Introduction
On 1 July 2021, South Africa’s Protection of Personal Information Act — POPIA — came into full effect. Every organisation that processes personal information about South African citizens became legally required to comply. The penalties for non-compliance are serious: administrative fines of up to R10 million, and in cases of deliberate or reckless contraventions, criminal prosecution of responsible parties.
Most South African madrasahs, Hifz schools, and Darul Ulooms are not POPIA compliant. This is not a matter of bad intent — it is a matter of awareness. Few South African Islamic institutions have received guidance on what POPIA means for them specifically. This guide provides that guidance — clearly, practically, and in the context of how South African Islamic schools actually operate.
What Is POPIA and Does It Apply to Islamic Schools?
POPIA — the Protection of Personal Information Act 4 of 2013 — is South Africa’s primary data protection law, equivalent in intent and structure to the European Union’s GDPR and the United Kingdom’s UK GDPR. It governs how organisations collect, use, store, and share personal information about living individuals.
Does it apply to Islamic schools?
Yes — unambiguously. POPIA applies to any “responsible party” that processes personal information in South Africa. A responsible party is any person or organisation that determines the purpose and means of processing personal information. Every madrasah, Hifz school, and Darul Uloom:
- Collects personal information about students (names, dates of birth, addresses)
- Collects personal information about parents and guardians (names, contact details)
- Stores and uses this information for educational administration purposes
- May share this information with teachers, committee members, or external parties
This makes every Islamic school a responsible party under POPIA, regardless of its size, income, or formal registration status.
The exemption question:
POPIA does provide some limited exemptions — for purely personal or household activities, for example. Running a madrasah is not a personal or household activity. There is no exemption in POPIA for religious organisations, charities, community groups, or small institutions. POPIA applies.
What Personal Information Do Islamic Schools Hold?
Take stock of what your madrasah actually holds. Most Islamic schools hold far more personal information than they realise:
Student data:
- Full name, date of birth, gender
- Home address and neighbourhood
- Parent/guardian names, phone numbers, email addresses
- Medical information (allergies, chronic conditions, medication)
- Qur’anic progress records (documenting a child’s educational journey)
- Attendance records (documenting a child’s whereabouts)
- Assessment results and teacher comments
- Fee payment history and outstanding balances
- Any safeguarding or welfare notes
Staff data:
- Full name, ID number, address, contact details
- Employment history and qualifications
- Bank details (for salary payment)
- Police clearance certificate details
- Any disciplinary matters
Parent data:
- Names and contact details
- Financial information (fee payment history)
- Any communication records
All of this is personal information under POPIA. All of it must be handled in accordance with POPIA’s requirements.
The Eight Conditions of Lawful Processing
POPIA establishes eight conditions that must be met for personal information to be processed lawfully. For Islamic schools, these translate as follows:
1. Accountability: The madrasah (as responsible party) is accountable for ensuring compliance. Appoint a named Information Officer who owns this responsibility.
2. Processing limitation: Collect only the personal information you actually need for running the madrasah. Don’t collect data you have no use for. Don’t use data for purposes other than those you stated when collecting it.
3. Purpose specification: Be clear about why you are collecting each piece of data. “For the administration of Islamic education, including attendance, academic progress, fee management, and parent communication” is a valid and specific purpose.
4. Further processing limitation: Don’t use personal information for purposes incompatible with the original purpose. Student attendance records collected for safeguarding must not be used for marketing purposes.
5. Information quality: Keep your records accurate and up to date. Outdated phone numbers, wrong addresses, old medical information — these are POPIA failures.
6. Openness: Tell people (parents, students, staff) what personal information you hold about them and why. This is done through a privacy notice.
7. Security safeguards: Protect personal information from unauthorised access, loss, or disclosure. Encrypted storage. Access controls. No personal data in unprotected WhatsApp groups.
8. Data subject participation: People have rights over their personal information — to access it, correct it, and in some circumstances request its deletion. Your madrasah must be able to respond to these requests.
The WhatsApp Problem — Why Every Madrasah Must Read This
This section is the most important in this guide for most South African Islamic schools.
Every South African madrasah uses WhatsApp for parent communication. Most of them have class groups with 30–120 parent members. Teachers post attendance updates, progress notes, photographs of students, and other student-specific information in these groups. This is a direct, daily POPIA violation — and it is happening in almost every madrasah in the country.
