South Africa’s Protection of Personal Information Act (“POPIA”) imposes strict requirements on processing personal information, especially that of children. Under South African law, a child is a natural person under the age of 18. Recent enforcement action against the Department of Basic Education (“DBE’) highlights the importance of obtaining parental consent and using privacy-respecting methods when handling sensitive data like matriculation results.
In South Africa, matriculation results refer to the outcomes of the National Senior Certificate examinations (akin to the high school diploma examination), which mark the completion of high school education. Traditionally, matric results have been published in newspapers or online platforms, often including personal identifiers such as names and examination numbers. While this practice has been long-standing, it raises significant privacy concerns under POPIA.
What Happened in the DBE Case?
The DBE published the 2023 matric results without securing consent from students 18 years or older, or from the parents/guardians of those under the age of 18. Section 11 of POPIA requires that personal information may only be processed with the consent of the individual (or their parent/guardian if they are a child) unless another legal basis applies, such as compliance with a legal obligation, or the protection of legitimate interests—none of which justified the DBE’s actions in this case.
The Information Regulator ruled the DBE’s publication practice unnecessary and non-compliant with POPIA, ordering the DBE to cease newspaper publication and adopt privacy-compliant alternatives like secure SMS platforms.
Key Lessons
- Consent Is Essential: Explicit consent from parents or guardians is required under POPIA, ensuring all parties understand the purpose of data processing.
- Privacy-Respecting Methods: Organizations must avoid public disclosures of personal information and instead use secure, privacy-compliant alternatives.
- Systems for Consent Management: Robust processes are needed to obtain, track, and verify consent, especially for large-scale operations.
The DBE’s failure demonstrates the risks of violating POPIA, including fines, legal penalties, and reputational harm. This case underscores that respecting privacy is critical when handling children’s data, regardless of longstanding traditions.
* * *
If you have questions about handling data privacy compliance matters, please contact Dan Cooper at dcooper@cov.com, Ben Haley at bhaley@cov.com, Deon Govender at dgovender@cov.com, Mosa Mkhize at mmkhize@cov.com, Ahmed Mokdad at amokdad@cov.com. This article is intended to provide general information. It does not constitute legal advice.