PAIA High Profile matters
We have conducted investigations related to PAIA as a result of complaints lodged with us by organised structures and individual members of the public following the PAIA requests to the public and private bodies for access to certain records held by them. Some matters were resolved through mediation and settlement, whilst others needed us to issue Enforcement Notices. The following matters, amongst others, are the exemplars of why access to information is a human right that must be respected and promoted.
State Security Agency
On 2 August 2024, we issued an Enforcement Notice to the State Security Agency (SSA) directing it to release records following a PAIA complaint lodged with the Regulator. The matter emanated from a PAIA request to SSA by an investigative journalist from the Daily Maverick media house in June 2022. The PAIA request was for access to records on SSA’s expenditure in the 2015 to 2019 financial years for services rendered to it by the African News Agency, including detailed descriptions of all goods and services the SSA procured from the Agency, as well as proof of deliverables thereof. SSA did not respond to the request as required by law. SSA’s lack of response resulted in it being interpreted as a deemed refusal in terms of PAIA. The SSA attended to the matter after the prescribed timeframe when it issued a refusal to grant access to the records, a response that was deemed late.
Following extensive investigation and consideration of the matter by the Enforcement Committee, the Regulator issued an Enforcement Notice in which it directed SSA to disclose the records requested by the complainant. The Regulator found, amongst others, that SSA had failed to prove that the disclosure of the records could reasonably impede or result in a miscarriage of justice and reveal the identity of a confidential source of information in relation to an ongoing investigation on the matter related to the records being requested. SSA also failed to prove that the disclosure of the requested record could reasonably cause prejudice to the security of the country. SSA has opted to take the decision of the Regulator on review in court.
Matters under investigation
Social Media Companies
Another matter we are currently investigating is the complaint made against social media companies, X (formerly known as Twitter), Meta, and Google. The complainant has requested access to the records relating to the classification of elections, risk assessments concerning South Africa’s electoral integrity, and the application of global policies to local contexts within these three entities. The entities’ refusal of access to the records is based on the general presumption that PAIA does not apply extraterritorially to these private bodies despite them conducting business in South Africa. The Regulator accepted the complaints, and all three complaints are currently under investigation.
South African Revenue Service
A complaint was received against a decision of the South African Revenue Service’s Commissioner, wherein the complainant requested access to the former President’s individual tax returns for the tax years 2010 to 2018. The Commissioner of SARS refused access to the records. The investigation into this matter is at an advanced stage.
Matters referred to the Enforcement Committee
Sibanye Stillwater Ltd and the Department of Mineral Resources & Energy
We also received a complaint from a human rights organisation based at the Wits School of Law against the mining company, Sibanye Stillwater Limited. The complaint concerns a request for access to the Annual Compliance Reports submitted by Sibanye Stillwater Ltd to the Department of Mineral Resources and Energy, in respect of Social Labour Plans for the Eastern and Western platinum mines. The Annual Compliance Reports to which the complainant requested access related to progress on community projects that Sibanye Stillwater Ltd undertook to implement as part of their licensing requirements. The Investigation Report has been finalised and is being considered by the Enforcement Committee.
Matters Settled through mediation
Among the matters settled through mediation is a complaint we received from an investigative journalist who had written several articles about the allegations of fraud and corruption at Gauteng Hospitals. It is alleged that this had resulted in the assassination of the whistleblower, Ms Babita Deokaran. The complaint lodged with the Regulator was against the decision of the Head of the Gauteng Department of Health to refuse access to records relating to scheduled payments to suppliers. Upon receipt of this complaint, the Regulator invited the Head of the Gauteng Department of Health for a settlement meeting, wherein they agreed to release the requested records.
PAIA Annual Report submissions
On 25 April 2024, we issued a notice calling on all public and private bodies to submit their PAIA Annual Reports for the year 2023/2024 as required in terms of section 32 and section 83(4) of PAIA. While we are still not satisfied by the low levels of submissions of these reports, we acknowledge the slight improvement compared to last year’s submission, and this may be attributed to the more efficient platform we created for this year’s submission through the new e-Service portal which we developed and launched on 1 May 2024.
Now, why is the submission of these reports fundamental? The importance and purpose of these reports is to give an account of the number of requests for access received, access granted in full, access granted in terms of mandatory disclosure in the public interest, access refused, cases extended, and so forth. The non-submission of these reports impedes the Regulator’s ability to monitor the implementation of PAIA and the effectiveness to ensure that the right of access to information is fully exercised. Those who do not make submissions are infringing on this right and contravening the law. We have noted the dismal submission of PAIA Annual Reports by public bodies, and this is a cause for concern because public bodies have an obligation to make the submission.
PAIA Annual Report: Public Bodies’ poor submissions stats
Out of eight hundred and fifty-three (853) public bodies, which comprise National Departments, Provincial Departments, Local Government structures, Public Entities, Universities and TVET Colleges, only two hundred and seventy-eight (278) public bodies have submitted their PAIA annual reports to the Regulator, and the overall compliance percentage is about thirty-three percent (33%).
When we look at the granular details of the compliance levels, we have a grave concern about the very low reporting from local government, where out of the two hundred and fifty-seven (257) municipalities in the country, only fifty-one (51) submitted their annual reports, which marks a twenty percent (20%) compliance rate. This was closely followed by PFMA-listed public entities where, out of 371 entities, only one hundred and forty-one (141) made their submissions, resulting in a thirty-eight percent (38%) compliance level.
