The Information Regulator (Regulator) of South Africa has given the Department of Basic Education (DBE) until close of business on Tuesday to provide it with the requested information regarding the alleged security breach concerning matric results.

The Regulator wrote to the DBE to request confirmation of the incident after it was made aware of social media posts alleging that matric results were being sold to the public on a private website for R100, ahead of its official release by the Minister of Basic Education Siviwe Gwarube. 

The Regulator expressed concerns that personal information of learners may have been “unlawfully” accessed and compromised.

The Regulator said it cannot yet address the specifics of the security compromise on personal information until the DBE has fulfilled its obligations under Section 22 of the Protection of Personal Information Act, No 4 of 2013 (Popia).

“Section 22 of Popia states that when a responsible party has suffered a security compromise, the public or private body must notify the Regulator within a reasonable time.

“Section 22 also requires that the responsible party, such as the DBE, should notify both the Regulator and data subject(s) of the security compromise that it has suffered. The Regulator has not yet received such a notification from the DBE,” it explained.

The Regulator says it takes seriously any unlawful access to, and usage of, personal information of data subjects.

The security compromise of learners' personal information under the custody of the DBE is no different, it says.