MBABANE – The Eswatini Communications Commission (ESCCOM), acting in its capacity as the Eswatini Data Protection Authority (EDPA), has launched an investigation into the Ministry of Home Affairs after photographs showing citizens’ national identity documents with personal details clearly visible were published online.
The development raised questions about compliance with the Data Protection Act No. 5 of 2022, legislation enacted to safeguard personal information and regulate how it is collected, processed, disclosed and protected in Eswatini.
The controversy emerged after images containing unblurred national identity documents were published on social media by the Ministry. The photographs exposed sensitive personal information, prompting concerns about whether the publication constituted a personal data breach and whether the ministry complied with its obligations under the law.
The Ministry of Home Affairs Communications Officer Mlandvo Dlamini when contacted about the data breach stated that he was not aware. This was despite that the post which is in possession of this publication had been posted about two weeks ago. He then stated that he was searching for the post in question. When called a few minutes later after he stated that he was still searching for the post and was going to call the reporter once he was done. However that call never materialized, what transpired thereafter was that the post was later deleted on X.
Responding to concerns Eswatini, ESCCOM Acting Chief Executive Officer Fikile Gama confirmed that the authority had not been aware of the incident before it was brought to its attention.
“The Data Protection Act primarily establishes a framework for the lawful collection, processing, disclosure, and protection of personal data. Within that Act, ESCCOM is designated as Eswatini’s Data Protection Authority (EDPA).
“As the EDPA, we are mandated to oversee and enforce compliance with the Act, to regulate the processing of personal data, and to protect the rights of data subjects. Regarding the referenced case, the EDPA was not aware of the incident and is of the considered view that the publication of these documents may amount to a personal data breach in circumstances where no lawful basis exists for the publication of the photographs,” said Gama.
The Data Protection Act, passed in 2022, designates ESCCOM as the national authority responsible for regulating the processing of personal information, investigating data breaches and enforcing compliance with data protection laws. The legislate on applies to both public and private entities that process personal information.
According to information published by the EDPA, all organisations that collect or process personal data, including government ministries, are required to comply with the Act and implement measures that ensure the confidentiality and security of personal information.
One of the key requirements under the Data Protection Act is the mandatory reporting of personal data breaches to the EDPA.
Gama confirmed that, as of the time of responding to questions, the Ministry of Home Affairs had not notified the authority about the incident.
“EDPA has not received any notification from the Ministry of Home Affairs regarding this incident. In terms of the Data Protection Act, all organisations (including the Ministry of Home Affairs) are required to notify the EDPA of any personal data breach within 72 hours. Failure to do so may constitute non-compliance with the Act.
“The Ministry is therefore obliged to assess the incident, determine whether a personal data breach has occurred, and, where applicable, ensure that the requisite notification is made to the EDPA in accordance with the law,” she said.
The 72-hour breach notification requirement is one of the central obligations imposed on data controllers under the Act and is intended to ensure that regulators can act swiftly to minimise harm arising from the exposure of personal information.
Gama stressed that government ministries are not exempt from the requirements of the Data Protection Act.
“The Ministry of Home Affairs, as a data controller, is governed by the Data Protection Act, including provisions relating to the lawfulness and duty to ensure confidentiality and security of personal data. The publication of citizens’ identity documents on public platforms without consent or another lawful basis may contravene these provisions and constitute unlawful processing, as well as a potential personal data breach under the Act.”
Data protection experts generally regard national identity documents as highly sensitive personal information because they contain details that can be used to identify individuals and may expose them to risks such as identity theft, fraud and unauthorised profiling if disclosed improperly.
The Data Protection Act requires organisations to process personal information lawfully and fairly, while ensuring that adequate safeguards are in place to prevent unauthorised access, disclosure or misuse of data. It also grants individuals various rights over their personal information.
Gama further confirmed that the EDPA has already begun a formal inquiry into the matter.
“EDPA has initiated an investigation into the incident and has formally written to the Ministry of Home Affairs in this regard. Should it be established that the Ministry has breached its obligations under the Data Protection Act, the Authority may take appropriate enforcement measures, including issuing directives and compliance or enforcement notices in accordance with the Act.”
Under the Act, ESCCOM has powers to investigate breaches, resolve complaints and impose sanctions or administrative measures where organisations fail to comply with data protection obligations.
While ESCCOM did not specify what penalties could ultimately apply in this case, the legislation provides for enforcement mechanisms aimed at ensuring compliance by data controllers and processors.
Gama also outlined the rights available to citizens whose personal information may have been exposed through the publication.
“Individuals, as data subjects, are guaranteed specific rights under the Data Protection Act. These rights include the right to request the deletion or erasure of their personal data, the right to have inaccurate or incomplete information corrected, and the right to be informed of the reasons for the publication or processing of their personal data.”
She added that affected individuals have the right to approach the regulator directly.
“Individuals may lodge complaints with the Eswatini Data Protection Authority (EDPA) through the prescribed channels, including via the official website at www.edpa.org.sz. Complaints may also be directed to the authority at data protection@esccom.org.sz or by contacting +268 2406 7000.”
The Act guarantees several rights to data subjects, including the right to be informed about how their information is being used and the right to seek remedies where personal information is processed unlawfully.
The incident comes at a time when Eswatini is increasingly embracing digital transformation across government and private sectors, resulting in larger volumes of personal information being collected, stored and processed electronically.
The Data Protection Act was introduced to align the country with international standards on privacy and data governance while balancing the need for information sharing and service delivery. The law applies to government departments, businesses, institutions and other entities that handle personal information.
ESCCOM has repeatedly urged organisations to ensure that personal information is processed lawfully and securely and that adequate safeguards are implemented to prevent unauthorised disclosures. The authority also operates a formal breach-reporting mechanism and complaint system for individuals who believe their privacy rights have been violated.
The outcome of the investigation into the Ministry of Home Affairs is likely to be closely watched, as it may become one of the most significant tests yet of Eswatini’s relatively new data protection regime and the extent to which public institutions can be held accountable for the handling of citizens’ personal information.
Discussion about this post