As South Africa’s public services go digital, municipalities have become custodians of large amounts of highly sensitive information. Beyond essential services like water, electricity and waste management, local governments now carry an even greater responsibility — protecting personal data. Despite this, only 51 out of 257 municipalities submitted their mandatory data protection and access to information reports in 2024.

The Protection of Personal Information Act (POPIA) sets strict, non-negotiable rules for how personal data must be collected, stored, used and secured. Non-compliance not only breaches legal obligations — it undermines public trust. “Having the right laws in place is important, but that’s just the starting point. Real protection happens when POPIA and cybersecurity work hand-in-hand — you can’t separate the two. POPIA tells you what needs to be protected, but it’s solid cybersecurity that actually does the protecting,” says Calin Cloete, Enterprise Security Solutions Lead at ESET Southern Africa.

POPIA casts a wide net, applying to all public and private bodies — municipalities included. The act mandates the prompt reporting of data breaches to the Information Regulator and immediate notification of affected individuals. To comply, municipalities must appoint Information Officers, develop Promotion of Access to Information Act (PAIA) manuals, register their data processing activities and maintain secure systems. Despite these clear obligations, compliance remains worryingly low — underscoring the ongoing gap between policy and practice.

“This alarming lack of compliance paints a troubling picture. When municipalities don’t have basic IT governance or strong internal controls, they’re not just failing audits — they’re leaving systems like billing platforms and service portals wide open to attack. It’s not enough to have policies on paper. Municipalities need real, verifiable security measures to protect personal data. Without them, residents’ privacy and security are at risk,” says Cloete.

The consequences are far from abstract. In just the past three years, an alarming number of public institutions, including municipalities, have fallen victim to cyberattacks. Incidents have stretched across the country, bringing key services to a standstill from the KwaDukuza Local Municipality in KwaZulu-Natal to the City of Cape Town in the Western Cape.

“This year’s municipal by-elections across South Africa add another layer of complexity. Securing the digital systems that support these elections is essential. A cyberattack could compromise voter data or manipulate election information. With public confidence in institutions already fragile, even a minor security breach could have serious consequences for voter turnout and the perceived legitimacy of the results,” says Cloete.

Moving forward, digital responsibility must go beyond POPIA compliance to recognising that privacy and service delivery are fundamentally linked. By securing their digital infrastructure, municipalities can reinforce public confidence — whether people are accessing everyday services or participating in important events like elections. Cybersecurity is no longer just a background task, but a pillar of ethical, local leadership.