South Africans rightly care deeply about the privacy of children. That concern sits at the heart of the Protection of Personal Information Act (Popia) and must be taken seriously by government, regulators and courts alike. However, privacy protection is weakened — not strengthened — when the concept of personal information is unduly restricted.
Recent litigation involving the minister of basic education and the information regulator has brought this issue into sharp focus. As ICT and data-governance lawyers practising in South Africa, we are concerned that the court’s reasoning on pseudonymised information [personal information that can no longer be attributed to a specific data subject without the use of additional information] did not sufficiently engage with the real-world context in which matric results are written, known, shared and re-identified.
This matters because Popia does not protect information in the abstract. It protects information where a person is identifiable by reasonably foreseeable means. Context is therefore not optional, it is the test.
International courts have recognised this clearly. In the 2025 European Single Resolution Board (SRB) litigation, pseudonymised data was shared with Deloitte for a limited auditing purpose. In determining whether the data was “personal data” in Deloitte’s hands, the court emphasised several decisive contextual factors: the data was disclosed to a single professional recipient; Deloitte had no legal or practical access to the re-identification key; Deloitte was contractually bound not to attempt re-identification; and there was no reasonably foreseeable lawful way for Deloitte to identify the data subjects. In that setting, the court accepted that pseudonymised data could fall outside the scope of “personal data” in the hands of the recipient, Deloitte.
The matric-results context is fundamentally different.
First, consider access. Matric results published using examination numbers are not disclosed to a confined, professional audience. They are released to the general public at large — including learners, parents, peers, neighbours, journalists and social media users.
Second, contractual and legal constraints. Unlike Deloitte, the general public has no contractual obligation not to re-identify learners. There is no enforceable legal duty on a learner, parent or friend to “forget” an examination number or to refrain from connecting it to a name.
Third, foreseeability of re-identification. Re-identification of matric numbers is not hypothetical or technologically sophisticated; it is designed into the examination process itself. Learners see their own numbers on scripts. They sit next to classmates. They observe seating arrangements. They glance at papers while entering or leaving exam halls. Parents are given the numbers. Schools distribute them. The system assumes — and requires — that the learner and family know the number. To suggest that public re-identification is not reasonably foreseeable in this context is to ignore how matric exams actually work.
This is the critical distinction. In the SRB case, re-identification was legally and practically remote. In the matric context, re-identification is ordinary, expected and inevitable. The same legal label — “pseudonymised” — cannot produce the same outcome in two radically different factual environments.
Popia itself points us in this direction. It asks whether information can be used, manipulated or linked by a reasonably foreseeable method to identify a person. That inquiry is contextual, not theoretical. It must consider who receives the information, under what conditions, and with what realistic capabilities. Popia also requires [section 2(b)] that the Information Regulator and courts consider international precedent such as the SRB case above.
Our focus is on ensuring that courts and regulators apply Popia coherently and credibly. If pseudonymised data is treated as non-personal in tightly controlled professional settings, but also treated as non-personal when released to the entire public without adequate safeguards, the law loses internal consistency.
Privacy law must be principled to be effective. Context is not a loophole; it is the mechanism by which the law distinguishes safe data use from harmful exposure. In the case of matric results, that contextual analysis deserved closer attention and it was certainly not “fanciful” to argue, as the Information Regulator did, that personal information would be available to someone other than the data subject.
So why does all this matter? As soon as the court holds that the information is not “personal information”, then everything — the entire 148 pages of Popia — no longer applies. This means that every single safeguard built into Popia to protect privacy falls away. This even includes situations of data sharing and cross-border data transfer [where personal information is sent overseas to other countries who may have poor privacy protections].
In this context we call upon the Information Regulator to appeal the judgment by January 8 2026 as failure to do so will mean South Africa will be fundamentally out of step with international data protection practice and will be a significant blow to South African’s data privacy.
Signed,
- Paul Esselaar, Esselaar Attorneys, co-author of Overthinking the Protection of Personal Information Act.
- Professor Sizwe Lindelo Snail ka Mtuze — adjunct professor, Nelson Mandela University and former member Information Regulator.
- Lucien Pierce, telecoms and technology lawyer, co-author of Cyberlaw IV: The Law of the Internet in South Africa.
The counter argument:
The full court’s judgment on the publication of matric results should be welcomed without hesitation. For those working in data governance in South Africa, it delivers something of exceptional value: clarity. It affirms a realistic and workable understanding of identifiability under the Protection of Personal Information Act (Popia), decisively rejects speculative routes to re-identification, and restores a sense of proportionality to privacy law.
