Ensemble EHS
POPIA

Protection of Personal Information Act

The Protection of Personal Information Act (Act 4 of 2013) sets the conditions under which personal information may be lawfully processed in South Africa. Employee health and safety records (incident and injury reports, medical surveillance results, exposure monitoring, fitness-for-work assessments) are personal information under the Act, and health information in particular is "special personal information" (section 26), which an employer may process only where the Act authorises it (section 32).

Authority: Information Regulator (South Africa)
Applicability: Any responsible party (public or private body, or any other person) processing personal information while domiciled in South Africa, or using means located in South Africa (section 3)
Penalties: Administrative fines up to R10 million; offences under the Act carry fines and/or imprisonment up to 10 years
Last Updated: 1 July 2021 (end of the one-year grace period; the Act commenced on 1 July 2020)

Key Requirements

1. Lawful Processing

Process personal information lawfully and in a reasonable manner that does not infringe the employee's privacy (section 9), and only on one of the justifications in section 11: consent, performance of a contract with the data subject, a legal obligation, protection of the data subject's legitimate interest, a public-law duty, or the legitimate interests of the responsible party or a third party. The responsible party remains accountable for compliance (section 8) and must be open about what it collects and why (section 18). Consent can be withdrawn, so OH&S processing that the law itself requires (for example statutory injury reporting) is better grounded on the legal-obligation justification than on consent.

2. Purpose Specification

Collect personal information only for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party (section 13), here OH&S management, and do not retain records longer than is necessary for that purpose unless a law requires longer retention (section 14). Any further processing must be compatible with the purpose for which the information was originally collected (section 15).

3. Data Minimization

Given that purpose, collect only personal information that is adequate, relevant and not excessive (section 10). Because health information is special personal information (section 26), keep clinical detail in the medical record and out of general incident registers and dashboards that a wider audience can read.

4. Security Safeguards

Take appropriate, reasonable technical and organisational measures to secure the integrity and confidentiality of personal information and to prevent loss of, damage to or unauthorised destruction of it, and unlawful access to or processing of it (section 19). The Act expects the responsible party to identify the risks, establish and maintain safeguards against them, and verify those safeguards regularly. Operators that process the information on your behalf (for example a hosted OH&S platform) must be bound by a written contract to the same standard and to confidentiality (sections 20 and 21).

5. Data Subject Rights

Employees may ask whether you hold personal information about them and request a copy of it (section 23), and may request correction or deletion of information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully (section 24). Deletion is not unconditional: records you are required by law to keep (incident registers, medical surveillance records) are retained, and the employee must be told what action was taken on the request.

6. Notification of Security Compromises

Where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, notify the Information Regulator and the affected data subjects as soon as reasonably possible after discovering the compromise (section 22). The notice to data subjects must give enough detail for them to protect themselves, including the possible consequences, the measures you have taken and recommended protective steps. Notification of data subjects may be delayed only if the Regulator or a law-enforcement body determines that it would impede a criminal investigation.

Reporting Requirements

Report type | Deadline | Form/document
Security compromise notification (section 22) | As soon as reasonably possible after discovery of the compromise | Written notice to the Information Regulator and to each affected data subject
Data subject access, correction or deletion request (sections 23 and 24) | Within 30 days of receipt (the PAIA time limit; extendable once by up to a further 30 days) | Prescribed request form from the employee; written response stating the action taken or the reason for refusal
Prior authorisation for listed processing (section 57: unique identifiers used for other purposes, criminal or unlawful-conduct data on behalf of third parties, credit reporting, cross-border transfer of special or children's personal information) | Before the processing starts; the Regulator must respond within four weeks of notification (section 58) | Prior authorisation application to the Information Regulator
Personal information impact assessment (Regulation 4) | Before the processing starts; no statutory deadline, but the Information Officer must ensure one is done | PIA report, retained as evidence of the assessment

Automate Your POPIA Compliance

Ensemble automatically tracks deadlines, generates required reports, and ensures you never miss a compliance obligation.