Protection of Personal Information Act (Act 4 of 2013)
South Africa's comprehensive data protection law. It predates the EU GDPR (2016) and draws on the earlier EU Data Protection Directive 95/46/EC and OECD privacy principles, so its structure is closely aligned with GDPR's. It establishes eight conditions for lawful processing: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation. It covers responsible party obligations, information officers, data subject rights, transborder data flows, enforcement by the Information Regulator, and criminal offences. It is binding on all public and private bodies processing personal information in South Africa.

The tables below map POPIA sections ("s" followed by the section number) to NIST SP 800-53 control families. Number of mapped controls per family: AC (9), AU (5), CA (4), CM (8), CP (4), IA (4), IR (8), MA (2), MP (4), PE (3), PL (2), PM (4), PS (5), PT (8), RA (5), SA (2), SC (6), SI (9), SR (4).
AC Access Control
| Control | Name | POPIA References |
|---|---|---|
| AC-01 | Access Control Policies and Procedures | s19 |
| AC-02 | Account Management | s19 |
| AC-03 | Access Enforcement | s19 |
| AC-04 | Information Flow Enforcement | s19, s72 |
| AC-05 | Separation Of Duties | s19 |
| AC-06 | Least Privilege | s10, s19 |
| AC-07 | Unsuccessful Login Attempts | s19 |
| AC-08 | System Use Notification | s18 |
| AC-16 | Automated Labeling | s26-27, s28-33 |
AU Audit and Accountability
CA Security Assessment and Authorization
CM Configuration Management
| Control | Name | POPIA References |
|---|---|---|
| CM-01 | Configuration Management Policy And Procedures | s19 |
| CM-02 | Baseline Configuration | s19 |
| CM-03 | Configuration Change Control | s19 |
| CM-06 | Configuration Settings | s19 |
| CM-07 | Least Functionality | s19 |
| CM-08 | Information System Component Inventory | s17 |
| CM-12 | Information Location | s10, s14, s17 |
| CM-13 | Data Action Mapping | s8, s13, s15, s17 |
CP Contingency Planning
IA Identification and Authentication
IR Incident Response
| Control | Name | POPIA References |
|---|---|---|
| IR-01 | Incident Response Policy And Procedures | s19, s22 |
| IR-02 | Incident Response Training | s22 |
| IR-04 | Incident Handling | s19, s22 |
| IR-05 | Incident Monitoring | s22 |
| IR-06 | Incident Reporting | s22, s73-99 |
| IR-07 | Incident Response Assistance | s22 |
| IR-08 | Incident Response Plan | s22 |
| IR-09 | Information Spillage Response | s22 |
MA Maintenance
MP Media Protection
PE Physical and Environmental Protection
PL Planning
PM Program Management
PS Personnel Security
PT Personally Identifiable Information Processing and Transparency
| Control | Name | POPIA References |
|---|---|---|
| PT-01 | Policy and Procedures | s5, s8, s9, s13, s26-27 |
| PT-02 | Authority to Process Personally Identifiable Information | s9, s11, s57-59 |
| PT-03 | Personally Identifiable Information Processing Purposes | s13, s15, s26-27 |
| PT-04 | Consent | s5, s11, s34-35, s69 |
| PT-05 | Privacy Notice | s5, s12, s13, s18, s69, s70 |
| PT-06 | System of Records Notice | s5, s23-24, s25 |
| PT-07 | Specific Categories of Personally Identifiable Information | s10, s15, s26-27, s28-33, s34-35 |
| PT-08 | Computer Matching Requirements | s71 |
RA Risk Assessment
SA System and Services Acquisition
SC System and Communications Protection
SI System and Information Integrity
| Control | Name | POPIA References |
|---|---|---|
| SI-01 | System And Information Integrity Policy And Procedures | s16, s19 |
| SI-02 | Flaw Remediation | s19 |
| SI-03 | Malicious Code Protection | s19 |
| SI-04 | Information System Monitoring Tools And Techniques | s19 |
| SI-06 | Security Functionality Verification | s16 |
| SI-07 | Software And Information Integrity | s16, s19 |
| SI-10 | Information Accuracy, Completeness, Validity, And Authenticity | s16 |
| SI-12 | Information Output Handling And Retention | s14 |
| SI-18 | Personally Identifiable Information Quality Operations | s16, s23-24 |