Information Regulator: Enforcement Notices for contraventions of POPIA and PAIA by Public and Private Bodies

Information Regulator: Enforcement Notices for contraventions of POPIA and PAIA by Public and Private Bodies logo

Summary:The Information Regulator has issued Enforcement Notices for contravention of the Protection of Personal Information Act 4 of 2013 (POPIA) and the Promotion of Access to Information Act 2 of 2000 (PAIA) against Central Johannesburg TVET College (CJC) and Sibanye Stillwater Limited. 


Article:

Central Johannesburg TVET College (CJC) was issued the Enforcement Notice following findings that the institution contravened several provisions of POPIA, initiated by complaints lodged by 3 affected individuals whose special personal information was unlawfully shared with third parties within the institution without legal justification. The information which was disclosed to the employer for purposes of governance and employee vetting included the complainant's qualifications and criminal charges and convictions, which were shared by the responsible party and the responsible party’s employee in contravention of the provisions of POPIA. 

The Regulator concluded that CJC failed to comply with key POPIA obligations, including: 

  • Failure to implement adequate accountability measures; 
  • Unlawful further processing and sharing of personal information; 
  • Failure to maintain appropriate security safeguards; and 
  • Failure to notify both the Regulator and affected individuals of the security compromise as required under Section 22 of POPIA. 

Sibanye Stillwater Limited, a mining company with various other operations listed on the Johannesburg Stock Exchange, is ordered to set aside the decision to refuse access to the records sought by the complainant, who is a representative of a public interest organisation. 

The complainant had requested, amongst other documents, all annual compliance reports for the years 2019 to 2023 for the Eastern and Western platinum mines.  

The Regulator found that Sibanye’s reliance on Section 68 of PAIA (commercial information exemptions) was not supported by sufficient evidence to establish that disclosure would likely cause the alleged harm. The refusal to grant access was therefore not justified, and the private body also failed to identify any portions of the records that could be severed or redacted.  

Sibanye Stillwater Limited is obligated to submit the Social and Labour Plan (SLP) contemplated in Regulation 46, together with the application for the right. The SLP is valid and binding for 5 years, and the holder of the mining right must submit annual compliance reports. The SLPs are public documents and thus should have been made automatically available without a person having to make a PAIA request. 

Click here to download the Media Statement:

https://inforegulator.org.za/wp-content/uploads/2026/06/MEDIA-STATEMENT-INFORMATION-REGULATOR-ISSUES-ENFORCEMENT-NOTICES-FOR-THE-CONTRAVENTIONS-OF-POPIA-AND-PAIA-BY-PUBLIC-AND-PRIVATE-BODIES.pdf 

Relevance to Auditors, Independent Reviewers & Accountants:

  • POPIA and PAIA are more pieces of legislation that your clients must comply with, and which you must assess compliance with.  If they don’t comply with the relevant laws and regulations, you have certain reporting obligations in terms of NOCLAR (NOn-Compliance with Laws And Regulations) – this could include reporting to management, qualifying your audit opinion, reporting a Reportable Irregularity, etc.
  • As an auditor, accountant and independent reviewer, you need to consider updated information that is published by the Information Regulator (as they are responsible for POPIA and PAIA in SA) – especially as it relates to operational functionalities, and other relevant information of interest.
  • As an employer, you also need to comply with POPIA and PAIA in your workplace.

Relevance to Your clients:

  • Both private and public bodies have a duty to comply with POPIA and PAIA, and directors have to fulfil their duties accordingly, otherwise they could be held liable.
  • Your clients need to consider updated information that is published by the Information Regulator (as they are responsible for POPIA and PAIA in SA) – especially as it relates to operational functionalities, and other relevant information of interest.

There are not comments for this article at the moment, check back later.
You must be logged in to add a comment, log in now.

Explore Smarty