In today’s hyper-connected world, local governments aren’t just responsible for water, roads and waste — they are also custodians of our most personal and sensitive data. As South Africa steadily digitises its service delivery platforms, municipalities have become major collectors and processors of residents’ information. From housing applications to prepaid electricity registrations, personal data flows through local government systems every day.
The passing and enforcement of the Protection of Personal Information Act (Popia) was supposed to place guardrails on this process — setting clear rules on how data should be collected, stored, used and secured. Popia, fully enforceable since July 2021, promises to give effect to the constitutional right to privacy under section 14 of the Bill of Rights. But more than two years later, one urgent question remains — are South African municipalities actually ready to implement Popia and protect the personal data of their residents?
Popia applies to all public and private bodies — including municipalities. It requires responsible parties to collect only the data they need, use it only for the purpose stated and take reasonable steps to protect it from unauthorised access.
Crucially, it also obliges them to report data breaches to the Information Regulator of South Africa and notify affected individuals. Municipalities must appoint Information Officers, develop Promotion of Access to Information Act manuals, register their data processing activities and ensure secure systems and practices. But many have yet to meet even the most basic of these requirements.
The Information Regulator’s 2022 annual report noted that compliance across the public sector remains patchy. Many municipalities failed to register their information officers or submit the required documentation. There is limited evidence of breach reporting and public awareness campaigns are virtually absent at the local government level.
The auditor general’s 2022-23 Municipal Finance Management Act report further underscores the problem. In that reporting year, only 38 out of 257 municipalities received clean audits. A major reason for poor audit outcomes? Weak internal controls — including ICT systems and information management. These are the same systems meant to protect your data.
More alarmingly, the auditor general notes that many municipalities had “no credible IT governance structures”, leaving them vulnerable to both internal and external breaches. This poses a direct risk to compliance with Popia’s security safeguards clause (section 19), which mandates entities to secure data against loss, damage and unauthorised access.
The consequences are not abstract. In 2021, the City of Johannesburg fell victim to a ransomware attack that paralysed systems and compromised resident data. In September 2023, the KwaDukuza local municipality in KwaZulu-Natal suffered a major cyberattack in which hackers encrypted the municipality’s data and demanded a R2 million ransom. The breach brought the municipality’s billing and service systems to a standstill, affecting residents’ ability to access statements, make payments and query accounts.
In both cases, communication to affected parties was limited and neither municipality has provided clarity on their data protection protocols or compliance reviews.
These are not isolated incidents. A 2022 cybersecurity report by Mimecast found that South African municipalities are among the most targeted local government structures in the region, especially as more services go digital without concurrent improvements in security.
Municipalities are not just under cyber threat — they are under governance threat. A 2023 report by Corruption Watch documented more than 5 000 whistleblower reports linked to municipal corruption and mismanagement. In many of these cases, citizen data was either manipulated or accessed inappropriately.
In one notable example, personal information submitted for food parcel relief during the Covid-19 lockdown in Buffalo City was allegedly used for partisan mobilisation in ward elections — a blatant violation of Popia’s purpose limitation principle. This misuse of data is often enabled by a lack of internal policies, poor record-keeping and outsourcing arrangements with third-party service providers who are not subject to municipal oversight.
The Local Government Handbook 2023 lists 66 municipalities as under administration or in serious financial distress. In such environments, Popia compliance is understandably not the top priority — but it should be. This is because poor data governance is not just a legal risk — it’s a threat to democratic participation, human dignity and service delivery.
To be Popia-ready, municipalities need a dedicated information officer trained in privacy compliance; an up-to-date Promotion of Access to Information Act manual available to the public; internal records of data processing activities; regular staff training on personal information handling; secure information and communication technology infrastructure with role-based access controls; and clear protocols for breach notification, impact assessments and data subject requests. Few municipalities have all (or any) of these.
A recent South African Local Government Association submission to parliament admitted that only 28% of municipalities had implemented minimum Popia compliance requirements by mid-2023. And even fewer had conducted a data mapping exercise — a first step in knowing what information is collected, where it is stored and who can access it.
The Information Regulator has been proactive, within its means — issuing enforcement notices, conducting awareness sessions and launching registration portals for information officers. But with fewer than 200 staff, it cannot monitor more than 200 municipalities in real time.
In 2023, it prioritised meetings with metros and provincial departments, but local municipalities — especially rural and under-resourced ones — have largely been left to self-regulate. The regulator’s enforcement powers under section 92 of Popia allow it to impose administrative fines of up to R10 million — but only after investigations. To date, no municipality has been fined for non-compliance. The real pressure will probably come from citizens themselves — if they are aware of their rights.
Part of readiness is public education. Citizens must be informed that they have rights under Popia, including the right to request access to personal data held by a municipality; the right to request correction or deletion of inaccurate data; the right to object to certain types of processing; and the right to be notified of data breaches that affect them.
Municipalities must develop user-friendly systems to enable these rights — not just legal notices buried on websites, but walk-in help desks, call centre scripts and translated materials. They must also report transparently on how data is used in service delivery — from digital billing systems to smart meter rollouts.
There are five actionable steps municipalities can take to improve Popia readiness: prioritise appointment and training of information officers in every ward office; integrate Popia into municipal governance frameworks, including supply-chain management, human resources and monitoring and evaluation; audit current ICT infrastructure for vulnerabilities and align with Popia’s section 19 safeguards; partner with academic institutions and digital rights NGOs to build capacity and monitor compliance; and publish annual privacy reports detailing data collected, requests processed, breaches encountered and corrective measures taken.
Popia is more than a compliance checklist; it is a tool for restoring trust in governance. People deserve to know that the information they share with their municipality will not be leaked, sold, weaponised or forgotten in unsecured folders.
If municipalities want to modernise and lead in digital transformation, they must also commit to digital responsibility. Being Popia-ready isn’t just about avoiding fines; it’s about recognising that privacy, dignity and service delivery are fundamentally linked. As we look to build smart cities and more efficient service platforms, let’s make sure our municipalities are not only digitally capable — but also ethically prepared.
Dr Lesedi Senamele Matlala is a public policy and digital governance lecturer at the University of Johannesburg, at the School of Public Management, Governance and Public Policy.