Eswatini Daily News

SMVAF fined E150 000 for breaching Data Protection Act

ESCCOM Chief Executive Officer Mvilawemphi Dlamini

By Bahle Gama

THE Sincephetelo Motor Vehicle Accident Fund (SMVAF) has been fined E150 000 by the Eswatini Communications Commission (ESCCOM) for contravening the Data Protection Act.

This fine came as a result of the publication in one of the local newspapers on August 1 whereby SMVA published a five-page spread of personal information of about 1 700 road traffic accident survivors, titled “Notice: Medical Undertaking”. The ESCCOM is a regulatory authority established by the Eswatini Communications Commission Act, 2013 to regulate the electronic communications sector.

In March 2022, the Data Protection Act was passed to provide for the collection, processing, disclosure, and protection of personal information. Section 5 of the Act designates the Commission as the Eswatini Data Protection Authority (EDPA) charged with the responsibility to administer the Act and enforce compliance thereto.

ALSO READ: ESCCOM announced as Eswatini’s Data Protection Authority

Acting on the strength of Section 35 (2) ESCCOM as EDPA initiated an investigation into the publication of the notice which contained the claim number, full names of claimants, and the national identity number or Graded Tax Number. An analysis of the Notice led the EDPA to hold the prima facie view that the publication of the National Identity Numbers of the claimants was unlawful.

The disclosure of such information breached the data minimization principle enshrined in the Data Protection Act and served no purpose as the claimants were also advised in the same Notice to bring their National IDs for ease of verification.

Processing of personal data is regulated by section 9 of the Act which defines personal information as “information about an identifiable individual that is recorded in any form, including any unique identifying number, symbol or other particular assigned to the individual”.

The EDPA considered the matter in its totality and determined that SMVA breached the Data Protection Act by disclosing, without any lawful reason, 1 600 National Identity numbers and about 63 Graded Tax numbers of claimants in a newspaper circulating widely around the country and available also on on-line platforms.

The Act prescribes that age is personal information that is also protected against unlawful disclosure. In this instance, it is common cause that the National Identity Number of an individual is not just a number assigned to that individual but also reveals other protected aspects of personal information such as year, month and date of birth.

Sincephetelo Motor Vehicle Accident Fund (SMVAF) Building.


The disclosure of National Identity numbers exposed the claimants to identity theft and other potentially fraudulent activities carried out on their personal information because the Notice also contains the names of the claimants against the respective IDs.

The copies of the newspaper had already been widely distributed and in possession of members of the public locally and internationally through online platforms. The unlawful disclosure affected a large number of data subjects and thus the likelihood of harm to the claimants occasioned by the breach was considered significant by the EDPA.

SMVA was expected to notify the EDPA of a data breach in terms of Section 17 of the Act within 48 hours of receipt of the Enforcement Notice II, to notify the affected data subjects (claimants) of the data breach within 48 hours, and to forthwith cease publication or disclosure of the specified aspects of personal information, specifically the National Identity Numbers and/or Graded tax Numbers of the claimants.

The entity was also to direct the newspaper to destroy and de-identify the publicized identity and graded tax numbers of the claimants within 24 hours and further publish in the media an apology to the claimants whose ID and graded tax numbers had been disclosed to the public.

ALSO READ: World needs $2.7 trillion annually for net zero emissions by 2050-Wood Mackenzie

Further, to show cause within 48 hours why the EDPA should not impose an administrative fine as a sanction for the above-mentioned breach of the Act. Taking action in accordance with Section 35 (a) and (b) as read with Section 37 (b), the EDPA met with SMVA to receive representation on the matter and be guided on how to implement the EDPA’s directive enunciated in the Enforcement Notice.

Consequently, SMVA complied with the directives, and the Notice was re-issued in one of the local newspapers, this time without the disclosure of the National Identity numbers or Graded Tax Numbers of the claimants.

Pursuant to the directive to show cause why the EDPA should not impose an administrative fine as a sanction, SMVA submitted that the Notice was published with the sole intention of updating the records of the claimants for purposes of performing contractual obligations owed to them in respect of providing medical care as recommended by doctors. SMVA stated that the claimants had no reliable contact numbers and postal addresses, adding that the entity had inadvertently flouted the Act for the first time and was caused by a misapprehension of the Act rather than ignorance thereof.

In taking its decision, the EDPA said SMVA showed remorse by promptly taking action to engage with the EDPA for guidance on the Enforcement Notice issued. SMVA also acted on the Enforcement Notice within 24 hours of the issue thereof and has committed to training its staff on the pertinent provisions of the Act.

“In light of the foregoing, the EDPA in the exercise of its enforcement powers under Section 6(4)(b) of the Act, hereby imposes a fine of E150 000,” reads the E100 000 was suspended for a period of two years on condition that SMVA is not found to have breached the Act within the suspended period. E50 000 is expected to be paid within a period of 30 days from the date of the decision.

Exit mobile version