Information Governance for South African Municipalities

South African municipalities hold an extraordinary range of personal information: rates and property records, indigent registers, grant recipient data, employee records, contractor information, and community service data. POPIA applies in full to municipalities as responsible parties, and PAIA imposes additional public access obligations. The combination creates a complex information governance environment that most municipalities are under-resourced to manage.

POPIA Obligations for Municipalities

Municipalities are responsible parties under POPIA for all personal information they process. This includes:

• Ratepayer and property owner records (names, ID numbers, addresses, financial information)
• Indigent register data (highly sensitive, including personal financial circumstances)
• Employee and contractor records
• Community service recipients (social housing, grants, utility assistance)
• Persons who submit complaints, applications or requests to the municipality
• Council members and political office bearers

The Information Officer of a municipality is typically the Municipal Manager. However, the Information Officer role under POPIA requires specific activities — including registration with the Information Regulator and active management of information governance — that cannot simply be added to an already stretched executive role without dedicated support.

PAIA and the Public Access Framework

Municipalities are also subject to PAIA, which gives citizens the right to access records held by public bodies. This creates a specific governance requirement: municipalities must be able to locate and retrieve records on request within the statutory timeframes.

A municipality that cannot locate records in response to a PAIA request faces both reputational damage and potential legal challenge. A well-organised document management system is not just good governance — it is a legal obligation under PAIA.

Common Information Governance Failures in Local Government

• Personal information held in unstructured spreadsheets on shared drives without access controls
• Paper-based processes not captured in digital systems, creating gaps in the audit trail
• Former employee access credentials not revoked promptly
• Contractor and service provider agreements without data processing clauses
• No retention schedule for municipal records
• WhatsApp groups used for operational communication including sharing personal information
• No formal data breach response procedure

WhatsApp in Municipal Operations

WhatsApp has become a de facto operational communication tool in many municipalities. Operational use of WhatsApp creates specific governance risks:

• Personal information shared in group chats is stored on personal devices of all group members
• Leaving employees take group chat history with them when they depart
• No audit trail of decisions made or information shared
• Personal information of community members shared without proper authorisation

Municipalities should implement a clear policy on the use of WhatsApp for official communications and should provide approved alternatives for operational communication that maintain an auditable record.

Indigent Register and Social Grant Data

Indigent registers and social assistance data represent some of the most sensitive personal information in local government. They contain information about individual financial circumstances, family composition, and dependency on state assistance. This data requires heightened protection:

• Access limited to staff with a specific need
• Encrypted storage
• No sharing with third parties without written data processing agreements
• Clear retention policy aligned with grant programme duration

Infrastructure for Municipal Information Governance

Building information governance capacity in a municipality requires investment in:

1. A dedicated Information Officer (or Deputy Information Officer with time allocated to IG)
2. A POPIA manual and PAIA manual (both legally required)
3. A data mapping exercise covering all systems and processes that handle personal information
4. Access control reviews for all digital systems
5. Staff training, particularly for frontline staff who interact with community members
6. A document management system or at minimum a structured shared drive with clear naming conventions and access controls
7. A data breach response procedure aligned with POPIA notification requirements

Working With Limited Resources

Many municipalities face severe resource constraints. A phased approach is more sustainable than trying to implement everything at once:

Phase 1 (immediate): Register the Information Officer, develop the POPIA manual, identify the highest-risk data processing activities.

Phase 2 (3-6 months): Implement basic access controls on high-risk systems, conduct a data mapping exercise, introduce a breach notification procedure.

Phase 3 (6-12 months): Staff training rollout, document management improvements, third-party agreement review.

A structured assessment is the most efficient way to understand the current state and prioritise the phases effectively.