News

The Information Regulator shouldn’t be waiting to release updates on investigations

Brendyn Lotz

22nd March 2024

The Information Regulator will be providing updates into investigations regarding various POPIA and PAIA complaints next week.
This briefing will touch on “new” investigations of the CIPC, Vumacam and the SAPS.
While the updates are welcome, these updates should be made available as soon as possible and not held onto for an event.

Next week Tuesday, the Information Regulator, which is tasked with enforcing the Protection of Personal Information Act (POPIA) will be hosting a briefing in Johannesburg.

Normally we wouldn’t report on this until the briefing happens but there is one point on the agenda that strikes us as an odd inclusion.

“The briefing will also include updates on the Regulator’s investigation of complaints and assessments on POPIA. These include updates on compliance by Dischem, the South African Police Service (SAPS) and the Department of Basic Education. The briefing will also cover new investigations involving the Companies and Intellectual Property Commission (CIPC), Vumacam (regarding the use of CCTVs and public surveillance) and a new investigation into SAPS,” reads an invitation.

The mention of the CIPC hack is what raised our eyebrows here in the Hypertext office. That breach has been public knowledge since 29th February and we’d hoped that the Information Regulator would provide a more timely update. While we are receiving an update, that will seemingly only happen on Tuesday

The mention of Vumacam was also odd as we haven’t heard news of a new incident involving the CCTV firm. That was until we remembered that the organisation was hit by a ransomware attack in March 2023. If the Information Regulator only provides an update about this incident a year after it happened, that is incredibly concerning.

As the enforcer of POPIA, it behoves the Regulator to help citizens safeguard their data and privacy. The best way to do that is to be informed. Citizens shouldn’t need to wait months to know if their data has been stolen and they are at risk. Furthermore, this information should be made public as soon as it is ready and not held onto for the purpose of posturing.

As concerning as this slowness is, it isn’t surprising. Since its inception, the Information Regulator has operated at a snail’s pace when it comes to enforcing POPIA. With that having been said, its rapid response to an IEC breach earlier this month bodes well for the future, if that vigour is maintained.

The Regulator will also use the event to provide updates regarding a number of Promotion of Access to Information Act (PAIA) complaints it has received and compliance assessments conducted on political parties, national and provincial government departments and JSE-listed companies.

“There will be an update regarding the implementation of the enforcement notice issued against Risa Audio Visual Licensing NPC, relating to the payment of royalties in the music industry,” the regulator added.

We’re hoping that Tuesday’s event is an exception and not the rule for how the Regulator intends to update South Africans about investigations into POPIA and PAIA complaints. It’s simply not efficient nor sustainable.

About Author

Brendyn Lotz

Brendyn Lotz writes news, reviews, and opinion pieces for Hypertext. His interests include SMEs, innovation on the African continent, cybersecurity, blockchain, games, geek culture and YouTube.