What the judgment does move away from — rightly — is a set of hyper-protective assumptions that have become common in academic and regulatory discourse. These assumptions treat privacy as if it were always endangered by data sharing, and identifiability as if it were triggered by mere imagination. That approach leads to overreach, legal uncertainty and an ever-expanding regulatory perimeter. The court was correct to reject arguments premised on conjecture, such as imagined scenarios of unusual diligence or contrived reconstruction, and to characterise them as fanciful.
Crucially, the judgment makes clear that pseudonymised data placed in the public domain is, in general, non-personal in nature. Where direct identifiers have been removed and no unusual or highly distinctive features render identification realistically possible, the data falls outside Popia’s scope. This is not a weakening of privacy protection; it is a principled articulation of its limits.
The broader implications of this approach are both healthy and far-reaching, particularly for health research. Researchers who share data responsibly should welcome this judgment. It confirms that, once names and other identifiers are removed, data can be shared far more freely without triggering the full regulatory apparatus of Popia. This reduces unnecessary friction, lowers compliance costs, and enables socially valuable research to proceed with greater confidence. Importantly, it avoids the need for repeated, hyper-granular, analyses every time data is shared.
In this respect, the judgment marks a deliberate and welcome departure from developments elsewhere. As highlighted by my esteemed colleagues Esselaar et al, European courts have required detailed, fact-intensive scrutiny of the specific recipient, contractual arrangements, and technical safeguards in each individual case before determining whether pseudonymised data remains regulated. While such an approach may be defensible within those legal systems, it comes at a high cost. It entrenches legal uncertainty and risks turning routine data sharing into a litigation-prone exercise. There is no principled reason for South Africa to imitate this hyper-regulatory model.
South Africa’s privacy framework need not mirror Europe’s to be credible or robust. Popia is a constitutional statute, rooted in proportionality and practical reasonableness. The full court’s judgment reflects those values. It protects privacy where identification is genuinely foreseeable, while permitting data use where it is not. That balance is not a flaw; it is the statute working as intended.
For these reasons, the judgment should be supported rather than resisted. It offers a pragmatic, principled foundation for data governance in South Africa — one that safeguards privacy without paralysing socially valuable data use, and one that gives researchers, institutions, and regulators something they all need: legal certainty.
- Donrich Thaldar, Professor of Law, University of KwaZulu-Natal
Friendship vs national interest for Hill-Lewis
The moment has arrived for the executive mayor of Cape Town, Geordin Hill-Lewis, to make an unequivocal choice. He must decide whether to protect a personal friendship or to safeguard his party and, by extension, the national interest. The upcoming DA leadership contest shouldn’t be a difficult choice to make for party members, it’s between what is right and what is wrong.
Since assuming office, Hill-Lewis has consistently presented himself as a disciplined party loyalist, frequently extolling what South Africa could become if governed “the DA way”. That refrain now demands substance. It requires a candid, mature conversation with his long-time associate, John Steenhuisen, and a clear acknowledgement that leadership is inseparable from personal probity.
The controversy surrounding the misuse of party credit facilities for private fast-food purchases is not trivial. It goes to the heart of judgment, restraint and ethical fitness. Resources entrusted for official duties were instead treated as personal entitlement, an error akin to leaving a child unsupervised in a confectionery store, save that the consequences here are political and profoundly public.
Leadership, like judicial office, demands the capacity to act without fear or favour, even when the subject is a close ally. One cannot credibly lead a political party if one is unwilling or unable to hold friends accountable.
This question carries particular weight given the DA’s position as the second-largest party in parliament and a key partner in the government of national unity, with real influence over national budgeting and policy direction. The quality of its leadership therefore matters deeply to the country.
Mayor Hill-Lewis has previously indicated that he would not contest the DA’s leadership while Mr Steenhuisen remained a candidate. Circumstances have now changed. His colleague has, by his own conduct, called his suitability into question. The mayor must therefore reconsider his stance. I have no doubt in my mind that John Steenhuisen is a wonderful man, but not when it comes to managing the country’s finances.
The choice before Geordin Hill-Lewis is stark: to preserve the integrity and future of the DA, or to shield a friend from the consequences of his actions. It is a decision that will define his political legacy, and one for which he will inevitably be judged.
— Rozario Brown, Cape Town
Would you like to comment on this article?
Sign up (it's quick and free) or sign in now.
Please read our Comment Policy before commenting.