Information Regulator Issues Enforcement Notices Under POPIA and PAIA
Brought to you by SA Accounting Academy: The Information Regulator has issued Enforcement Notices against Central Johannesburg TVET College (CJC) and Sibanye Stillwater Limited for critical contraventions of the Protection of Personal Information Act, No. 4 of 2013 (POPIA) and the Promotion of Access to Information Act, No. 2 of 2000 (PAIA).
In terms of the Protection of Personal Information Act, No. 4 of 2013 (POPIA), the Information Regulator issued an Enforcement Notice to CJC. This regulatory action followed an investigation into complaints lodged by three affected individuals whose special personal information—specifically academic qualifications, criminal charges, and convictions—was unlawfully shared with third parties within the institution for governance and employee vetting purposes without legal justification.
Under the Promotion of Access to Information Act, No. 2 of 2000 (PAIA), the Information Regulator issued an Enforcement Notice to Sibanye Stillwater Limited. The JSE-listed mining company has been ordered to set aside its decision to refuse access to records requested by a representative of a public interest organisation. The requested records included annual compliance reports for the years 2019 to 2023 for the Eastern and Western platinum mines.
The Regulator determined that Sibanye Stillwater Limited’s reliance on section 68 of PAIA, which covers commercial information exemptions, was not supported by sufficient evidence to establish that disclosure would cause the alleged harm. Furthermore, the private body failed to identify portions of the records that could be severed or redacted. The Regulator emphasized that Social and Labour Plans (SLPs), as contemplated in Regulation 46 of the Mineral and Petroleum Resources Development Regulations, are public documents and must be made automatically available without requiring a formal PAIA request.
Click here to download the Information Regulator Media Statement.
What this means for you, your business, or your clients
- For yourself: No direct individual obligations; professional impact is channelled through advising employers and clients on statutory disclosure and data privacy compliance.
- For your business: Review internal PAIA manuals and automatic disclosure lists to ensure statutory public documents, such as Social and Labour Plans, are accessible without requiring formal request processes.
- For your clients: Advise clients processing employee data to implement strict access controls and verification protocols to prevent the unauthorized internal or external sharing of special personal information, such as criminal records and qualifications, under POPIA.
Originally published at https://accountingacademy.co.za/news/read/information-regulator-enforcement-notices-for-contraventions-of-popia-and-paia-by-public-and-private-bodies






