Date: 2023-07-05

The Department of Justice and Constitutional Development (DoJ&CD) has been ordered to pay a R5 million fine following its failure to comply with an Enforcement Notice after contravening the Protection of Personal Information Act (Popia).

On May 9, the Information Regulator issued an Infringement Notice against the department for contravening various sections of Popia. This followed a security compromise of the DoJ&CD's IT systems in September 2021, which left the department's systems unavailable to its employees and affected services to the public. The Regulator conducted an own-initiative assessment after the data breach and found that the department had failed to put in place adequate technical measures to monitor and detect unauthorised exfiltration of data from its environment, resulting in the loss of approximately 1 204 files.

The assessment also found that the department failed to renew its Security Incident and Event Monitoring (SIEM) licence, which would have enabled it to monitor unusual activity on its network and keep a backup of the log files. The Regulator issued the Enforcement Notice following the findings, but the department failed to comply by submitting proof to the Regulator within 31 days that the Trend Anti-Virus licence, the SIEM licence and the Intrusion Detection System licence had been renewed. DoJ&CD spokesperson Chrispin Phiri said they would issue a statement on the matter in due course. The Regulator on Tuesday said the notice also required the department to institute disciplinary proceedings against the official/s who failed to renew the licences, which are necessary to safeguard the department against security compromises.

“The Regulator indicated that should the DoJ&CD fail to abide by the Enforcement Notice within the stipulated time frame, ‘it will be guilty of an offence, in terms of which the Regulator may impose an administrative fine in the amount not exceeding R10 million, or liable upon conviction to a fine or to imprisonment of the responsible officials.’

“The 31 days given to the department expired on June 9. To date, the department has not provided the Regulator with a report on implementation of the actions required in the Enforcement Notice or any other communication in that regard. The DoJ&CD had the right to appeal the Enforcement Notice in terms of section 97(1) of POPIA, and they have failed to exercise that right,” the Regulator said.

“Given this lack of compliance with the Enforcement Notice, the Regulator has made a determination that the department has failed to comply with the Enforcement Notice served to it in terms of POPIA.