The Information Regulator (Regulator) confirms that it has received two notifications from the Independent Electoral Commission (IEC) regarding a security compromise that saw the unlawful release of candidate lists for the African National Congress (ANC) and the Umkhonto we Sizwe Party (MK) for the 2024 elections. The Regulator will attend to the notifications from the IEC in accordance with the requirements of the Protection of Personal Information Act No. 4 of 2013 (POPIA). The Regulator has advised the IEC that the notifications sent to the Regulator do not provide sufficient details about the incidents to make them compliant with POPIA requirements. Accordingly, the Regulator has sent an information notice to the IEC requiring the IEC to furnish the Regulator with more details regarding the incidents.
The Regulator’s information notice requests, among others, the following information from the IEC:
Regarding the security compromise involving the ANC candidates -
- Proof that the IEC has published the security compromise notice on its website.
Regarding the security compromise involving the MK candidates -
- proof of written notification to the MK party;
- confirmation of the number of data subjects impacted by the security compromise.
Regarding both parties –
- provision of sufficient information to allow the data subjects to take protective measures against the potential consequences of the compromise.
- Details as to how the unauthorised person accessed the personal information of data subjects, and
- Details as to the technical and organisational measures that the IEC has implemented to mitigate against the risk of the affected data subjects' personal information being unlawfully accessed and/or unlawfully processed.
The requested information will assist the Regulator in determining whether the IEC has met its obligations as a responsible party under POPIA.
Issued by Information Regulator of South Africa