| Authority: | Regulator - SA |
|---|---|
| Jurisdiction: | South Africa |
| Relevant law: | Section 8, 9, 10, 11, 15, 19 22 of Promotion of Access to Information Act 2 of 2000, as amended, Section 32(1)(b) of the Constitution. |
| Type: | Violation |
| Outcome: | Violation |
| Started: | N/A |
| Decided: | 4 April 2023 |
| Published: | 5 April 2023 |
| Fine: | N/A |
| Parties: | Regulator vs. Lt-General Sehlahle F Masemola, The National Police Commissioner & |
| South African Police Service (SAPS) | |
| Case No.: | Reference CI 317/22 |
| Appeal: | N/A |
| Original Source: | PAIA |
| Original contributor: | MZIZI Africa |
Contents
The Respondents who are members of the South African Police Service (SAPS) violated the provisions of the POPIA on lawful use, excessive processing, technical measures, purpose limitation when they distributed personal details of unnamed data subject (victims of crime) via whatsapp in the course of a criminal investigation, but which message found its way to public social media pages.
This was an own initiative investigation in terms of section 76 (3) of the Protection of Personal Information Act 4 of 2013 (POPIA) by the Regulator against Lt-General Sehlahle F Masemola & 2 Others (the “Respondents”).
The Respondents distributed the personal information of data subjects who also happened to be victims of a horrendous sexual crime, on various WhatsApp groups to alert the respective stations and units of a serious crime which happened in the West Rand District and to mobilise the available resources to respond accordingly and trace possible suspects and to source information from the members of the public.
The personal information of the data subjects was included in a WhatsApp message, a social media platform, that was forwarded by a senior officer of the SAPS to the Provincial Commissioner of the SAPS and subsequently to the Gauteng Generals’ WhatsApp Group, comprising of thirty (30) participants, the West Rand District Commissioner’s WhatsApp Group, comprising of seventy-seven (77) participants and the Randfontein SAPS Station group, comprising of one hundred and forty-eight (148) participants.
As a consequence of the wide and indiscriminate distribution of the WhatsApp message, it was leaked from its intended communication channels which resulted in the message being shared widely on various social media platforms, such as Facebook.
The information shared was detailed personal information of data subjects, which included their ages, occupations and residential addresses. The Respondents did not provide any relevant documentary evidence with reference to protocols, management supervision, content management, usage, and distribution policy of specifically WhatsApp messages within SAPS applicable at the time of the incident.
The Regulator held that there was a breach of the conditions for the lawful processing of personal information and non-compliance with the duty to notify security compromises and ordered that the Respondents: