/ 4 July 2023

Information regulator fines justice department R5 million

Ed 443597
Justice Minister Ronald Lamola. (Brenton Geach/Gallo Images and Phill Magakoe/ Gallo Images)

The information regulator has fined the department of justice and constitutional development affairs R5 million for failure to comply with the Protection of Personal Information Act (Popia) after it flouted an order to renew licences for antivirus software.

The regulator’s office confirmed that this is the first fine it has issued since its powers came into effect two years ago.

It said it served an enforcement notice on the department on May 9 after finding that it was in contravention of several sections of the Act, which imposes minimum standards for collecting and sharing personal information.

“The enforcement notice had required the [department] to submit proof to the regulator within thirty-one (31) days of receipt of the notice that the Trend antivirus licence, the SIEM [security information and event management] licence and the Intrusion Detection System licence have been renewed,” the regulator said.

“It also required the department to institute disciplinary proceedings against the official/s who failed to renew the licences, which are necessary to safeguard the department against security compromises.”

The notice cautioned that should the department fail to comply by 9 June, it risked being fined up to R10 million.

The regulator never received a response from the department.

“To date, the department has not provided the regulator with a report on implementation of the actions required in the enforcement notice or any other communication in that regard.”

It noted that the department had a right to appeal the enforcement notice in terms of section 97(1) of the Act, but did not do so either.

“Given this lack of compliance with the enforcement notice, the regulator has made a determination that the department has failed to comply with the enforcement notice served to it in terms of Popia. Accordingly, the regulator has issued an administrative fine of R5 million to the department for failure to comply with the enforcement notice.”

The department suffered a calamitous ransomware attack in September 2021 in which documents containing personal information were compromised and a wealth of files lost. It disrupted the functioning of courts as well as all electronic services offered by the department, as employees could not access information systems.

Justice Minister Ronald Lamola subsequently undertook the safety of the department’s digital infrastructure. 

In 2020, hackers stole R10 000 from the Guardian’s Fund account at the Pietermaritzburg office of the master of the court. 

It was reported last month that the Guardian’s Fund — which was created to receive and manage money on behalf of people who are legally incapable or do nor have the capacity to manage their own affairs — has again been targeted by cyber thieves, with the losses totalling R18 million this time.