South Africa’s Protection of Personal Information Act (“POPIA”) imposes strict requirements on processing personal information, especially that of children. Under South African law, a child is a natural person under the age of 18. Recent enforcement action against the Department of Basic Education (“DBE’) highlights the importance of obtaining parental consent and using privacy-respecting methods when handling sensitive data like matriculation results.

In South Africa, matriculation results refer to the outcomes of the National Senior Certificate examinations (akin to the high school diploma examination), which mark the completion of high school education. Traditionally, matric results have been published in newspapers or online platforms, often including personal identifiers such as names and examination numbers. While this practice has been long-standing, it raises significant privacy concerns under POPIA.

What Happened in the DBE Case?

The DBE published the 2023 matric results without securing consent from students 18 years or older, or from the parents/guardians of those under the age of 18. Section 11 of POPIA requires that personal information may only be processed with the consent of the individual (or their parent/guardian if they are a child) unless another legal basis applies, such as compliance with a legal obligation, or the protection of legitimate interests—none of which justified the DBE’s actions in this case.

The Information Regulator ruled the DBE’s publication practice unnecessary and non-compliant with POPIA, ordering the DBE to cease newspaper publication and adopt privacy-compliant alternatives like secure SMS platforms.

Key Lessons

  • Consent Is Essential: Explicit consent from parents or guardians is required under POPIA, ensuring all parties understand the purpose of data processing.
  • Privacy-Respecting Methods: Organizations must avoid public disclosures of personal information and instead use secure, privacy-compliant alternatives.
  • Systems for Consent Management: Robust processes are needed to obtain, track, and verify consent, especially for large-scale operations.

The DBE’s failure demonstrates the risks of violating POPIA, including fines, legal penalties, and reputational harm. This case underscores that respecting privacy is critical when handling children’s data, regardless of longstanding traditions.

*           *           *

If you have questions about handling data privacy compliance matters, please contact Dan Cooper at dcooper@cov.com, Ben Haley at bhaley@cov.com, Deon Govender at dgovender@cov.com, Mosa Mkhize at mmkhize@cov.com, Ahmed Mokdad at amokdad@cov.com. This article is intended to provide general information. It does not constitute legal advice.

Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Photo of Benjamin Haley Benjamin Haley

Ben Haley leads the firm’s White Collar and Anti-Corruption Practice in the Middle East and Africa and is a chair of the firm’s broader Africa Practice. With deep experience representing clients before regulators in high-profile white collar and disputes matters and a history operating on…

Ben Haley leads the firm’s White Collar and Anti-Corruption Practice in the Middle East and Africa and is a chair of the firm’s broader Africa Practice. With deep experience representing clients before regulators in high-profile white collar and disputes matters and a history operating on the ground in emerging markets, he helps clients assess and mitigate a wide range of complex legal and compliance risks.

Complementing his investigations and dispute resolution practice, Ben has a broad-based compliance advisory practice, helping clients proactively manage compliance risk in areas including anti-corruption, trade controls, anti-money laundering, fraud, and data privacy.

Ben represents corporate and individuals clients in a wide range of investigations and disputes, including:

  • Investigations under the U.S. Foreign Corrupt Practices Act (“FCPA”).
  • Investigations into anti-money laundering, financial crimes, anti-terrorism, and sanctions and export control issues.
  • Securities fraud and accounting matters.
  • Board investigations and shareholder litigation.
  • Insurance recovery.

Ben also regularly advises clients on a range of regulatory compliance and corporate governance issues. His compliance advisory practice includes:

  • Performing risk and compliance program assessments.
  • Leading compliance reviews on business partners and assisting companies with third-party risk management processes.
  • Conducting forensic accounting reviews and testing and enhancing financial controls.
  • Advising on market entry, cross-border transactions, and pre-acquisition diligence and post-acquisition integration.
  • Assisting companies in designing, implementing, and maintaining best-in-class compliance programs.

