Lize de la Harpe, Senior Legal Advisor at Sanlam
Introduction
The Information Regulator issued an enforcement notice on 22 May 2026 against the Central Johannesburg TVET College after employees’ personal credential verification reports were emailed to unauthorised staff in error.
The legal position
The Protection of Personal Information Act, 2013 (POPIA) regulates the processing of personal information of data subjects. “Processing” is defined very widely and includes collection, storing as well as sharing of personal information of a data subject.
POPIA requires a responsible party to process personal information lawfully and in a manner that does not infringe the privacy of data subjects. In order for such processing to be “lawful” it must comply with the conditions for lawful processing as set out in Chapter 3.
Conditions for lawful processing
For purposes of this matter, we need to focus on the following conditions for lawful processing:
Further processing limitation
Condition 3 (Purpose specification) states that personal information must be collected for a specific, explicitly defined and lawful purpose related to the function or activity of the responsible party.
Condition 3 ties up specifically with Condition 4 (Further processing limitation). Section 15(1) states that further processing of personal information must be in accordance or compatible with the original purpose of collection.
To put it differently: responsible parties may only process personal information for another (further) purpose if such processing is compatible with the original purpose for which it was collected. Sharing of personal information constitutes further processing.
Security safeguards
Condition 7 requires a responsible party to secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable, technical and organisational measures to prevent:
- Loss, damage or unauthorised destruction of personal information; and
- Unlawful access to or processing of personal information.
In order to do this, section 19(2) states that a responsible party must take reasonable measures to:
- identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control
- establish and maintain appropriate safeguards against these identified risks
- regularly verify that safeguards are effectively implemented, and
- ensure safeguards are continually updated in response to new risks or deficiencies.
Notification requirements in the event of a security breach
Section 22 states that where there are reasonable grounds to believe that personal information has been accessed by an unauthorised person, the responsible party must notify the Information Regulator and the data subject as soon as reasonably possible after the compromise. Such notification must be in the time and manner prescribed in the act.
Unlike the GDPR, under which notification to data subjects is only required where the breach is likely to result in a high risk to the rights and freedoms of natural persons, POPIA requires notification of all breaches of the act that result in interference with personal information.
Information Regulator’s power to issue enforcement notices
The Information Regulator is an independent body established in terms of POPIA and is tasked with investigating complaints and issuing administrative penalties to responsible parties who do not comply with the act.
Section 95 states that if the Information Regulator is satisfied that a responsible party has interfered or is interfering with the protection of personal information of a data subject, it may serve the responsible party with an enforcement notice requiring the responsible party to do either or both of the following:
- to take specified steps within a specified period, or to refrain from taking such steps; or
- to stop processing personal information as specified in the notice, or to stop processing personal information for a purpose or in a manner as specified within the stated period.
Failure to adhere to an enforcement notice constitutes a criminal offence, punishable by a fine of up to R10 million, imprisonment for a period not exceeding 10 years, or both a fine and imprisonment.
The incident
Now let’s turn to the case at hand.
Central Johannesburg TVET College, the Responsible Party, processed personal information of the complainants in the context of the employer-employee relationship in order to restore good governance, after it had come to its attention that a sizeable number of employees had failed to declare their criminal records and possible conflicts of interest, such as doing business with the employer.
As a result, the Responsible Party was placed under administration to investigate and address these problems.
The terms of reference of the Administrator included the restoration of good governance and ensuring that all employees declared their previous criminal records and interests.
By his own admission, the Administrator of the Responsible Party confirmed that, in the course of communicating to her team the urgent need to implement the policies, the Acting Chief Financial Officer had erroneously included the Verification Reports of the complainants in the folder that contained the finance policies, and that this folder was sent by email to various employees.
The complainants learnt about the email containing their personal information when it was sent to some staff members on 6 September 2022. This email was recalled by the Administrator on 8 September 2022 with an explanation that the document was erroneously distributed and was not intended for staff use. He even took corrective action against those who had erroneously sent the document to other staff members. The Responsible Party did not notify the data subject or the Information Regulator of the breach.
The Information Regulator confirmed that the sharing of the Verification Reports of the complainants with other staff of the Responsible Party constituted further processing – and in order to comply with section 15(1) of POPIA, such further processing (sharing) of personal information must be in accordance or compatible with the purpose for which the personal information was collected. The sharing thereof with unauthorised staff who were not involved in the strengthening of governance of the institution, albeit by mistake, was incompatible with the purpose for which the personal information in the Verification Reports was collected and as such unlawful.
Furthermore, the sharing of the Verification Reports with unauthorised staff constituted a security compromise, which triggered the obligation of the Responsible Party to inform the Regulator and the complainants of the security compromise. The Responsible Party failed to do so, and this failure constituted a breach of section 22(1) of POPIA.
Based on the above mentioned findings, the Information Regulator issued an Enforcement Notice calling upon the Responsible Party to notify the data subjects of the security compromise within 31 days and also to issue an apology to the complainants for the violation, which apology must also be published on all other communication channels used by the Responsible Party.
Conclusion
One of the most common types of breaches of personal information is an accidental email sent to the wrong recipient. I doubt there is a single one of us who hasn’t done this at least once.
The Information Regulator specifically noted that, although an email was issued to all employees alerting them to the fact that personal information of the complainants had been shared by mistake, an investigation was launched to understand the circumstances under which the error occurred and corrective action was taken, none of this absolved the Responsible Party from its obligation to inform the Regulator and the complainants of the security compromise.
It is therefore clear that the Information Regulator interprets section 22 in a very narrow sense, i.e. that all breaches, regardless of severity, must be reported. Responsible parties should thus take note of this enforcement notice and ensure that they continuously train staff on the requirements of the act.
ENDS