Department of Justice and Constitutional Development
Issued by Information Regulator of South Africa on 2023-05-09
What happened
South Africa's Information Regulator issued an enforcement notice against the Department of Justice and Constitutional Development following a devastating ransomware attack in September 2021 that encrypted the department's entire IT infrastructure. The attack disrupted court operations, child maintenance payments, and legal aid services across the country for weeks. Personal data of millions of South Africans involved in legal proceedings was potentially compromised. The Information Regulator found that the department had failed to implement adequate security measures to protect personal information as required by POPIA Section 19, and had not established sufficient incident response capabilities. While no monetary fine was imposed (the regulator focused on compliance orders), the enforcement notice required the department to implement comprehensive security improvements within specified deadlines.
Articles violated
Lessons learned
Government departments handling sensitive legal data of millions of citizens must invest in robust cybersecurity infrastructure. POPIA enforcement in South Africa is still developing, but the Information Regulator has shown willingness to take action against government entities. Ransomware preparedness — including offline backups, incident response plans, and business continuity procedures — is essential for organizations whose services affect critical public functions. This case demonstrates that POPIA enforcement extends to the public sector, not just private companies.
Source
View original decision

Disclaimer: This summary is for informational purposes only and does not constitute legal advice. Refer to the original decision for complete details.
