Africa-Press – Eswatini. The Eswatini Communications Commission, through its Data Protection Authority (EDPA), has issued a formal warning to the Royal Science Technology Park (RSTP) for breaching the Data Protection Act, 2022, after the organisation unlawfully shared confidential personal information with multiple recipients.
According to the EDPA’s enforcement notice, the case began when a complainant requested personal information from RSTP in 2024. After the request went unanswered for two months, the complainant escalated the matter, copying the board chairperson. In October 2024, RSTP responded by emailing the documents — but also sent a separate email copying seven people, including RSTP staff and external recipients, without the complainant’s consent.
The information disclosed reportedly contained sensitive personal data relating to three individuals. The EDPA found that RSTP’s explanation that it assumed the copied individuals were family members was “irrational and untenable,” as the recipients’ email addresses clearly identified them as staff members and others outside the complainant’s request. The regulator concluded that RSTP’s actions amounted to a significant violation of the Act.
It cited failures to take reasonable measures to protect data, notify the complainant and the EDPA of the breach, and limit access to authorised personnel only. The HR staff member responsible was found negligent in handling the information.
As part of the enforcement action, RSTP has been ordered to:
● Issue a written apology to the complainant within 48 hours;
● Ensure all unauthorised recipients delete the email;
● Conduct a Data Protection Impact Assessment for its HR department;
● Develop and implement robust data protection policies, including incident management protocols;
● Train employees regularly on data protection compliance. The enforcement notice will remain in effect for one year. If RSTP commits a similar breach during this period, further action could follow. The organisation has three months to submit a progress report to the EDPA and retains the right to appeal the decision.
ESwatini Communications Commission’s Chief Executive Mvilawemphi Dlamini signed the notice, emphasising that organisations processing personal and sensitive data at scale have a “greater obligation” to ensure adequate safeguards are in place to prevent unlawful access or disclosure.
Eswatini Communications Commission’s Menzi Dlamini said taking action against RSTP that is owned by the very Ministry responsible for overseeing it, demonstrates a notable commitment to impartiality and the rule of law.
“This decision highlights the regulator’s independence and willingness to uphold compliance standards regardless of institutional affiliations, thereby reinforcing public trust in the enforcement process. By acting against a state-linked entity, the regulator sent a strong message that accountability applies equally to public and private actors, strengthening governance, transparency, and confidence in the regulatory authority,” Dlamini said.
swazibridge
For More News And Analysis About Eswatini Follow Africa-Press
