Company Governance & Policies
in South Africa

The Protection of Personal Information Act 4 of 2013 is not a single policy; it is a governance framework. Section 55 designates the head of every private body as the default Information Officer, with personal responsibility for compliance, for developing a compliance framework under the Information Regulator's Guidance Note, and for dealing with Promotion of Access to Information Act requests. Sections 8 to 25 set out the eight conditions for lawful processing: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation. Each condition translates into a policy artefact — an internal privacy policy, a retention schedule, a data-mapping register, a consent log, a subject-access-request workflow, and a s.21 operator register. Section 22 compels notification of the Information Regulator and affected data subjects "as soon as reasonably possible" after the Responsible Party has reasonable grounds to believe a security compromise has occurred — a test the Regulator has interpreted strictly since the Dis-Chem and Experian findings. Administrative fines under s.109 reach R10 million; criminal penalties under s.107 include imprisonment for up to ten years. The documents in this pillar — privacy policy, POPIA data-protection policy, IT acceptable-use policy — together constitute the "appropriate, reasonable technical and organisational measures" required under s.19(1).

Section 76 of the Companies Act 71 of 2008 imposes on every director a fiduciary duty to act in good faith, for a proper purpose, in the best interests of the company, with the degree of care, skill, and diligence reasonably expected of a person with their knowledge and experience. The section codifies the common-law duties and introduces the business-judgment rule as a safe harbour where the director has acted on rationally available information. Section 77 then converts a breach into personal liability — for any loss, damage, or costs sustained by the company as a result. Section 24 compels every company to keep specified records at its registered office for seven years: MOI, securities register, minutes of shareholder meetings, resolutions, directors' declarations of interest, and annual financial statements. Sections 28 to 30 require that those financial statements be prepared under the applicable financial-reporting standard and, for public interest companies, independently audited. Section 159 protects whistleblowers who report contraventions in good faith, complementing the Protected Disclosures Act regime. The governance policies in this pillar — from the Code of Ethics to the Anti-Bribery and Corruption Policy — operationalise those statutory duties in documents directors can point to when the business-judgment rule is tested.

The Occupational Health and Safety Act 85 of 1993 imposes a non-delegable duty on every employer to provide and maintain a working environment that is safe and without risk to the health of its employees and of any other person who may be affected by its activities. Section 8 sets out the general duty, sections 9 to 10 extend it to non-employees and the self-employed, section 13 compels the employer to keep employees informed of health and safety hazards, sections 14 to 15 impose reciprocal duties on employees, and sections 16 to 17 deal with the appointment of CEO and 16(2) assignees who carry delegated responsibility. The hidden trap for most South African businesses is s.37(2), which makes the employer vicariously liable for the acts or omissions of an employee of a mandatary (contractor) unless a written agreement is in place recording the arrangements and procedures for ensuring compliance. Without a s.37(2) mandatory agreement, a contractor injury becomes the employer's criminal liability. An Occupational Health and Safety policy, a s.16(2) letter of appointment, a Substance Abuse policy, and the s.37(2) template together constitute the "reasonably practicable" steps defence under s.8 — without them, the employer is effectively strict-liable for workplace incidents.

The Protected Disclosures Act 26 of 2000 was substantially amended in 2017 to extend its reach beyond the narrow employee-employer relationship to include workers, contractors, agents, and former employees. Section 3 prohibits "occupational detriment" — dismissal, disciplinary action, demotion, transfer, or harassment — against a disclosure made in good faith through a prescribed channel to an employer, legal adviser, member of Cabinet, or the Public Protector. A whistleblowing policy is the statutory mechanism by which an employer meets its obligation under s.3A to provide an internal disclosure channel and to protect the discloser. Layered on top, the Prevention and Combating of Corrupt Activities Act 12 of 2004 creates a general offence of corruption in ss.3 and 4 (accepting or giving gratification in exchange for an act or omission) and, critically, s.34 compels any person in a position of authority who knows or ought reasonably to have known of a corruption offence involving R100,000 or more to report it to the Directorate for Priority Crime Investigation. Failure to report is itself a criminal offence. An Anti-Bribery and Corruption policy, a whistleblowing policy, and a gifts-and-hospitality register together operationalise both statutes and create the documentary paper trail that demonstrates the "reasonable steps" defence under PRECCA s.34.

Governance also requires living compliance artefacts — documents that must be kept current and produced on demand to lenders, tender issuers, and acquirers. The Compensation for Occupational Injuries and Diseases Act 130 of 1993 requires every employer to register with the Compensation Fund, pay an annual assessment, and obtain a Letter of Good Standing under s.80; without it, many procurement departments and construction principal contractors will not contract, and the employer remains liable for employee compensation claims. The Unemployment Insurance Act 63 of 2001 compels monthly UIF contributions (1% employer, 1% employee) and a UI-19 declaration on every termination; a UIF Compliance Certificate evidences that obligations are current. The Income Tax Act overlays the Tax Compliance Status pin — a SARS mechanism that every B-BBEE audit, tender, and supplier-onboarding process now relies on. The Employment Equity Act 55 of 1998 (as amended in 2022) imposes new sector targets from 2025 and requires every designated employer to submit an EEA2 report annually; non-compliance disqualifies bidders from public-sector tenders under s.53. The Skills Development Levies Act 9 of 1999 compels a 1% levy and a Workplace Skills Plan submission to the relevant SETA. Each document in this pillar is a statutory deliverable, not a "nice to have".