Information Regulator says Department of Justice and Constitutional Development must pay administrative fine of R5m

Published Jul 4, 2023


Johannesburg - The Information Regulator (Regulator) says it has issued an Infringement Notice to the Department of Justice and Constitutional Development (DoJ&CD).

The Regulator ordered the DoJ&CD to pay an administrative fine of R5 million following its failure to comply with the Enforcement Notice issued by the Regulator on May 9.

The Regulator said that it issued the Enforcement Notice following the finding of the contravention of various sections of the Protection of Personal Information Act (POPIA) by the DoJ&CD.

“The Enforcement Notice had required the DoJ&CD to submit proof to the Regulator within 31 days of receipt of the notice that the Trend Anti-Virus licence, the SIEM licence, and the Intrusion Detection System licence have been renewed. It also required the department to institute disciplinary proceedings against the official(s) who failed to renew the licences, which are necessary to safeguard the department against security compromises,” said the Regulator.

The Regulator indicated that should the DoJ&CD fail to abide by the enforcement notice within the stipulated time frame “it will be guilty of an offence, in terms of which the Regulator may impose an administrative fine in the amount not exceeding R10 million or be liable upon conviction to a fine or to imprisonment of the responsible officials”.

The Regulator also said that the 31 days given to the department expired on June 9. To date, the department has not provided the Regulator with a report on the implementation of the actions required in the Enforcement Notice, or any other communication in that regard. The DoJ&CD had the right to appeal the Enforcement Notice in terms of section 97(1) of POPIA, and it did not exercise that right. Given this lack of compliance, the Regulator determined that the department had failed to comply with the Enforcement Notice served on it in terms of POPIA. Accordingly, the Regulator issued an administrative fine of R5 million to the department for failure to comply with the Enforcement Notice.

“The DoJ&CD has 30 days from July 3, 2023, to pay the administrative fine, make arrangements with the Regulator to pay the administrative fine in instalments, or elect to be tried in court on a charge of having committed the alleged offence referred to in terms of POPIA,” added the Regulator.

In September 2021, the DoJ&CD suffered a security compromise of its IT systems. This left the department’s systems unavailable to its employees and subsequently affected services to the public. The Regulator conducted an own-initiative assessment after the department suffered the data breach.

“Following the assessment, the Regulator found that the department had failed to put in place adequate technical measures to monitor and detect unauthorised exfiltration of data from their environment, resulting in the loss of approximately 1 204 files.

“This occurred as a result of the DoJ&CD’s failure to renew the Security Incident and Event Monitoring (SIEM) licence, which would have enabled it to monitor unusual activity on their network and keep a back-up of the log files.

“The failure to renew the licence resulted in the unavailability of critical information contained in the log files. The SIEM licence expired in 2020,” the Regulator said.

The DoJ&CD also failed to renew the Intrusion Detection System licence, which had also expired in 2020.

Had this licence been renewed, the department would have received alerts of suspicious activity by unauthorised people accessing the network, the Regulator said.

The Trend Anti-Virus licence was also not renewed when it expired in 2020. The failure to renew this licence meant that the virus definitions for known malware threats were no longer being updated.

The Regulator also found that the department had failed to take reasonable measures to identify or reasonably predict internal and external risks to the protection of personal information in its possession or under its control and establish and maintain appropriate safeguards against the identified risks.

“Following the finding that the DoJ&CD had contravened sections 19 and 22 of POPIA, the Regulator issued the DoJ&CD with an Enforcement Notice in which it orders the department to take a number of steps.

“These steps include that the department must submit proof to the Regulator within 31 days of receipt of the notice that the Trend Anti-Virus licence, the SIEM licence, and the Intrusion Detection System licence have been renewed. It must also institute disciplinary proceedings against the official(s) who failed to renew the licences, which are necessary to safeguard the department against security compromises.

“Should the DoJ&CD fail to abide by the Enforcement Notice within the stipulated time frame, it will be guilty of an offence, in terms of which the Regulator may impose an administrative fine in the amount not exceeding R10 million or be liable upon conviction to a fine or to imprisonment of the responsible officials.”

The department said it would respond to requests for comment in due course.

The Star