ARTICLE
14 June 2026

Information Regulator’s First Enforcement Notice For 2026

ENS

Contributor

ENS is an independent law firm with over 200 years of experience. The firm has over 600 practitioners in 14 offices on the continent, in Ghana, Mauritius, Namibia, Rwanda, South Africa, Tanzania and Uganda.
South Africa's Information Regulator has issued an enforcement notice against Central Johannesburg TVET College for multiple violations of the Protection of Personal Information Act (POPIA), including failure to register...
Rakhee Dullabh’s articles from ENS are most popular:
  • within Privacy topic(s)
  • in Africa

The Information Regulator of South Africa published its enforcement notice against the Central Johannesburg TVET College (responsible party) on 20 May 2026. In its findings, the Enforcement Committee determined that the responsible party had interfered with the protection of personal information of data subjects in that (i) it had breached the conditions for lawful processing of personal information, and (ii) it had failed to comply with its obligations under the Protection of Personal Information Act, 2013 (POPIA) to notify security compromises as required in terms of section 22.

Specifically, the findings include that:

  • the responsible party has failed to register its Information Officer with the Information Regulator and designate deputy information officers and register them with the Information Regulator;
  • the responsible party has contravened section 15(1) of POPIA and that further processing of personal information of employees was not compatible with the purpose for which such personal information was collected;
  • the responsible party has failed to implement organisational measures to prevent unlawful access to or processing of personal information as required by section 19 of POPIA; and
  • the responsible party has failed to report a security compromise to the Information Regulator and affected data subjects and has therefore violated section 22(1) of POPIA.

Based on these findings the Information Regulator has recommended that the responsible party take the following actions:

  • register its Information Officer and provide proof of registration within 31 days;
  • designate and register its deputy information officers and provide proof of registration within 31 days;
  • notify the affected data subjects of the security compromise and provide proof of notification within 31 days;
  • submit a written apology to the affected data subjects regarding the responsible party’s breach of the conditions of processing of personal information by it, which must be sent via email and published through all other communication channels used by the responsible party. Proof of the written apology must be provided within 31 days;
  • take appropriate action against the employee whose actions had resulted in the unlawful sharing of personal information within 60 days;
  • submit its POPIA Compliance Framework to the Information Regulator within 31 days, which framework should include a Privacy Policy, a Retention Policy and Schedule, an Incident Response Policy and an Information Privacy and Security Policy; alternatively, where no POPIA Compliance Framework has been developed, develop same and submit a copy within 120 days; and
  • conduct internal public awareness and training programmes on POPIA for all the employees and provide copies of these programmes with proof that they have been conducted within 90 days.

Key learnings from this enforcement notice

  • The processing condition of accountability under section 8 of POPIA requires that Information Officers and deputy information officers be registered with the Information Regulator on the eServices Portal.
  • Where personal information is disclosed without a lawful basis for processing such personal information, or where the disclosure is incompatible with the original purpose of collection, this will amount to the unlawful disclosure of such personal information, even where it was disclosed in error or by mistake.
  • Legitimate purpose and public interest are not lawful grounds of justification to further process personal information in terms of section 15(3) of POPIA.
  • Organisational measures that demonstrate that a responsible party has taken steps to secure the integrity and confidentiality of personal information include establishing policies, procedures and frameworks, implementing access controls to personal information records, training employees, segregating records which contain personal information, and registering an Information Officer.
  • The reasons why a security compromise occurs (such as a mistake) do not invalidate the impact of a security compromise, and notification is still required to be made in accordance with section 22 of POPIA.
  • Consent to process personal information under section 11 is not required where another lawful ground for processing exists.

Organisations that process personal information in South Africa should ensure that their processing activities comply with POPIA. To the extent that you may have implemented your compliance framework a few years ago, it might be time to review and evaluate whether your current compliance is effective and robust.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
