R5 million fine following its failure to submit proof of compliance with the enforcement order.
READ MORE | Landmark Information Regulator fine sets the tone for SA data protection