• Central Johannesburg TVET College unlawfully shared employees' personal information with staff who were not authorised to see it.
• The Information Regulator told the college to apologise, inform the affected employees and improve how it follows POPIA rules.
• If the college does not follow the Enforcement Notice, it could face criminal penalties such as a fine or even jail time.

Central Johannesburg TVET College has been ordered to apologise to employees after the Information Regulator found that it unlawfully shared personal information contained in employee verification reports with staff members who were not authorised to access the information.

The Enforcement Notice, issued on 22 May 2026, followed complaints by three employees whose personal information was disclosed during an internal governance process. The Regulator concluded that the college had breached several provisions of the Protection of Personal Information Act (POPIA), including requirements relating to accountability, further processing of information, security safeguards and the reporting of security compromises.

How the information was shared

The matter arose while the college was under administration and attempting to address governance concerns. Employees were required to declare interests and undergo verification of their qualifications and criminal records.

According to the findings, the personal information was collected through verification reports for the purpose of assessing employee qualifications and strengthening governance within the institution. However, the reports were later mistakenly included in a folder containing finance policies and distributed to various employees by email.

The Regulator found that the sharing of the reports amounted to further processing of personal information that was incompatible with the purpose for which the information had originally been collected.

The notice records that the administrator later recalled the email and informed employees that the documents had been distributed in error. Despite those efforts, the Regulator found that the disclosure had already occurred and that unauthorised employees had gained access to the information.

The Regulator found, "The sharing of these reports with other employees who were not involved in the strengthening of governance of the institution, albeit by mistake, was incompatible with the purpose for which the personal information in the Verification Reports was collected."

Accountability failures identified

The Regulator also found that the college had failed to register its Information Officer and deputy information officers as required by POPIA.

According to the notice, this failure demonstrated a lack of accountability and weakened the institution's ability to ensure compliance with data protection obligations.

The Regulator found, "The Responsible Party does not comply with the condition of accountability by failing to register the Information Officer with the Regulator and to designate deputy information officer(s) and register them with the Regulator."

The notice further concluded that the college had failed to implement adequate organisational measures to safeguard personal information. The fact that verification reports were stored together with unrelated policy documents contributed to the unlawful disclosure. The Regulator found, "The Responsible Party violated Section 19(1) of POPIA."

Failure to report the security compromise

A further finding related to the college's failure to notify both the Information Regulator and the affected employees after the security compromise occurred.

The Regulator found that once unauthorised employees gained access to the verification reports, the college became legally obliged to report the compromise. Although the college sent an internal email acknowledging the error and launched an investigation, it did not formally notify either the Regulator or the affected employees in the manner required by POPIA.

The notice records, "Neither the Regulator nor the complainants were informed of the security compromise."

The Regulator added that the internal communication and investigation did not remove the institution's legal obligations under the Act.

Orders issued against the college

The college has been directed to register its Information Officer and deputy information officers and provide proof of registration to the Regulator.

It must also notify the affected employees and the Regulator of the security compromise, submit a written apology to the complainants, circulate the apology to employees and publish it through its communication channels.

The Enforcement Notice further requires the college to take action against the employee responsible for unlawfully sharing the information, develop or submit a POPIA compliance framework and conduct awareness and training programmes for staff.

The Regulator warned that non-compliance with the Enforcement Notice constitutes an offence under POPIA.

The notice states that a responsible party that fails to comply with an Enforcement Notice is liable upon conviction to a fine, imprisonment for a period not exceeding 10 years, or both.

Conviction.co.za


Multiple award-winner with passion for news and training young journalists. Founder and editor of Conviction.co.za