In recent years, Ben has steered a number of clients to successful resolutions and declinations in complex FCPA and corporate fraud matters with the U.S. Department of Justice and Securities Exchange Commission. In his advisory practice, Ben has served as lead compliance counsel on a number of major M&A and investment transactions. He has developed special expertise assisting clients in leveraging technology in their compliance programs, including assisting one of the world’s largest consumer goods companies in the design and implementation of an award-winning compliance data analytics and monitoring system.

Ben has been described by the Chief Compliance Officer of one of his clients as “[a]n outstanding senior lawyer and advisor,” and “a guiding light for all things compliance advisory in Africa,” whose “advice is crystal clear, covers all angles and is business friendly.”

Photo of Deon Govender Deon Govender

Deon Govender is a vice chair of the Africa Practice Group. He focuses his practice on project development and corporate and project finance transactions across Africa, with particular emphasis on southern Africa. His experience ranges from advising on the development and financing of…

Deon Govender is a vice chair of the Africa Practice Group. He focuses his practice on project development and corporate and project finance transactions across Africa, with particular emphasis on southern Africa. His experience ranges from advising on the development and financing of renewable energy and thermal power projects and various other infrastructure assets in the transportation and telecommunications sectors. Deon’s experience additionally includes advising on financing independent power producer projects under the South African government’s Renewable Energy Independent Power Producer Procurement Programme.

Photo of Ahmed Mokdad Ahmed Mokdad

Ahmed Mokdad is an associate based in the Johannesburg office, and a member of the firm’s White Collar Defense and Investigations and Anti-Corruption Practice Groups, as well as the Privacy and Cyber Security Practice Group. With a depth of experience representing clients across…

Ahmed Mokdad is an associate based in the Johannesburg office, and a member of the firm’s White Collar Defense and Investigations and Anti-Corruption Practice Groups, as well as the Privacy and Cyber Security Practice Group. With a depth of experience representing clients across various sectors, Ahmed regularly assists clients navigate and mitigate a broad spectrum of regulatory and compliance risks.

Ahmed’s investigations practice includes internal and government investigations into anti-corruption, anti-money laundering, fraud, and financial crimes matters more generally. Complementing his investigations practice, Ahmed has a broad-based compliance advisory practice in these areas and in data protection and information security matters. This includes assisting clients in numerous sectors with compliance under South Africa’s Protection of Personal Information Act (POPIA).

Adding to his investigative, regulatory and compliance advisory experience, Ahmed has extensive experience advising on numerous M&A and complex financial transactions. He has also been involved in several high profile international arbitrations, and litigious matters before the South African courts relating to, among other things, commercial and tax disputes, exchange control violations, government procurement irregularities, and defending white collar crimes. This experience gives Ahmed valuable perspectives and insights when advising on compliance advisory matters.

For international clients facing compliance issues cutting into Africa, Ahmed regularly advises on a range of issues that can arise in such context, e.g., labor and employment considerations, legal professional privilege, whistleblower protections, corporate governance reporting obligations, and control processes and protocols for engaging with government and law enforcement agencies. Ahmed is recognized by clients for providing practical advice and solutions on complex legal issues in ambiguous statutory regimes.

Photo of Mosa Mkhize Mosa Mkhize

Mosa Mkhize is a policy advisor and leads the firm’s Africa Public Policy Practice. Drawing on her experience both in government and in various roles in the private sector, Mosa provides strategic policy and regulatory advice to clients doing business with and across…

Mosa Mkhize is a policy advisor and leads the firm’s Africa Public Policy Practice. Drawing on her experience both in government and in various roles in the private sector, Mosa provides strategic policy and regulatory advice to clients doing business with and across Africa. Mosa does so by leveraging close to two decades of experience in international trade, public policy and government affairs.

Mosa assists clients on a broad range of issues including advocacy, strategic policy, regulatory, and dispute resolution advice in various sectors, including technology, energy and life sciences. In addition to this, Mosa’s capabilities include building strategic relationships and coalitions in support of smart technologies. Furthermore, she is currently working with government officials, private corporations, academia, and the general public on the development of regulations and policies that will bring about an enabling environment for digital transformation and economic growth in Africa.