SOUTH AFRICA: RELEASE OF PERSONAL DETAILS OF VICTIMS OF THE KRUGERSDORP ATTACK IN BREACH OF POPIA – WHAT IS THE LEGAL POSITION UNDER POPIA?
Last week, the Information Regulator issued a media statement announcing that it will be conducting an assessment into an alleged breach of the Protection of Personal Information Act (POPIA) by officials of the South African Police Service (SAPS) following the release of personal details of the victims of the recent Krugersdorp attack.
In late July, it was widely reported that eight women were gang raped and robbed after a group of armed men accosted them while shooting a music video at a mine dump in West Village near Krugersdorp. It has since come to the Information Regulator’s attention that a list containing personal details of the victims had been leaked to the public, allegedly by officials of the SAPS. The Information Regulator has, on its own initiative, decided to conduct an assessment into the measures implemented by SAPS to safeguard the personal information of the victims, which assessment may result in enforcement proceedings.
In addition, it has become apparent that the list of personal details of the victims is currently being shared publicly across various media platforms. The Information Regulator has condemned the distribution of the list on the basis that it is a breach of POPIA, it constitutes an act of re-victimisation, and it is a violation of the victims’ right to privacy and human dignity.
What you need to know about POPIA in the circumstances
POPIA seeks to give effect to the Constitutional right to privacy, subject to justifiable limitations that are aimed at balancing the right to privacy against other rights (such as the right of access to information) and protecting important interests, including the free flow of information.
For purposes of POPIA, personal information is information relating to an identifiable, living natural person, and where applicable, an existing juristic person. It includes information relating to an individual’s race, gender or age, an individual’s health or sex life, and an individual’s name if it appears with other personal information.
POPIA regulates the processing (i.e. collection, dissemination, sharing etc.) of personal information. POPIA will not, however, apply to the processing of personal information by or on behalf of a public body (such as SAPS) for purposes of investigating or proving offences or for the prosecution of offenders. This is provided that adequate safeguards have been established in legislation for the protection of such personal information. In this regard, the South African Police Service Act requires appropriate safeguards to be established and maintained in respect of, inter alia, databases containing fingerprints, body-prints and photographic images and DNA evidence.
In the absence of legislation providing for adequate safeguards in respect of the list of personal details of the victims, SAPS has an obligation to comply with the conditions for lawful processing under POPIA, including the obligation to implement appropriate and reasonable measures to secure the integrity and confidentiality of personal information it has in its possession and to prevent unlawful access to the personal information.
Accordingly, SAPS may collect and process personal information relating to the victims and alleged perpetrators in order to prosecute the alleged perpetrators. In doing so, however, SAPS is required to implement adequate safeguards to secure the personal information and prevent it from unlawful access (which appears to be the subject matter of the Information Regulator’s pending assessment).
It is worth noting that POPIA will also not apply to the processing of personal information solely done for the purpose of journalistic, literary or artistic expression, to the extent that it is necessary to, as a matter of public interest, reconcile the right to privacy with the right to freedom of expression. Accordingly, news agencies may publish stories relating to, for example, incidents of rape or crimes being committed, which stories may contain limited personal information. It would arguably not, however, be in the public interest for the names and details of the victims to be disclosed in the present matter.
The publication of information relating to the victims
Whilst POPIA does not contain a general prohibition on the publication of personal information, POPIA provides that personal information may only be processed on limited justifiable grounds. These grounds include, for example, when the processing is in the legitimate interests of the individual or where the processing is necessary for the proper performance of a public law duty by a public body (such as SAPS).
The sharing of personal details of the victims may, however, concern special personal information, which includes information relating to, amongst other things, an individual’s health or sex life. POPIA affords additional protection to the processing of special personal information. In this regard, there is a general prohibition on the processing of special personal information, unless, for example, (i) the processing is carried out with the consent of the individual (i.e. where the victim has consented to the publishing of their details); (ii) where the information has deliberately been made public by the individual (i.e. the victim elects to share their details publicly) or (iii) the processing is necessary to exercise a right, or comply with an obligation, in law.
To the extent that any person accesses or shares the list of personal details of the victims on media platforms, and in the absence of the victims’ consent to do so or the victims having deliberately made their personal details public, this would constitute a breach of POPIA and, as stated by Information Regulator, a violation of the victims’ right to privacy.
The victims’ rights and potential consequences
In terms of POPIA, the victims have the right to have their personal information processed in accordance with the provisions of POPIA. This includes the right to be notified that their personal information has been accessed or acquired by an unauthorised person (such as where the list of their personal details is being shared by persons on various media platforms).
As a result of an alleged breach of these rights, the victims may submit a complaint to the Information Regulator or institute civil proceedings for damages against SAPS regarding the alleged interference with their personal information. The Information Regulator may also, on its own accord, conduct an assessment or investigation relating to an alleged breach of the provisions of POPIA.
Following the assessment in the present matter, the Information Regulator will be required to issue a report to SAPS on the result of the assessment and any recommendations, which report will be deemed to be equivalent to an enforcement notice. In addition, any persons distributing the list of personal details on media platforms may similarly be subject to enforcement proceedings by the Information Regulator. A failure to comply may result in punitive action, including the imposition of fines and/or imprisonment.