Two Enforcement Notices, One Message: POPIA and PAIA Are Real.
This article will count 0.25 units (15 minutes) of unverifiable CPD. Remember to log these units under your membership profile.
A college leaked criminal records. A mining giant refused to hand over public documents. The Information Regulator responded with enforcement notices, and the message to every business in South Africa is clear: POPIA and PAIA are not suggestions.
On 2 June 2026, the Information Regulator issued enforcement notices against two organisations: Central Johannesburg TVET College (CJC) and Sibanye Stillwater Limited. One broke POPIA. The other broke PAIA. Both are now facing formal regulatory consequences.
What CJC did wrong
Three individuals lodged complaints after discovering that their personal information, including their qualifications and criminal charges and convictions, had been shared internally without their consent and without legal justification. The disclosure was made to the employer for governance and employee vetting purposes. The Regulator found that CJC failed on multiple fronts:
No adequate accountability measures were in place
Personal information was further processed and shared unlawfully
Security safeguards were inadequate
CJC failed to notify the Regulator or the affected individuals of the security compromise, as required under section 22 of POPIA.
This last point is worth noting. POPIA does not only require you to protect data. It requires you to report a breach when one happens. Silence is not a legal option.
What Sibanye Stillwater did wrong
A representative of a public interest organisation requested access to Sibanye Stillwater's annual compliance reports for the Eastern and Western platinum mines, covering the years 2019 to 2023. Sibanye refused, relying on section 68 of PAIA, which allows exemption for commercial information.
The Regulator rejected that justification. Sibanye could not provide sufficient evidence that disclosing the records would cause the alleged harm. The company also failed to identify any portions of the records that could have been partially redacted or severed.
There was a deeper problem too. Sibanye Stillwater's Social and Labour Plan (SLP) is a public document required under mining law. It must be submitted with the application for a mining right and updated annually. It is not a commercial secret. It should have been made available without a PAIA request ever being necessary.
What happens next
CJC has been directed to take corrective actions within specified timeframes. Sibanye Stillwater must set aside its refusal and provide access to the requested records within 31 days of receiving the enforcement notice, issued on 22 May 2026.
The Regulator made clear that failing to comply with an enforcement notice is a criminal offence. Consequences include a fine, imprisonment, or both.
What this means for your practice
Your clients are not immune. Every business, every nonprofit, every employer who holds personal information about staff, clients, or third parties has POPIA obligations. And every company that holds records a person might need to protect or exercise a right has PAIA obligations.
The Regulator is no longer a theoretical threat. Enforcement notices have been issued. Deadlines are being set. Criminal consequences are being stated plainly.
As explored in "Cybersecurity for the Small Practice", fines of up to R10 million are possible for serious POPIA breaches, and small practices are not exempt. Every client file you hold is regulated personal information.
If your clients have not yet registered their Information Officer, drafted a PAIA manual, or put a data breach notification process in place, now is the time to fix that. As covered in "PAIA Reports Are Due. Charge For Them.", these are billable services you can offer right now.
What You Can Do Today
The PAIA Annual Report deadline is 30 June 2026. That means you have days, not months, to get your clients sorted. Every Information Officer, Head of a Private Body, and Deputy Information Officer must file before that date. Even clients who received no access requests during the year must still submit a nil report. Check your client list. Identify any business that holds employee records, processes personal data, or operates in a sector where public interest organisations might request information. For those clients:
Confirm an Information Officer has been registered on BizPortal
Submit the PAIA Annual Report before 30 June 2026. Nil reports count too
Check whether a PAIA manual exists and is up to date
Ask whether a data breach notification procedure is documented
Review whether any special personal information (criminal records, health data, race, union membership) is being processed, and whether there is a lawful basis to do so
This is not administrative overhead. It is risk management your clients are paying you to provide, and right now there is a hard deadline attached to it.