As South Africa’s public services go digital, municipalities have become custodians of large amounts of highly sensitive information. Beyond essential services such as water, electricity, and waste management, local governments now bear an even greater responsibility; protecting personal data. Despite this, only 51 out of 257 municipalities submitted their mandatory data protection and access to information reports in 2024.
The Protection of Personal Information Act (POPIA) sets strict, non-negotiable rules for how personal data must be collected, stored, used and secured. Non-compliance not only breaches legal obligations, but it also undermines public trust. “Having the right laws in place is important, but that is just the starting point. Real protection occurs when POPIA and cybersecurity work in tandem – you cannot separate the two. POPIA tells you what needs to be protected, but it is solid cybersecurity that actually does the protecting,” says Calin Cloete, enterprise security solutions lead at ESET Southern Africa.
POPIA casts a wide net, applying to all public and private bodies, including municipalities. The act mandates the prompt reporting of data breaches to the Information Regulator and immediate notification of affected individuals. To comply, municipalities must appoint Information Officers, develop Promotion of Access to Information Act (PAIA) manuals, register their data processing activities and maintain secure systems. Despite these clear obligations, compliance remains worryingly low, underscoring the ongoing gap between policy and practice.
“This alarming lack of compliance paints a troubling picture. When municipalities do not have basic IT governance or strong internal controls, they are not just failing audits; they are leaving systems like billing platforms and service portals wide open to attack. It is not enough to have policies on paper. Municipalities require genuine, verifiable security measures to safeguard personal data. Without them, residents’ privacy and security are at risk,” says Cloete.
The consequences are far from abstract. In just the past three years, an alarming number of public institutions, including municipalities, have fallen victim to cyberattacks. Incidents have stretched across the country, bringing key services to a standstill from the KwaDukuza Local Municipality in KwaZulu-Natal to the City of Cape Town in the Western Cape.
“This year’s municipal by-elections across South Africa add another layer of complexity. Securing the digital systems that support these elections is essential. A cyberattack could compromise voter data or manipulate election information. With public confidence in institutions already fragile, even a minor security breach could have serious consequences for voter turnout and the perceived legitimacy of the results,” says Cloete.
Moving forward, digital responsibility must go beyond POPIA compliance to recognising that privacy and service delivery are fundamentally linked. By securing their digital infrastructure, municipalities can reinforce public confidence, whether people are accessing everyday services or participating in important events like elections. Cybersecurity is no longer just a background task, but a pillar of ethical, local leadership.
For more information contact ESET-SA,
© Technews Publishing (Pty) Ltd. | All Rights Reserved.
printer friendly version