By Karl Blom, Peter Grealy, Nozipho Mngomezulu, Wendy Tembedza, Partners & Cindy Leibowitz, Knowledge Lawyer at Webber Wentzel 

Recent developments relevant to data protection issues offer some guidance for businesses, including in the event of data breaches and M&A transactions 

It has been 10 months since the commencement of the Protection of Personal Information Act, 2013 (POPIA). We have taken stock of recent data protection developments and have set out some key learnings to guide you in your POPIA compliance journey.

The matric results debacle – the parameters of compliance when publishing personal information  

At the start of 2022, the Department of Basic Education (DBE) decided not to publish the 2021 matric results on public platforms, as it has traditionally done at the start of each year. The Information Regulator issued a statement following this decision, in which it said that the DBE “has a duty to ensure that matriculants receive their results”, but that this must be done in a manner which complies with POPIA. The Information Regulator emphasised the following (non-exhaustive) requirements in her statement:

One matriculant challenged the DBE’s decision in the High Court, seeking an order compelling the DBE to publish her results on public platforms. This learner stated that the results could be published without reflecting the learners’ names and surnames. The court granted the order as the matter was unopposed but did not provide any reasons for its decision.  

The matter emphasises that the right to privacy must be balanced with the right to access information. This relationship can be complicated, and many factors need to be considered in assessing each particular set of circumstances to strike the right balance.  Future judgments should provide further guidance on this dynamic. 

Learnings from the TransUnion data breach 

In March 2022, credit bureau TransUnion announced that it had suffered a data breach. The Information Regulator has expressed its views regarding the handling of this data breach, indicating that the notification by TransUnion was “inadequate, unsatisfactory and falls short of what is required” by POPIA. The Information Regulator’s concerns centred around the lack of detail provided to the Information Regulator, indicating that less is not always more when demonstrating to the Information Regulator that a data breach has been managed appropriately.  

M&A and POPIA 

Every business processes personal information about its employees, customers, suppliers, contractors, and other stakeholders. A particularly vexing question is how to comply with POPIA when selling a business to a third party. This question must be considered at each stage of the transaction, including post-transaction, when systems are being integrated.

Companies often grapple with determining whether employee consent is needed to transfer employee personal information to an acquirer. If the acquirer is located outside South Africa, the seller must consider how to lawfully transfer personal information to the offshore acquiring party, given POPIA’s specific requirements. The Information Regulator has not yet provided a guidance note on this particular issue. In the interim, overseas guidance may prove useful, including the Data Sharing Code of Practice published by the Information Commissioner’s Office (ICO) in the UK. 

Ensuring POPIA compliance during an M&A transaction may require some upfront planning, and we recommend involving a privacy lawyer at an early stage of the transaction to avoid falling foul of any regulatory requirements. 

Useful links 

We include some links to guidance notes published by the Information Regulator: