• The Information Regulator has noted the IEC’s notice that information was shared without its authorisation.
• However, the Information Regulator has noted that the information provided by the IEC didn’t have sufficient details.
• While a fine may be bad news for the IEC, the reputational damage the Commission would suffer may negatively affect elections later this year.

At the weekend candidate lists from both the ANC and uMkhonto weSizwe Party (MK Party) were circulated online. These lists were obtained and shared without authorisation raising eyebrows about security at the Independent Electoral Commission (IEC) which said the lists were grabbed from its internal systems.

On Monday, the Information Regulator which is mandated to hold entities accountable to the Protection of Personal Information Act (POPIA) acknowledged receipt of IEC’s notice that its data was being shared without its authorisation.

However, the Regulator went on to say that the information provided by the IEC didn’t have sufficient details about the incident.

According to the Regulator, the following information is required as per POPIA:

1. Regarding the compromise of ANC candidate details –
   • Proof that the IEC has published the security compromise notice on its website
2. Regarding the compromise of candidates of the MK party
   • proof of written notification to the MK party of the compromise
   • confirmation of the number of data subjects compromised
3. Regarding both parties
   • provision of sufficient information to allow the data subjects to take protective measures against the potential consequences of the compromise
4. Details as to how the unauthorised person accessed the personal information of data subjects, and
5. Details as to the technical and organisation measures that the IEC has implemented to mitigate against the risk of the affected data subjects’ personal information being unlawfully accessed and/or unlawfully processed.

This information is required to determine whether the IEC met its obligations to protect its data subjects as a responsible party under POPIA.

While a fine would be problematic for the IEC, the reputational damage to the Commission so close to the elections in May would surely be far worse for it. As the custodian of elections, South Africans expect a high level of security from the IEC and a leak of important data will surely make citizens doubt the measures that the IEC has in place to assure the integrity of the elections.

We’re happy to see the Information Regulator springing into action so quickly but we hope that its investigation yields fruit that forces the IEC to improve its security. While a candidate list may not be vital information, the fact that confidential information was leaked from the Commission is incredibly concerning.

[Image – Alexa from Pixabay]