Home / Insights / POPIA-Compliant Workplace Investigations

POPIA-Compliant Workplace Investigations: How to Investigate Without Creating a Second Legal Problem

Back to Insights
POPIA investigation chart showing R10 million administrative fine risk, 5 percent typical revenue loss to fraud, 12 median months before detection and 4 compliance steps.

A workplace investigation is lawful under POPIA when it rests on a recognised legal basis, is limited to its purpose, and stays out of genuinely private spaces. Get any of those wrong and the investigation itself becomes a second legal problem: a POPIA breach carries an administrative fine of up to R10 million (Information Regulator, via Bowmans), and unlawful interception of communications under RICA is a criminal offence carrying a fine of up to R2 million or ten years in prison (Michalsons). This guide sets out how to investigate internal wrongdoing without handing the person you are investigating a privacy claim against you.

Read more on our workplace investigations services.

TL;DR: Investigating misconduct is a lawful purpose under POPIA, but the method must stay proportional and purpose-limited. RICA prohibits intercepting communications unless an exception applies, usually consent or the business exception with notice. Get it wrong and you risk a POPIA fine up to R10 million (Information Regulator, via Bowmans) plus criminal liability under RICA.

What do POPIA and RICA require of a workplace investigation?

They require a lawful basis before you gather personal information, and lawful authority before you intercept a communication. POPIA (Act 4 of 2013) sets out eight conditions for the lawful processing of personal information, and section 11 lists six grounds that can justify it (Information Regulator).

Investigating a well-founded allegation of misconduct generally falls within the legitimate-interest ground, provided the investigation stays proportional to the suspected wrongdoing. Those six grounds include the data subject's consent, the performance of a contract, compliance with a legal obligation, protection of a legitimate interest of the data subject, and the legitimate interests of the responsible party (Information Regulator; Termly summary of POPIA).

RICA sits alongside POPIA and governs the interception of communications specifically. The Regulation of Interception of Communications Act 70 of 2002 came into force on 30 September 2005, and its default position is that all interception is prohibited unless it falls within an exception (goLegal). An employer that monitors email or calls outside those exceptions risks criminal liability, not just a civil complaint.

For the wider compliance picture, see our note on POPIA compliance for South African employers.

Timeline of key POPIA and RICA milestones RICA came into force on 30 September 2005, POPIA enforcement began on 1 July 2021, and the Information Regulator issued its first POPIA fine in July 2023. 2005 RICA in force 2021 POPIA enforced 2023 First POPIA fine
Regulatory timeline. RICA in force 30 September 2005 (goLegal); POPIA enforcement from 1 July 2021 (Information Regulator); first POPIA fine July 2023 (Bowmans).

When can an employer monitor or intercept communications?

An employer can monitor where consent applies, where the business-purpose exception applies, or where the employer is a party to the communication. RICA prohibits interception in section 2 and allows the business exception in section 6, the route most employers rely on (Department of Justice; Michalsons).

The business exception does not require separate written consent, but the monitoring must genuinely relate to business operations. That condition does real work. A broad "we can read anything" claim rarely survives scrutiny once the method reaches well beyond what the business actually needs.

Consent and notice are what make monitoring defensible. Adequate notice is usually given through a monitoring clause in the employment contract, an IT and communications policy that sets out the scope of monitoring, and system login banners warning that activity may be recorded (Vermeulen Law). Without any of that, the monitoring is far harder to justify, and evidence gathered from it can be challenged.

Talk to us about a defensible employee monitoring policy before you rely on it.

When monitoring is lawful under RICA Monitoring may be lawful where there is consent, a business-purpose exception under section 6, or where the employer is a party to the communication; otherwise interception is prohibited under section 2. Consent given? Business exception (s6)? Party to the message? Monitoring may be lawful If none apply: prohibited (RICA s2)
Decision view of RICA's section 2 prohibition and section 6 business exception (Department of Justice; Michalsons).

Where are the hard limits?

The hard limits are genuinely private spaces and disproportionate covert surveillance. The right to privacy sits in section 14 of the Constitution, which underpins both POPIA and RICA, so surveillance of private areas such as restrooms is prohibited (Constitution of South Africa, s14).

