The Independent Electoral Commission (IEC) is an independent constitutional body that plays the role of an impartial ‘referee’ during election season in South Africa, to ensure that the sanctity of such elections is upheld and maintained.
Ahead of the much-anticipated election date of 29 May 2024, tensions have been at an all-time high in the political sphere. In a media statement dated 11 March 2024, the Information Regulator confirmed the receipt of two notifications from the IEC pertaining to a security compromise that “saw the unlawful release of candidate lists for the African National Congress (ANC) and Umkhonto we Sizwe Party (MK) for the 2024 elections.”
Prior to the release of the aforementioned media statement, the security compromise may have prima facie appeared to lie solely within the political spectrum – since it pertains to the upcoming national elections. However, with the Information Regulator’s association therewith, the legal lens of such security compromise is brought into focus - drawing attention to the often subtle but ever-present intersections between law and politics.
Understanding the intersection
In accordance with paragraph 18 of the IEC schedule, the candidate lists of each respective political party were scheduled for release to the public on 10 April 2024 - following the completion of the relevant vetting practices by the IEC.
However, it was just hours after the political parties made their final candidate list submissions to the IEC on 8 March 2024, that the ANC and MK parties’ lists were leaked on social media.
Since this leak compromised the security of the personal information of the data subjects in the ANC and MK, the IEC – as the ‘responsible party’ for the processing of such personal information – was mandated by section 22(a) of the Protection of Personal Information Act 4 of 2013 (PoPIA) to act accordingly.
This section provides that “where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorized person, the responsible party must notify the Regulator.”
For further context, a ‘responsible party’ is defined in PoPIA as “a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing information.”
As such, by reporting this security compromise to the Information Regulator, the IEC identified itself as a ‘responsible party’, and therefore attached all the obligations thereof to itself.
The Information Regulator reported further in the aforementioned media statement that it issued the IEC with an information notice requesting further particulars about the security compromise, in order to determine whether the IEC has “met its obligations as a responsible party under PoPIA”.
The information sought will - according to Advocate Pansy Tlakula in a Newzroom Afrika broadcast of 11 March 2024 - allow the Information Regulator to conduct an enquiry into whether the IEC has taken the “appropriate, reasonable, technical and organisational measures (in terms of section 19 of PoPIA) to secure the integrity and confidentiality of the personal information in their possession.”
The further particulars from the IEC should include, inter alia, the consequences of the security compromise as well as the measures that the IEC has taken and/or intends to take to address it. To this end, the IEC conducted an internal investigation which revealed the identity of the employee responsible for the leak, and that employee was dismissed by the IEC.
Understanding the IEC’s obligations under PoPIA
Chapter 3 of PoPIA provides eight conditions for the lawful processing of personal information by or for a ‘responsible party’, and it is expected that the Information Regulator will conduct their enquiry of the security compromise against these provisions. The eight conditions are as follows:
- Accountability – responsible parties are to ensure compliance with the principles in Chapter 3 of PoPIA in relation to these conditions for lawful processing. [section 8]
- Processing limitation – personal information must be processed lawfully and reasonably, and to the extent that it is necessary. Additionally, personal information must be collected directly from the data subject and processed only with the data subject’s consent. [sections 9 to 12]
- Purpose specification – personal information must be collected for a specific and explicitly defined purpose and retained only for as long as necessary for such purpose. [sections 13 and 14]
- Further processing limitation - further processing of personal information must be compatible with the purpose for which it was collected in terms of section 13. [section 15]
- Information quality – responsible parties must take reasonably practicable steps to ensure personal information is complete, accurate, not misleading, and updated. [section 16]
- Openness - responsible parties must maintain documentation of all processing operations in terms of the Promotion of Access to Information Act (PAIA) and keep data subjects notified of all processing activities of their personal information. [sections 17 and 18]
- Security safeguards – responsible parties must secure the integrity and confidentiality of the personal information in their possession and notify data subjects of any breaches. [sections 19 to 22]
- Data subject participation – responsible parties must allow data subjects to make corrections or deletions to the personal information collected and provide them with access to their personal information as per PAIA. [sections 23 to 25]
Closing remarks
The security compromise has been described by political analyst, Dr Ebrahim Harvey, as an “undesirable situation that does not inspire confidence [in the elections]”.
However, Tlakula holds strong confidence in the IEC’s credibility and “ability to manage a free and fair election”. In an SABC broadcast that aired on 21 March 2024, Tlakula commends the IEC for their “systems” that are “not only robust [but] are also transparent.”
The steps taken by the IEC and Information Regulator following the security compromise of 8 March 2024 are reflective of both parties’ determination to realise PoPIA’s purpose, which is “to give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party...”.
Parties who are involved in the processing of personal information are cautioned to understand their obligations under PoPIA, and to take the necessary steps to ensure compliance therewith. The results of the Information Regulator’s enquiry into the security compromise could set the tone for responsible parties’ obligations moving forward.