Security Incident and Reporting Policy

In terms of POPIA Section 22 and Information Security Best Practice

    1. Purpose

    This Policy establishes the procedures for identifying, reporting, managing and notifying security incidents, including Personal Information breaches, in accordance with the Protection of Personal Information Act, 2013 (POPIA).

    2. Scope

    This Policy applies to all employees, contractors, service providers and third parties who access or process information on behalf of Emergence Growth South Africa (“the Company”).

    3. Definition of a Security Incident

    A Security Incident includes any actual or suspected:

    • Unauthorised access, disclosure or use of Personal Information
    • Loss, theft or compromise of devices or data
    • System breach, malware or cyberattack
    • Human error resulting in data exposure

    4. Incident Identification and Reporting

    All users must:

    • Report any suspected or actual security incident immediately
    • Notify the Information Officer or designated contact without delay
    • Provide all relevant details of the incident

    Failure to report incidents may result in disciplinary action.

    5. Incident Response

    Upon notification, the Company will:

    • Contain and secure the incident immediately
    • Assess the nature and scope of the breach
    • Identify affected data and data subjects
    • Take remedial actions to mitigate harm
    • Record the incident in the Data Breach Register

    6. Notification (POPIA Section 22)

    Where there are reasonable grounds to believe that Personal Information has been accessed or acquired by an unauthorised person:

    • The Information Regulator will be notified as soon as reasonably possible
    • Affected Data Subjects will be notified as soon as reasonably possible
    • Notification will include:

    – Description of the breach
    – Possible consequences
    – Measures taken
    – Recommended actions for affected individuals

    7. Internal Escalation

    Incidents must be escalated to:

    • Information Officer
    • Senior Management (where required)
    • IT or Security personnel

    8. Roles and Responsibilities

    Information Officer:

    • Oversees incident response and reporting
    • Determines notification obligations
    • Liaises with the Information Regulator

    System Owners / IT:

    • Investigate and remediate technical issues
    • Maintain logs and audit trails

    Employees:

    • Protect information and report incidents
    • Follow security procedures

    9. Record Keeping

    All incidents must be:

    • Documented in the Breach Register
    • Retained for audit and compliance purposes

    10. Awareness and Training

    All staff must receive training on:

    • Recognising security incidents
    • Reporting procedures
    • Data protection responsibilities

    11. Non-Compliance

    Failure to comply with this Policy may result in:

    • Disciplinary action
    • Legal consequences

    Updates to this Policy

    The Company reserves the right to amend this Policy at any time to ensure ongoing compliance with applicable legislation and best practices.

     

    Updated March 2026
