Effectively managing the disclosure of (personal) information in your business is not a nicety, but a necessity. It may be the difference between maintaining your “competitive edge”, untainted reputation, and the failure of your business.

Although many commonly applied business practices, such as entering into confidentiality agreements and imposing restraints of trade on employees, serve to protect some aspects of confidential information, these are by no means the only available solutions to be relied on in isolation. Not anymore!

Moreover, the Protection of Personal Information Act 4 of 2013 (“POPI Act”) has also created a framework within which data should be collected, processed, used and ultimately destroyed. This means the abovementioned long-standing practices should be aligned with this framework.

But what about the disclosure of information or matters of a generally unlawful nature?




The POPI Act is aimed at regulating the use of and the safeguarding of personal information.

It is a simple fact that every business, in some way or form, stores personal information, whether it be employment records for staff or client information needed to open an account. In some instances, even suppliers are vetted by way of investigating certain types of personal information.

It is thus a set of regulations that every business must consider seriously and comply with, and by so doing save itself from a potential R 10 million fine or ten years’ imprisonment.

So, what should businesses know about POPI?


1. What is personal information?

Personal information is any information which includes a person’s name (including a juristic person, such as a company), contact details, religion, sexual orientation, personal views, private correspondence, health records, employment records, financial records, etc.


2. Lawful processing of information

In this context, processing means any activity or operation relating to personal information of a data subject (natural or juristic person). Businesses must ensure that processing is done in a lawful manner, which means:


a) Ensuring compliance with POPI;
b) Processing information in a reasonable manner not unlawfully infringing on the right to privacy;
c) Purpose of collection of the information must be both lawful and related to a lawful function or activity;
d) The information collected must be comparable with the purpose of its collection;
e) The information provided must be accurate, complete, updated and not misleading;
f) The person to whom the information belongs must be aware of all matters pertaining to the information;
g) Take certain steps to ensure that the integrity of the personal information is protected and not lost, destroyed or unlawfully acquired;
h) The person whose information is being held may question any aspect of the information.


3. Policies regulating collection, storage of information and its release should be drafted for every business.

Businesses should assess the degree to which they are processing personal information, whether it is necessary and, if so, put measures in place so as to guide all team members and ensure compliance.


So, what about unlawful disclosures, or whistle blowing?

The Protected Disclosures Act 26 of 2000 (“PDA”), also aptly referred to as the Whistle Blowers Act, makes provision for employees to report unlawful or irregular conduct by employers and fellow employees, while providing for the protection of employees who “blow the whistle”.


Generally, the PDA is designed to protect employees who have reason to believe information reasonably shows:

I. A criminal offence;
II. Noncompliance with any legal obligation or a miscarriage of justice;
III. Endangerment of health or safety or damage to the environment; and/or
IV. The conspiracy to or “cover-up” of any of the above.

Notably, Section 159 of the Companies Act 71 of 2008, as amended, also extends the ambit of protection for whistle blowers to independent contractors, service providers and trade union shop stewards.

However, if an employee or any other whistle blower reports wrongdoing incorrectly, the disclosure made will not be protected. This means that the whistle blower’s identity will become known, the information reported disclosed and in the case of an employee, he/she may even face potential dismissal. In addition, he/she (or any other whistle blower for that matter) may also face a potential damages claim (or other civil action), if the disclosure breached a confidentiality agreement, or otherwise resulted in the business suffering damages.

As such, having appropriate measures in place is not just in the best interests of the business, its reputation and general preservation, but also in the interests of employees, contractors and stewards.



In addition to implementing appropriate policies, confidentiality and restraint of trade agreements, it is of the utmost importance that businesses instil and maintain certain core values. The most important of these is zero tolerance for fraud, or any unethical conduct as a whole. The message of zero tolerance should be consistently enforced, regardless of who is involved. In addition, in my view, there should be a continued emphasis that both employees and management must at all times act in the interests of the business.

Furthermore, the internal disclosure policies and procedures that are implemented should not only be aligned to POPI but should also comply with the standards set by the Companies Act and in the King IV Report on Corporate Governance for South Africa, 2016.

It is advisable to include an appropriate segregation of duties between designated officers, in order to ensure that the merits of potential complaints and disclosures are fairly and objectively determined before the whistle is actually blown or required to be.

A team of qualified professionals should assist in the establishment of these policies and procedures.