Information regulator takes action against Department of Justice and Constitutional Development

​​​The Information Regulator has levied an administrative fine of ZAR 5 million on the Department of Justice for breaching POPIA.

In September 2021, the Department of Justice and Constitutional Development (the DoJ) suffered a cyberattack that resulted in the loss of over 1 200 files, the encryption of internal documents and the compromise of personal information.Following an assessment of the DoJ's systems, the Information Regulator of South Africa (Information Regulator) concluded that the DoJ had failed to put adequate security measures in place to monitor, detect and prevent data breaches. Specifically, the DoJ had failed to renew its Security Incident and Event Monitoring (SIEM) Licence and antivirus licence since 2020. The Information Regulator issued an Enforcement Notice to the DoJ.

The Enforcement Notice

In terms of the Enforcement Notice, the Information Regulator ordered the DoJ to:

  • renew its SIEM and antivirus licences; and
  • institute disciplinary proceedings against the officials who failed to renew the SIEM and antivirus licences.

The DoJ was given 31 days to implement the order of the Enforcement Notice. The 31 days expired on 9 June 2023, without the Information Regulator receiving any report on the implementation of this order.

The Infringement Notice

On 3 July 2023, for the first time since it was established, the Information Regulator issued an Infringement Notice to the DoJ, finding that it had contravened the Protection of Personal Information Act 4 of 2013 (POPIA) and ordering it to pay a fine of ZAR 5 million (the maximum fine for contravention of POPIA is ZAR 10 million).

The Information regulator has given the DoJ 30 days from 3 July 2023 to pay the administrative fine or elect to be tried in court for contravention of POPIA.

This latest development demonstrates a clear intention by the Information Regulator to enforce POPIA. We anticipate the Information Regulator will issue more fines for non-compliance in the future.


These materials are provided for general information purposes only and do not constitute legal or other professional advice. While every effort is made to update the information regularly and to offer the most current, correct and accurate information, we accept no liability or responsibility whatsoever if any information is, for whatever reason, incorrect, inaccurate or dated. We accept no responsibility for any loss or damage, whether direct, indirect or consequential, which may arise from access to or reliance on the information contained herein.

© Copyright Webber Wentzel. All Rights reserved.

Webber Wentzel > News > Information regulator takes action against Department of Justice and Constitutional Development
Johannesburg +27 (0) 11 530 5000
Cape Town +27 (0) 21 431 7000
Validating email against database, please wait...
Validating email: please wait...
Email verified: Please click the confirmation link sent to your mailbox, also check junk/spam folder. If you no longer have access to this email address or haven't received the verification email then email
Email verified: You are being redirected to manage your subscription
Email could not be verified: Please wait while you are redirected to the Subscription Form
Unanticipated error: Saving your CRM information Subscription Form