Industries

All industriesAgricultureAutomotiveConstruction & EngineeringEducationEnergy & MiningEntrepreneurshipESG & SustainabilityFinanceHealthcareHR & ManagementICTLegalLifestyleLogistics & TransportManufacturingMarketing & MediaPropertyRetailTourism & Travel

Features

BizTrendsPendoringIMC ConferenceLoeriesWomen's MonthCannes LionsOrchids and Onions#StartupStoryMore Sections..

News

Industries

Companies

Jobs

Events

People

Video

Audio

Galleries

My Biz

Submit content

My Account

Advertise

Cyber Law News South Africa

Subscribe

Trending

2 days 7 days 30 days By Industry

Elections 2024

Bantu Holimisa talks about the fragility of the ANC

Bantu Holimisa talks about the fragility of the ANC

sona.co.za

Advertise your job ad
    Submit a job ad >>
    Search jobs

    #SAelections24: Leaked IEC candidates list - being the 'responsible party' under PoPIA

    By Jodi Poswelletski and Keitumetse Khutsoane
    3 May 2024
    3 May 2024
    The Independent Electoral Commission (IEC) is an independent constitutional body that plays the role of an impartial ‘referee’ during election season in South Africa, to ensure that the sanctity of such elections is upheld and maintained.
    Image source: photonphoto –
    Image source: photonphoto – 123RF.com

    Ahead of the much-anticipated election date of 29 May 2024, tensions have been at an all-time high in the political sphere. In a media statement dated 11 March 2024, the Information Regulator confirmed the receipt of two notifications from the IEC pertaining to a security compromise that “saw the unlawful release of candidate lists for the African National Congress (ANC) and Umkhonto we Sizwe Party (MK) for the 2024 elections.”

    Prior to the release of the aforementioned media statement, the security compromise may have prima facie appeared to lie solely within the political spectrum – since it pertains to the upcoming national elections. However, with the Information Regulator’s association therewith, the legal lens of such security compromise is brought into focus - drawing attention to the often subtle but ever-present intersections between law and politics.

    Understanding the intersection

    In accordance with paragraph 18 of the IEC schedule, the candidate lists of each respective political party were scheduled for release to the public on 10 April 2024 - following the completion of the relevant vetting practices by the IEC.

    However, it was just hours after the political parties made their final candidate list submissions to the IEC on 8 March 2024, that the ANC and MK parties’ lists were leaked on social media.

    Since this leak compromised the security of the personal information of the data subjects in the ANC and MK, the IEC – as the ‘responsible party’ for the processing of such personal information – was mandated by section 22(a) of the Protection of Personal Information Act 4 of 2013 (PoPIA) to act accordingly.

    Image source: Jakub Jirsak –
    PoPIA, PAIA online portals go live

    5 Sep 2022

    This section provides that “where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorized person, the responsible party must notify the Regulator.”

    For further context, a ‘responsible party’ is defined in PoPIA as “a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing information.”

    As such, by reporting this security compromise to the Information Regulator, the IEC identified itself as a ‘responsible party’, and therefore attached all the obligations thereof to itself.

    The Information Regulator reported further in the aforementioned media statement that it issued the IEC with an information notice requesting further particulars about the security compromise, in order to determine whether the IEC has “met its obligations as a responsible party under PoPIA”.

    The information sought will - according to Advocate Pansy Tlakula in a Newzroom Afrika broadcast of 11 March 2024 - allow the Information Regulator to conduct an enquiry into whether the IEC has taken the “appropriate, reasonable, technical and organisational measures (in terms of section 19 of PoPIA) to secure the integrity and confidentiality of the personal information in their possession.”

    The further particulars from the IEC should include inter alia, the consequences of such security compromise as well as the measures that the IEC have and/or intend to take to address the security compromise. To this end, the IEC conducted an internal investigation which revealed the identity of the employee responsible for leak and such employee was dismissed by the IEC.