Covert monitoring is generally not allowed unless there's a strong legal justification, such as investigating suspected criminal activity, and even then it has to comply with the law rather than replace it. Recording someone in a bathroom or changing room crosses a line that no business interest can justify.

The regulatory trend is toward less invasive monitoring that stays proportional and tied to a defined purpose (Polity, 2025). An investigation that collects only what it needs, for a defined purpose, and documents why, is far easier to defend than a broad sweep of an employee's data.

Read our guidance on lawful covert surveillance thresholds.

How is a compliant investigation actually run?

A compliant investigation runs on a defined purpose, a proportional method, and a documented trail. POPIA's eight processing conditions require purpose specification, processing limitation, and security safeguards, so every step has to be justified, kept secure, and written down (Information Regulator).

In practice: establish the lawful basis before you gather anything, limit collection to what the suspected wrongdoing justifies, keep the personal information secure, and record each step so the method can later be shown to have stayed within the law. In our experience, the surveillance is rarely what fails. The paper trail is. A sound method nobody documented is almost impossible to defend after the fact.

Covert techniques, where justified, are used sparingly and lawfully, and the resulting evidence is corroborated rather than relied on alone. This is where a professional firm parts ways with the "camera and private investigator" operator: the operator hands you footage, while a compliant process hands you evidence that survives a POPIA challenge and a disciplinary hearing.

See our guide to evidence handling and chain-of-custody for internal investigations.

What does getting it wrong cost?

It can cost more than the fraud you were investigating. Occupational fraud already costs the typical organisation around 5% of revenue a year, with the median scheme running 12 months before detection (ACFE Report to the Nations, 2024). An unlawful method simply stacks a second loss on top of the first.

A POPIA breach carries an administrative fine of up to R10 million, and the Information Regulator issued its first such fine, R5 million against a public body, in July 2023 (Bowmans). Unlawful interception under RICA is a criminal offence carrying a fine of up to R2 million or imprisonment of up to ten years (goLegal).

There's a third cost that rarely makes the headline. A dismissal built on unlawfully obtained evidence can be challenged under section 188 of the Labour Relations Act 66 of 1995 (Department of Justice), so an unlawful method can lose you the disciplinary case as well as trigger a fine. You can win the surveillance and still lose the matter.

Maximum penalties under POPIA and RICA Bar chart comparing the R10 million POPIA administrative fine with the R2 million RICA criminal fine. R10m R2m POPIA fine RICA fine
Maximum penalties: POPIA administrative fine up to R10 million (Bowmans) versus RICA criminal fine up to R2 million (Michalsons).

Read our explainer on POPIA fines and Information Regulator enforcement.

Frequently asked questions

Can an employer read an employee's work email? Generally yes, where there's adequate notice through a contract or policy, or where the business exception in RICA section 6 applies, but not where the method is disproportionate or reaches into genuinely private communications (Michalsons).

For detail, see our guide to reading work email lawfully and monitoring employee communications.

Is covert surveillance ever allowed? Only with a strong justification such as suspected criminal activity, and even then it must comply with RICA and POPIA rather than ignore them. Recording in genuinely private spaces stays off-limits.

What happens if we get it wrong? You risk a POPIA administrative fine of up to R10 million and, for unlawful interception, criminal liability under RICA of up to R2 million or ten years, on top of potentially losing the disciplinary matter (Michalsons).

Disclaimer: This article is general information for South African employers and does not constitute legal advice. POPIA and RICA apply to specific facts in specific ways. Before conducting or acting on a workplace investigation, obtain advice from a qualified attorney.

Investigate the wrongdoing without becoming the next headline

The point of a workplace investigation is to resolve a loss, not to create a privacy claim against your own business. A POPIA breach can cost up to R10 million (Bowmans), so a compliant, proportional method protects the case and the company at the same time. To scope a lawful approach to a suspected internal loss, learn about our independent security and risk advisory, or discuss your situation in complete confidence.

Enquire Confidentially