Jan Vermeulen reports that under South Africa's POPIA, misdirected internal emails revealing personal information can lead to mandatory data breach reporting, even if the disclosure is accidental. The case of Central Johannesburg TVET College illustrates this: employees' credential verification reports were inadvertently sent to unauthorized staff.
The Information Regulator found several violations: the college failed to register an information officer, did not maintain separate files for verification reports and finance policies, and improperly distributed reports to uninvolved staff. Notably, POPIA has no exceptions for accidental disclosures that are deemed non-material or low risk.