Krugersdorp attack: a breach of POPIA

Nadine Mather reviews an alleged breach of victims' personal information in South Africa following an attack by armed men
In South Africa, the Information Regulator based in Johannesburg released a statement which declared it will pursue an assessment into an alleged violation of the Protection of Personal Information Act (POPIA) by figures of the South African Police Service (SAPS). This came after the release of sensitive personal details of the victims of an attack in Krugersdorp.
In late July, eight women were gang raped and robbed by a group of armed men, while shooting a music video at a mine dump in West Village near Krugersdorp. Soon after, the Information Regulator noticed a list of personal details of the victims had been leaked to the public. The Information Regulator has, therefore, opted to pursue and conduct a review of the SAPS’ measures to safeguard victims’ personal information, which could lead to further enforcement proceedings in South Africa.
As a result of this alleged breach, the victims’ personal details have become shared publicly and widely across multiple media platforms. The Information Regulator had subsequently issued a condemnation of this, describing it as an act of re-victimisation and a violation of the victims’ right to privacy and human dignity.
POPIA: key information
For the purposes of POPIA, ‘personal information’ is information relating to an identifiable, living natural person, and where applicable, an existing juristic person. It includes information relating to an individual’s race, gender or age, an individual’s health or sex life, and an individual’s name if it appears with other personal information.
POPIA regulates the processing (i.e. collection, dissemination, sharing etc.) of personal information. POPIA will not, however, apply to the processing of personal information by or on behalf of a public body (such as SAPS) for purposes of investigating or proving offences or for the prosecution of offenders. This is provided adequate safeguards have been established in legislation for the protection of such personal information. In this regard, the South African Police Service Act requires appropriate safeguards to be established and maintained in respect of, inter alia, databases containing fingerprints, body-prints and photographic images and DNA evidence.
In the absence of legislation providing for adequate safeguards in respect of the list of personal details of the victims, SAPS has an obligation to comply with the conditions for lawful processing under POPIA, including the obligation to implement appropriate and reasonable measures to secure the integrity and confidentiality of personal information it has in its possession and to prevent unlawful access to the personal information.
POPIA will also not apply to the processing of personal information solely done for the purpose of journalistic, literary or artistic expression, to the extent that it is necessary to, as a matter of public interest, reconcile the right to privacy with the right to freedom of expression. Accordingly, news agencies may publish stories relating to, for example, incidents of rape or crimes being committed, which stories may contain limited personal information.









