/ MEDIA STATEMENT / The content on this page is not written by Polity.org.za, but is supplied by third parties. This content does not constitute news reporting by Polity.org.za.

On Sunday, 12 January 2025, the Information Regulator (Regulator) became aware of social media posts alleging that matric results were being made available to the public, ahead of the official release of the results by the Minister of Basic Education, upon payment of a fee of R100 to a private website (name withheld). The Regulator is concerned that the personal information of data subjects may have been unlawfully accessed and compromised. Therefore, the Regulator wrote to the Department of Basic Education (DBE) to request confirmation of the incident as reported in social media posts and provide it with more information regarding the alleged security compromise incident (see Annexure 1). In light of the urgency of this matter, the Regulator required the DBE to provide it with the requested information by the end of business on Tuesday 14 January 2025.

On Monday, 13 January 2025, the Regulator became aware of a public announcement by the Minister of Basic Education that there was a “breach of the (DBE’s) information” through the leaking of the matric results on a private website.

The Regulator cannot yet address the specifics of the recent allegations of a security compromise on personal information of learners held by the DBE until the DBE has fulfilled its obligations under Section 22 of the Protection of Personal Information Act 4 of 2013 (POPIA). Section 22 of POPIA states that when a responsible party has suffered a security compromise, the public or private body must notify the Regulator within a reasonable time. Section 22 also requires that the responsible party, such as the DBE, should notify both the Regulator and data subject(s) of the security compromise that it has suffered. The Regulator has not yet received such a notification from the DBE.

Any unlawful access to, and usage of, personal information of data subjects is treated with extreme seriousness and concern by the Regulator. The security compromise of learners' personal information under the custody of the DBE is no different.

Issued by the Information Regulator of South Africa