Why WhatsApp group sharing violates POPIA:
When a teacher posts “Ahmed was absent today” or “Class 4’s results — Ahmed 85%, Fatima 72%, Hassan 60%…” in a parent WhatsApp group, they are disclosing personal information about specific children to every other parent in that group. Those parents did not consent to receiving each other’s children’s personal information. The parents of Ahmed, Fatima, and Hassan did not consent to their children’s information being shared with 80 other people. This is a disclosure of personal information without lawful basis — a POPIA violation.
Beyond the legal issue, there is a practical one: once information is posted in a WhatsApp group, the madrasah has no control over what happens to it. Screenshots are taken. Messages are forwarded. Student information circulates beyond the group without the school’s knowledge or consent.
What WhatsApp is acceptable for under POPIA:
General announcements that contain no personal student information — school closures, timetable changes, Ramadan schedule, event invitations — are acceptable in a parent WhatsApp group because they do not disclose individual personal information.
What WhatsApp is not acceptable for:
Any message that identifies a specific student by name alongside any personal information about them — attendance status, academic results, Qur’anic progress, fee status, welfare matters. This applies even to apparently innocuous messages: “Well done to Ahmed for completing Juz 10!” posted to the group discloses Ahmed’s educational progress to every other parent.
The solution:
Individual parent communication for all student-specific information. Each parent receives information about their own child through a secure, individual channel — a parent portal, a direct message, or a one-to-one WhatsApp message from the teacher to that specific parent. Not a group broadcast.
Your POPIA Obligations: A Practical Checklist
Work through this checklist for your madrasah:
Governance:
Privacy notice:
Data security:
Data minimisation:
Retention:
Data subject rights:
Breach response:
The Information Officer: Who Must Be Appointed
POPIA requires every responsible party to appoint an Information Officer. For most madrasahs, this will be the principal or a senior committee member.
The Information Officer’s responsibilities:
- Ensuring the madrasah complies with POPIA
- Dealing with requests from data subjects (parents requesting access to their child’s data)
- Working with the Information Regulator if required
- Ensuring staff understand their POPIA obligations
The Information Officer must be registered with South Africa’s Information Regulator (inforegulator.org.za). Registration is online and is required under the POPIA Regulations.
Your Privacy Notice: What It Must Say
A privacy notice is a document (one to two pages is sufficient for most madrasahs) that tells parents and students what personal information you hold about them and what you do with it.
Your privacy notice must cover:
- Who you are (the madrasah’s name, address, contact details, Information Officer’s name)
- What personal information you collect (list the categories: student data, parent data, etc.)
- Why you collect it (purpose: administration of Islamic education)
- How you store and protect it (encrypted digital system, access controls)
- Who you share it with (teachers, committee — and that you do not share it with third parties for commercial purposes)
- How long you keep it (reference your retention schedule)
- What rights parents and students have (access, correction, deletion in appropriate circumstances)
- How to contact you with POPIA-related queries
Issue the privacy notice at enrolment and make it available on request. For new enrolments, have the parent sign or acknowledge receipt of the notice.
Data Security: Practical Requirements for Islamic Schools
POPIA requires “appropriate, reasonable technical and organisational measures” to secure personal information. For a South African madrasah, this means:
Digital records in encrypted, access-controlled systems: Not unprotected Google Sheets accessible to anyone with the link. Not Excel files on a shared USB drive. Not personal Google Drive accounts. A purpose-built system with encryption and role-based access.
No personal student data in uncontrolled messaging platforms: WhatsApp does not provide institutional access control. The madrasah cannot control who screenshots group messages, who forwards them, or where they end up. Student-specific data does not belong in WhatsApp groups.
Teacher access limited to their own students: A teacher should be able to access records for the students they teach — not for the whole school. This limits the damage of any accidental or deliberate data disclosure.
Physical records stored securely: Paper files (if any are retained) in a locked cabinet, accessible only to authorised personnel.
Staff POPIA awareness: Every staff member who handles personal information should understand their POPIA obligations — at minimum, that student data is confidential, that WhatsApp groups are not appropriate for student-specific information, and that data should not be shared with anyone outside the institution without authorisation.
Data Retention: How Long to Keep Records
POPIA requires that personal information not be retained longer than necessary for the purpose for which it was collected. A reasonable retention schedule for a South African madrasah:
| Record Type | Recommended Retention Period | Reason |
|---|---|---|
| Student educational records | 7 years after student leaves | Potential disputes; historical reference |
| Fee payment records | 7 years after payment | SARS and financial audit requirements |
| Attendance records | 3 years after student leaves | Safeguarding reference period |
| Safeguarding / welfare records | Until the child’s 25th birthday | Children’s Act requirement for serious matters |
| Staff employment records | 7 years after employment ends | Labour law requirements |
| Police clearance records | Duration of employment + 1 year | Safeguarding audit trail |
| General correspondence | 3 years | Reference period |
After the retention period, records should be securely destroyed — paper shredded, digital records permanently deleted.