    Understanding the IEC’s obligations under PoPIA

    Chapter 3 of PoPIA provides eight conditions for the lawful processing of personal information by or for a ‘responsible party’, and it is expected that the Information Regulator will conduct their enquiry of the security compromise against these provisions. The eight conditions are as follows:

    1. Accountability – responsible parties are to ensure compliance with the principles in Chapter 3 of PoPIA in relation to these conditions for lawful processing. [section 8]

    2. Processing limitation – personal information must be processed lawfully and reasonably, and to the extent that it is necessary. Additionally, personal information must be collected directly from the data subject and processed only with the data subject’s consent. [sections 9 to 12]

    3. Purpose specification – personal information must be collected for a specific and explicitly defined purpose and retained only for as long as necessary for such purpose. [sections 13 and 14]

    4. Further processing limitation - further processing of personal information must be compatible with the purpose for which it was collected in terms of section 13. [section 15]

    5. Information quality – responsible parties must take reasonably practicable steps must be taken to ensure personal information is complete, accurate, not misleading, and updated [section 16]

    6. Openness - responsible parties must maintain documentation of all processing operations in terms of the Promotion of Access to Information Act (PAIA) and keep data subjects notified of all processing activities of their personal information. [sections 17 and 18]

    7. Security safeguards – responsible parties must secure the integrity and confidentiality of the personal information in their possession and notify data subjects of any breaches. [sections 19 to 22]

    8. Data subject participation – responsible parties must allow data subjects to make corrections or deletions to the personal information collected and provide them with access to their personal information as per PAIA. [sections 23 to 25]

    Image source: © iqoncept –
    Inside the Information Regulator's PAIA manual

    23 Nov 2021

    Closing remarks

    The security compromise has been described by political analyst, Dr Ebrahim Harvey, as an “undesirable situation that does not inspire confidence [in the elections]”.

    However, Tlakula holds strong confidence in the IEC’s credibility and “ability to manage a free and fair election” In an SABC broadcast that aired on 21 March 2024, Tlakuka commends the IEC for their “systems” that are “not only robust [but] are also transparent.”

    The steps taken by the IEC and Information Regulator following the security compromise of 8 March 2024 are reflective of both parties’ determination to realise PoPIA’s purpose, which such purpose is “to give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party...”.

    Parties who are involved in the processing of personal information activities are cautioned to understand their obligations under PoPIA, and to take the necessary steps to ensure compliance thereof. The results of the Information Regulator’s enquiry into the security compromise could set the tone for responsible parties’ obligations moving forward.

    Read more: Independent Electoral Commission, IEC, security breach, POPIA, POPIA compliance, POPIA regulations, Information Regulator
    NextOptions

    About Jodi Poswelletski and Keitumetse Khutsoane

    Jodi Poswelletski – Director in the Corporate and Commercial Litigation Department (Fairbridges Wertheim Becker) Keitumetse Khutsoane – Candidate Attorney in the Corporate and Commercial Litigation Department

    Related

    Source: © Benoni City Times Spending in preparation for the upcoming elections could have had a positive impact on economic activity in April
    Load shedding suspension and upcoming elections see ‘positive mood’ in economic activity
    8 May 2024
    Google has built up election experience from its global operations
    #SAelections24: Google steps up to safeguard voters
    2 May 2024
    Image supplied. TikTok has announced several initiatives with the local electoral commission and civil society organisations to combat misinformation
    #SAelections24: Initiatives to fight misinformation, provide access to reliable information launched
    26 Apr 2024
    Source: © 123rf Applications for accreditation for national and provincial Results Operations Centres (ROCs) have opened
    #SAelections24: Media accreditation for all Results Operation Centres
    24 Apr 2024
    Image source: Comaniciu Dan –
    PoPIA's telemarketing loophole: Can it be closed?
     14 Mar 2024
    Source:
    Icasa revises political advertisement regulations for upcoming elections
    28 Feb 2024
    Image source: niyazz –
    IEC welcomes Constitutional Court judgment
    5 Dec 2023
    Putting the consumer in control: the power of consent
    Putting the consumer in control: the power of consent
    15 Nov 2023
    More industry news

    Next
    Let's do Biz