To a certain degree, we are pleased with the response by private bodies with regard to the submission of the PAIA Annual Reports. This demonstrates how they are giving effect to the constitutional right of access to any information. Although there was a good response from private bodies, political parties’ submission was dismal in that out of 52 registered political parties only 11 submitted. Thirty-four thousand, four hundred and sixty (34 460) private bodies, including political parties, submitted their PAIA Annual Reports. There was a total of 122 198 requests for access received, and 114 669 requests for access were granted in full.
The Regulator will soon submit proposals to Parliament for amendment of PAIA to provide for stronger enforcement powers in terms of PAIA. The current provisions in PAIA are too mild, and we postulate that this may contribute to the laxness of the public bodies’ compliance with the law.
Assessments completed
From April 2024, we have conducted over thirty (30) PAIA compliance assessments against three (3) social media platforms (Google, Facebook & TikTok) and seventeen (17) law firms, including the following top five (5) law firms, viz. Bowmans, Cliffe Dekker Hofmeyr, ENSafrica, Webber Wentzel and Werksmans. Furthermore, we assessed Schedule 2 public entities such as the Development Bank of Southern Africa, ESKOM, Telkom SA, and Transnet.
Regulator: a role player on the international stage
We continue to advocate for the right to information on a global stage. Once again, in May 2024, we were re-elected as the Chair and Secretariat of the African Network of Information Commissions (ANIC). Furthermore, the Regulator serves on the Executive Committee of the International Conference for Information Commissioners (ICIC), which is a global network of access to information oversight bodies. These roles not only serve as an advocacy platform but also allow us to be instrumental in contributing to the realisation of this right regionally and globally.
We will be participating in UNESCO’s international conference to commemorate the International Day for Universal Access to Information (IDUAI) in Ghana, which will be hosted by the Government of Ghana. Furthermore, and similarly, in the efforts to equip public bodies with mechanisms to comply with PAIA, we will host a seminar on 27 September in celebration of IDUAI at the University of Pretoria. The theme under which these engagements will be hosted is “Mainstreaming Access to Information and Participation in the Public Sector”.
PROTECTION OF PERSONAL INFORMATION (POPIA)
Enforcement Notices Issued
On POPIA-related matters, since April this year, we have issued four (4) Enforcement Notices against:
– Blouberg Municipality – related to the unlawful processing of personal information of a former employee, where the employee’s personal information was exposed on the internet following her submission of a declaration of interest containing that personal information.
– Lancet Laboratories – as a result of a compliance assessment, which was necessitated by the number of security compromises that they experienced. The company failed to comply with the notification requirements in terms of section 22 of POPIA. The company had also failed to notify the data subjects affected by the security compromise within a reasonable time.
– Electoral Commission – as a result of a security compromise that occurred just before the 2024 national and provincial elections. This resulted in the candidate nomination lists of the African National Congress and the Umkhonto weSizwe Party being shared on various social media platforms. We initiated an assessment of their security systems on the safeguarding of personal information that they processed, and we found that they did not have adequate access control measures to protect the confidentiality of personal information in their possession. Furthermore, their section 22 notification to notify the data subjects concerned was found to be inadequate.
– WhatsApp LLC – a very long-standing matter with numerous complexities. The Regulator’s preliminary assessment revealed, amongst others, that WhatsApp adopts different terms of service and privacy policies for users in the European Region compared to users outside Europe, including South African users. The privacy safeguards for users in the European Region appeared to be better than those for users in South Africa, even though the General Data Protection Regulation (GDPR) and POPIA have similar standards and protections. The Regulator deemed it appropriate to conduct a compliance assessment in terms of section 89 of POPIA, given the insufficiency of WhatsApp’s Privacy Policy in demonstrating compliance with the provisions of POPIA. The Regulator has issued an Enforcement Notice in which it directed WhatsApp LLC to comply with all conditions for lawful processing by updating its privacy policy, to conduct a personal information impact assessment, and to comply with the provisions of PAIA in so far as it relates to its obligation to maintain the documentation of all processing operations it is responsible for. In this regard, the Regulator dismissed WhatsApp’s argument that PAIA does not apply to it as a social network which is extraterritorial.
On-going high-profile investigations
We are currently investigating another POPIA complaint on alleged interference with the protection of the personal information of data subjects by the South African Police Service. The personal information was processed by SAPS in the course of an investigation of a crime. The personal information was disseminated by SAPS through WhatsApp messages. Due to the sensitivity of the case and considering that this is a similar matter where personal information was leaked, the Regulator has embarked on an own-initiative investigation into the alleged interference with personal information. The matter has been referred to the Enforcement Committee.
Direct Marketing through Unsolicited Electronic Communications
We have heard the plight of members of the public and their growing frustration with spam calls resulting from direct marketing. We had reported earlier this year that we had drafted a Guidance Note on Direct Marketing, which seeks to guide public and private bodies on how to comply with POPIA when processing personal information of data subjects for direct marketing other than by unsolicited electronic communications in terms of section 11(3)(b) and by unsolicited electronic communications in terms of section 69 of POPIA, and also to empower data subjects to protect their right.
In July 2024 we shared the draft guidance note with stakeholders in the direct marketing organised structures and the big industry players who largely use direct marketing as part of their business practices. We are at the final stages of considering their intricate inputs, and on 25 September 2024, we will hold a stakeholder engagement on the final version of the Guidance Note ahead of its publication.
Security Compromise Incidents
We cannot stress enough our concerns with the increase in the number of security compromise incidents that have been reported to us since the coming into effect of the enforcement powers of the Regulator in July 2021. Since the beginning of April 2024, we have received nine hundred and eighty (980) security compromise notifications. This tells us that public and private bodies may not have adequate organisational and technical measures to ensure the integrity and confidentiality of personal information in their possession or under their control. We have since ensured that in all compliance assessments that we conduct, we look into the security safeguard measures that public and private bodies have put in place.