On 20 May 2026, South Africa's Information Regulator issued its first enforcement notice of the year, served on the Central Johannesburg TVET College under section 95 of the Protection of Personal Information Act (POPIA) and Regulation 12(2)(c). The trigger was mundane: in September 2022, an acting finance official attached employee credential-verification reports — containing criminal records and qualifications — to a folder of finance policies and emailed it to staff who had no business seeing it. From that single misdirected email the Regulator found a cluster of POPIA failures.
What the Regulator actually found
The notice cites three provisions. Under section 19, the college "failed to implement organisational measures to prevent unlawful access to processing of personal information" — files were not separated and no information officer had been registered. Under section 22(1), it "failed to report a security compromise to the Information Regulator and affected data subjects." And under section 15(1), the onward distribution of the reports was processing incompatible with the purpose for which the data was collected (ITWeb).
The remedies are notable for what they are not: there is no administrative fine. Instead the Regulator ordered the college to register its information officer and notify affected employees within 31 days, issue written apologies, take disciplinary action against the responsible employee within 60 days, and submit a full POPIA compliance framework with incident-response policies and staff training (Information Regulator). Non-compliance — not the breach itself — is what carries the penalty: a fine, up to 10 years' imprisonment, or both (Michalsons).
The case for tougher enforcement is real
It is worth stating the strongest version of the pro-enforcement argument before quarrelling with anything. Breach volumes in South Africa are climbing steeply. Information Regulator chairperson Pansy Tlakula has said the body now receives more than 150 security-compromise notifications a month, up from roughly 56 a month a year earlier (ITWeb). A regulator that issues guidance but never names a violator teaches organisations that compliance is optional. By converting a four-year-old incident into a public, documented order, the Regulator signals that section 22 reporting duties have teeth and that "we didn't realise we needed an information officer" is no defence. That deterrent value is genuine.
We think the shape of this enforcement action is right. The orders are diagnostic and capacity-building — register an officer, write the policies, train the staff — rather than punitive for its own sake. For a state-administered college already under intervention for governance failures, a remediation-first notice is proportionate. It fixes the underlying control gap instead of extracting a headline penalty that the fiscus would ultimately fund anyway.
The other enforcement engine is barely running
The harder problem sits one track over. South Africa polices online harm through two parallel systems: POPIA's civil data-protection regime under the Information Regulator, and the criminal regime under the Cybercrimes Act 19 of 2020, which puts the South African Police Service "firmly in the driving seat" and required SAPS to stand up a 24/7 cybercrime point of contact within a year of commencement (ISS Africa). On paper, that is a coherent division of labour. In practice, the criminal side is the weak link. The same analysis warned that SAPS's "knowledge, experience and staffing are in short supply."
The numbers bear that out. The Democratic Alliance, citing official figures in September 2025, noted that over 100,000 cyber-attacks on banking accounts occurred in 2024 — an 86% jump and roughly R1.8 billion in losses — while SAPS carried just 544 cyber-related fraud cases on its register (Democratic Alliance). That gap is not a rounding error; it is the difference between a law on the books and a law that functions.
More institutions, or more capacity?
The DA's response is to table a Private Member's Bill creating a new Chapter 9 institution — an Office of the Cyber Commissioner. The instinct is understandable, but we are sceptical that South Africa's problem is a shortage of mandates. It already has an Information Regulator, a SAPS cybercrime unit, sector regulators, and a national cybersecurity hub. A breached organisation must today juggle a section 22 notification to the Regulator and a criminal complaint into a SAPS pipeline that closes barely 500 cases a year. Adding a Chapter 9 body risks layering a fourth reporting line onto a system whose binding constraint is investigative capacity, not institutional architecture.
The more proportionate fix is unglamorous: properly resource and staff the SAPS 24/7 contact point the Cybercrimes Act already requires, and harmonise incident reporting so that one disclosure satisfies both the civil and criminal duties. The TVET notice shows the Information Regulator can do precise, remediation-focused enforcement with the tools it has. South Africa's cyber-policy energy in 2026 should go toward making the criminal track work that well — not toward inventing another regulator for organisations to report to and another budget line that delivers oversight without arrests.