When most organisations think about data breaches, they picture hackers, ransomware, and large-scale database theft. An enforcement notice issued by the Information Regulator against Central Johannesburg TVET College suggests they should also be thinking about something far more ordinary: an internal email sent to the wrong people.
This, according to legal commentators, is what makes the Regulator’s decision significant. It shows that, under the Protection of Personal Information Act, a disclosure can trigger formal breach-notification duties even when it is accidental and entirely internal.
The enforcement notice, dated 22 May 2026, arose from events that took place while the College was under administration. According to the Regulator, the administration process followed governance concerns, including the alleged non-disclosure by some employees of criminal records and possible conflicts of interest, including doing business with the employer. As part of efforts to restore good governance, the College processed employee information to verify academic qualifications and criminal records. A service provider produced personal credential verification reports for that purpose.
The College’s acting chief financial officer mistakenly included the complainants’ verification reports in a folder containing finance policies, and that information was emailed to various employees.
The complainants became aware of the disclosure when the email was circulated to staff on 6 September 2022. The administrator recalled the email on 8 September 2022, explaining that the document had been distributed in error and was not intended for staff use, and corrective action was reportedly taken against employees who forwarded it.
But the Regulator found that the remedial steps did not satisfy POPIA’s requirements.
The Regulator’s findings
The first finding concerned accountability under section 8 of POPIA. The Regulator said the College had failed to register its information officer with the Regulator and had not designated and registered deputy information officers. That failure was treated not as a mere administrative oversight, but as part of the broader inability to demonstrate compliance with POPIA’s lawful-processing conditions.
The second finding concerned further processing limitation under section 15(1). The verification reports had been collected for a defined purpose: verifying qualifications and criminal records in the context of restoring governance within the institution. The Regulator found that sharing those reports with employees who were not involved in that governance-restoration exercise was incompatible with the original purpose of collection and therefore unlawful further processing. The notice also says the complainants had not consented to this further processing and that none of the recognised legal bases in section 15(3) applied.
The notice records that the Regulator expressly disagreed with the view of its own Enforcement Committee, which concluded that the College had not contravened section 15(1) because the processing served a legitimate purpose and was in the public interest.
The Regulator rejected that reasoning, stating that “legitimate purpose” and “public interest” are not among the circumstances listed in section 15(3) that make further processing compatible with the original purpose of collection.
The third finding concerned security safeguards under section 19(1). The Regulator found that the College had failed to implement appropriate organisational measures to prevent unlawful access to or processing of personal information. The notice points specifically to the failure to keep the verification reports separate from finance policy documents, and to the failure to register an information officer, as indicators of inadequate organisational safeguards.
The fourth finding concerned security-compromise notification under section 22(1). The Regulator held that the disclosure of the complainants’ personal information to employees who were not authorised to access it constituted a security compromise, which triggered the statutory duty to notify both the Regulator and the affected data subjects.
According to the notice, neither the Regulator nor the complainants were formally notified of the compromise. The College’s recall of the email, internal investigation, and corrective action did not remove that obligation.
The notice also records an important non-finding. The Regulator concurred that the relevant report did not contain special personal information and therefore found no breach of section 26(b) of POPIA.
What the College was ordered to do
The enforcement notice ordered the College to take specific steps. Within 31 days of receiving the notice, the College had to register its information officer, designate and register deputy information officers, notify the Regulator and the affected data subjects of the security compromise, submit a written apology to the complainants, and provide its POPIA compliance framework to the Regulator.
The apology also had to be emailed to all employees and published through the College’s communication channels, without disclosing further personal information beyond the complainants’ names and surnames.
The College was also ordered to take appropriate action against the employee who had unlawfully processed or shared the complainants’ information within 60 days; to conduct POPIA awareness and training programmes for all employees within 90 days; and, if it had not yet developed a compliance framework, to develop one and submit it within 120 days. The framework had to include at least a Privacy Policy, a Retention Policy and Schedule, an Incident Response Policy, and an Information Privacy and Security Policy.
The notice further states that the College may appeal within 31 days of receiving the enforcement notice. It also warns that failure to comply with the notice is an offence and may result, upon conviction, in a fine, imprisonment for up to 10 years, or both.
Why lawyers say the notice matters
Commentary from Werksmans Attorneys and ENS highlights the significance of the enforcement notice: both accidental breaches and internal disclosures can fall within the meaning of a “security compromise” for POPIA purposes. The message for organisations is that an internal clean-up is not enough if the statutory notification threshold has already been crossed.
Werksmans says section 22(1) requires a responsible party to notify the Regulator and affected data subjects “where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person”.
That provision does not distinguish between external attackers and internal employees, nor between deliberate and inadvertent disclosures. Any access by a person who is not authorised to receive the information is sufficient to trigger the obligation, say director Armand Swart and associate Hlonelwa Lutuli.
The College’s recall of the email, internal investigation, and corrective action may have been sensible remedial steps, but they did not displace the statutory duty to notify the Regulator and the complainants formally.
Swart and Lutuli link the ruling back to POPIA’s broader structure, arguing that sections 19 and 22, read together, require responsible parties to guard against all forms of unauthorised access – whether the risk comes from an outside attacker, an insider, a deliberate misuse or an accidental mistake.
They also note an important difference between POPIA’s approach to reporting and that taken in jurisdictions such as the European Union and the United Kingdom. Although these jurisdictions require the reporting of internal and accidental breaches, they apply a materiality threshold, and only high-risk breaches must be reported.
“POPIA contains no such exception. The practical consequence is that private and public bodies under POPIA must report every security compromise, however minor, even a misdirected internal email. This places a considerable administrative burden on responsible parties, and it stretches the Regulator’s finite resources. In the absence of a materiality threshold, there is a real risk that regulatory attention is diverted from serious incidents to trivial ones.”
Swart and Lutuli say organisations should develop and maintain a comprehensive data breach response plan. “The College’s experience illustrates that good-faith remedial steps – such as recalling an email and investigating internally – do not satisfy statutory breach notification obligations.”
A proper response plan should include clear procedures for identifying and escalating potential security compromises; templates for notification to the Regulator and affected data subjects; designated personnel responsible for managing the response; and defined timelines to ensure notification is made “as soon as reasonably possible” as required by POPIA.
ENS executive Rakhee Dullabh highlights the notice’s rejection of “legitimate purpose” and “public interest” as lawful grounds of justification for further processing under section 15(3).
Measures that demonstrate that a responsible party has taken steps to secure the integrity and confidentiality of personal information include establishing policies, procedures, and frameworks, implementing access controls to personal information records, training employees, and segregating records that contain personal information, says Dullabh.
Furthermore, the accountability condition in section 8 requires information officers and deputy information officers to be registered with the Regulator.
Overall, the decision may be particularly relevant to organisations that process large volumes of personal information, because it illustrates the range of obligations that can be engaged when personal information is disclosed to people who are not authorised to access it.
A practical way to strengthen POPIA compliance
POPIA compliance can be difficult to navigate without practical tools and a clear framework. Moonstone Compliance has developed the POPIA Toolkit to help businesses take a more structured, manageable approach to meeting their obligations under POPIA. The Toolkit brings together guidance, relevant legislation, customisable templates, and checklists to support businesses at different stages of their compliance journey. To find out more, speak to your Moonstone Compliance Officer or visit the POPIA Toolkit webpage.