Krugersdorp attack: a breach of POPIA

In South Africa, the Information Regulator based in Johannesburg released a statement which declared it will pursue an assessment into an alleged violation of the Protection of Personal Information Act (POPIA) by figures of the South African Police Service (SAPS). This came after the release of sensitive personal details of the victims of an attack in Krugersdorp.

In late July, eight women were gang raped and robbed by a group of armed men, while shooting a music video at a mine dump in West Village near Krugersdorp. Soon after, the Information Regulator noticed a list of personal details of the victims had been leaked to the public. The Information Regulator has, therefore, opted to pursue and conduct a review of the SAPS’ measures to safeguard victims’ personal information, which could lead to further enforcement proceedings in South Africa.

As a result of this alleged breach, the victims’ personal details have become shared publicly and widely across multiple media platforms. The Information Regulator had subsequently issued a condemnation of this, describing it as an act of re-victimisation and a violation of the victims’ right to privacy and human dignity.

POPIA: key information

For the purposes of POPIA, ‘personal information’ is information relating to an identifiable, living natural person, and where applicable, an existing juristic person. It includes information relating to an individual’s race, gender or age, an individual’s health or sex life, and an individual’s name if it appears with other personal information.

POPIA regulates the processing (i.e. collection, dissemination, sharing etc.) of personal information. POPIA will not, however, apply to the processing of personal information by or on behalf of a public body (such as SAPS) for purposes of investigating or proving offences or for the prosecution of offenders. This is provided adequate safeguards have been established in legislation for the protection of such personal information. In this regard, the South African Police Service Act requires appropriate safeguards to be established and maintained in respect of, inter alia, databases containing fingerprints, body-prints and photographic images and DNA evidence.

In the absence of legislation providing for adequate safeguards in respect of the list of personal details of the victims, SAPS has an obligation to comply with the conditions for lawful processing under POPIA, including the obligation to implement appropriate and reasonable measures to secure the integrity and confidentiality of personal information it has in its possession and to prevent unlawful access to the personal information.

POPIA will also not apply to the processing of personal information solely done for the purpose of journalistic, literary or artistic expression, to the extent that it is necessary to, as a matter of public interest, reconcile the right to privacy with the right to freedom of expression. Accordingly, news agencies may publish stories relating to, for example, incidents of rape or crimes being committed, which stories may contain limited personal information.

Victims’ rights

In terms of POPIA, the victims have the right to have their personal information processed in accordance with the provisions of POPIA. This includes the right to be notified when their personal information has been accessed or acquired by an unauthorised person (such as where the list of their personal details is being shared by persons on various media platforms).

As a result of an alleged breach of these rights, the victims may submit a complaint to the Information Regulator or institute civil proceedings for damages against SAPS regarding the alleged interference with their personal information. The Information Regulator may also, on its own accord, conduct an assessment or investigation relating to an alleged breach of the provisions of POPIA.

Following the assessment in the present matter, the Information Regulator will be required to issue a report to SAPS on the result of the assessment and any recommendations, which report will be deemed to be equivalent to an enforcement notice. In addition, any persons distributing the list of personal details on media platforms may similarly be subject to enforcement proceedings by the Information Regulator. A failure to comply may result in punitive action, including the imposition of fines and/or imprisonment.

Nadine Mather is a partner at Bowmans South Africa bowmanslaw.com