Responding to Data Access Requests
Under POPIA, parents have the right to request access to the personal information you hold about their child. You must respond within a reasonable time (30 days is the standard expectation).
When a parent makes a data access request:
- Confirm the identity of the requester (they must be the parent or guardian on record)
- Identify what records you hold about their child
- Provide copies of those records in a readable format
- If you are withholding any records (e.g., safeguarding records, where you may have grounds to withhold certain information that could harm a third party), explain this
Ilmify’s data export function allows you to produce a complete export of a student’s records — progress history, attendance, fee records — in CSV format in minutes. This makes responding to data access requests straightforward.
Data Breaches: What to Do If Things Go Wrong
A data breach is any unauthorised access to, disclosure of, or loss of personal information. Examples relevant to madrasahs:
- A teacher’s phone containing student records is lost or stolen
- Student records are accidentally sent to the wrong parent
- A WhatsApp group message containing student information is forwarded outside the group
- Your database is accessed by an unauthorised person
What to do immediately:
- Contain: Stop the breach if it is ongoing (change passwords, revoke access, contact WhatsApp to report if a group is compromised)
- Assess: Determine what information was compromised and how many people are affected
- Notify the Information Regulator if there is a real risk of harm to the affected individuals (Section 22 of POPIA requires this)
- Notify affected individuals (parents) if the breach poses a high risk of harm
- Document everything: The breach, the response, the notification — keep a breach register
Most madrasah-level breaches — a phone lost briefly and recovered, an accidentally forwarded message — do not require Information Regulator notification unless there is a real risk of harm to those whose data was disclosed. When in doubt, notify.
Consequences of Non-Compliance
POPIA’s enforcement body — the Information Regulator — has the power to:
- Issue compliance notices requiring specific action within a defined timeline
- Issue enforcement notices if compliance notices are ignored
- Impose administrative fines of up to R10 million
- Refer cases to the National Prosecuting Authority for criminal prosecution of responsible parties (individuals, not just institutions) — with penalties including imprisonment
In addition to regulatory consequences, non-compliance creates civil liability: a person whose personal information has been mishandled can sue for damages under POPIA.
The Information Regulator is actively building enforcement capacity in 2025–2026. Community organisations, including religious institutions, are not exempt from enforcement action.
How Ilmify Supports POPIA Compliance
Ilmify’s infrastructure is designed to meet the data protection requirements that POPIA imposes on South African Islamic schools.
Encrypted cloud storage: All student and parent data is stored in AES-256 encrypted cloud infrastructure. Data is not accessible to anyone who does not have an authorised account.
Role-based access control: Teachers see only their own students. The principal sees all. Financial data is accessible only to the treasurer role. Pastoral records are restricted to the principal and designated pastoral lead. This limits data exposure and creates a POPIA-aligned access structure.
Individual parent portal: Each parent accesses their own child’s information through a unique, password-protected login. No shared screens. No group access. No WhatsApp group disclosure of individual student information. The parent portal directly replaces the POPIA-non-compliant use of WhatsApp for student-specific communication.
Audit trail: Ilmify maintains a complete log of who accessed which records and when. This audit trail is essential for demonstrating POPIA compliance to the Information Regulator if a complaint or investigation arises.
Data export for access requests: When a parent submits a data access request, a complete export of their child’s Ilmify records can be produced in minutes — in CSV format, covering all progress history, attendance, and fee records. Responding to POPIA access requests takes minutes, not days.
Retention tools: Ilmify supports retention schedule implementation — student records can be archived and then permanently deleted after the applicable retention period without manual file management.
Privacy notice template: Ilmify provides a South African madrasah privacy notice template that Information Officers can adapt for their institution — covering all required POPIA elements in accessible language for parents.
Conclusion
POPIA compliance for South African Islamic schools is not optional, not complicated, and not expensive. It requires four things: understanding what personal data you hold, protecting it properly, telling parents what you do with it, and giving them individual rather than group access to information about their own children.
The WhatsApp class group — the default communication system for almost every South African madrasah — is the most significant daily POPIA violation in the Islamic educational sector. Replacing it with an individual parent portal is the single most impactful compliance step most madrasahs can take.
Ilmify provides the infrastructure — POPIA-compliant data storage, individual parent portal, role-based access control, and audit trail — that makes compliance straightforward rather than burdensome.