Alison Lee

Alison Lee





New Directive applicable to employers who employ more than 50 employees.

To all of you who are not aware of the updated COVID-19 OHSA Directions for Certain Workplaces, please carry on reading, as these Directions place important and additional obligations on employers who employ more than 50 employees. (The previous Directive referred to employers who employed more than 500 employees)

Quick summary

Employers must:

Risk Assessment:

  •  prepare a risk assessment and workplan, which has to be shared with Trade Unions, Inspectors and SHE Committees or Representatives;
  • submit a record of its risk assessment, together with a written policy concerning the protection of the health and safety of its employees from COVID-19, as contemplated in section 7(1) of the Occupational Health and Safety Act, 1993 (“OHSA”) to its SHE committee; and the Department of Employment and Labour within 21 days of the commencement of the Directions, i.e. by 21 October 2020.

COVID-19 Testing Reports:

  • provide screening and testing data to the National Institute for Occupational Health, including each employee’s vulnerability status;
  • details of the COVID-19 screening for employees who are symptomatic;
  • details of employees who test positive for COVID-19; the number of employees identified as high-risk contacts within the workplace if a worker has been confirmed as being positive; and details on the post-infection outcomes of those testing positive, including the return to work assessment outcome.

The data concerning each employee’s vulnerability status must be submitted once in respect of each employee and the remaining data must be submitted as soon as possible before Tuesday of each week in respect of the data collected in the previous calendar week commencing Sunday.

Employers must inform their employees of the submission of this data and advise them of their adherence to the Protection of Personal Information Act, 2013.

Alternatively, submit the data to an employer’s association if the association has entered into an agreement with the National Institute for Occupational Health to receive, process and submit the data to the Institute, and the association has undertaken to submit the data on behalf of the employer.

Reduce the mandatory self-isolation and self-quarantine period for employees from 14 days to 10 days, save for Health workers with high risk exposure who must remain in quarantine for seven days, which can, by agreement with the worker, be reduced to five days.

Note that employees are allowed to refuse to perform any work if such work poses an imminent and serious risk of exposure to COVID-19 and such employee may not be victimised as a result.

Establish an internal dispute resolution procedure to handle COVID-19 related disputes and if the dispute cannot be resolved such matter must be referred to the inspector for resolution.

In order to assist all THE LEGAL TEAM and Lee’s Compliance Subscribers, we have prepared an updated COVID-19 OHSA Policy and related presentation on the new directive, which includes the required POPIA Privacy notice.

Click here to access if you are a subscriber.


Employment and Labour, Department of- R. 1031 Labour Relations Act, 1995: Consolidated Direction on Occupational Health and Safety Measures in certain workplaces – GGN43751 1 OCTOBER 2020




The Covid-19 restrictions

 The Covid-19 global pandemic has caused disruptions to economies around the world and it is no surprise that the South African economy has not been spared. While the most devastating effects of the disease have been the number of infections (over 38 million worldwide) and number of deaths (over one million), its economic consequences cannot be understated.

In South Africa, the impact on many businesses has been catastrophic and the hospitality sector in particular, has felt the brunt of the disease. Suddenly and out of nowhere, bookings were being cancelled and the very existence of hotels, pubs and restaurants, came under threat. As a natural consequence, businesses turned to their insurers for assistance. The insurance sector braced itself as the South African government took steps to deal with the pandemic, which in turn has had an impact on the way insurers have dealt with claims.

The aim of this article is to examine how insurers in South Africa have dealt with claims presented to them for losses suffered by policyholders during the Covid-19 pandemic.

South Africa is currently undergoing a national lockdown which has caused by the outbreak of the disease in the country. The lockdown, which had been preceded by a number of restrictions, began on 27 March 2020, and has progressively eased over the last six months, as South Africa’s Covid-19 curve flattened.

The government has promulgated various regulations under the Disaster Management Act 57 of 2002 to regulate and enforce the national lockdown through various stages or levels. As of mid-October 2020, South Africa is currently at Level 1 of the lockdown.

The lockdown has resulted in all persons being confined to their homes, and businesses, other than those initially designated as essential services, required to cease operations. As the country proceeded through the stages or levels of lockdown, various restrictions have been eased allowing more businesses to recommence trading.

The timeline of the spread of the disease and the government’s response has become significant in the various court cases that have been launched dealing with business interruption (BI) claims brought and rejected under the various policies.

On 30 January 2020, the World Health Organization declared Covid-19 a public health emergency of international concern and on 11 March 2020 declared it a pandemic. The first positive case in South Africa was confirmed by President Cyril Ramaphosa on 5 March. Ten days later, the President announced a National State of Disaster related to Covid-19 in terms of the Disaster Management Act, and the Head of the National Disaster Management Centre, acting in terms of the Act, classified the Covid-19 pandemic as a National Disaster.

On 18 March 2020, the Minister of Cooperative Governance and Traditional Affairs published regulations (the initial Covid-19 regulations) imposing a number of restrictions, including a travel ban in respect of certain countries, outlawing gatherings of more than 100 people and the closing of schools. Just days later, on 23 March, the President announced a 21-day national lockdown commencing at midnight on 26 March until midnight on 16 April. Following this announcement, on 25 March 2020, the regulations were amended effectively resulting in

  • every person was confined to their place of residence unless strictly for the purpose of performing any essential service, obtaining essential goods or services, collecting a social grant, or seeking emergency, lifesaving or chronic medical attention;
  • all businesses and other entities were required to cease operations during the lockdown except for any businesses or entities involved in the manufacturing, supply or provision of an essential good or service; and
  • any place not involved in the provision of an essential good or service had to remain closed for the duration of the lockdown.

On 9 April 2020, the President announced an extension of the lockdown until 30 April. On 29 April 2020, new regulations were promulgated allowing the Minister to declare various alert levels in order to manage the pandemic.

Since that date, there have been various amendments to the regulations as the country moved through various alert levels, the latest of which were promulgated on 21 September in order to take into account lockdown alert Level 1. Under the latest alert level, most businesses have recommenced trading albeit with restrictions relating to health and safety and the number of people permitted in the business premises at any one time and most restrictions on movement have been removed.


 The inevitable result of the pandemic and the government’s response has been the adverse economic effect on many businesses. As one would expect, these businesses have looked to their insurance policies for assistance in mitigating the economic affect that they have suffered.

The approach on insurers has been unprecedented in South Africa and the pandemic highlighted two categories of business interruption insurance that could possibly respond to claims made by policyholders relating to business interruption losses suffered by them due to Covid-19.

The first category identified is what has collegially become known as standard business interruption insurance which traditionally requires an underlying physical damage to or loss of property as a trigger. In South Africa, most business interruption policies relate to this type of insurance where a policyholder must prove physical damage to the business property covered under the policy, before being entitled to a claim for business interruption losses.

South African insurers have taken the view that Covid-19 does not cause physical damage to or loss of property and claims under this type of insurance have been rejected. We are aware that a different approach has been taken in other countries, such as the United States where Covid-19 has been found to render property exposed to the disease as unsafe and unfit for their intended use, thereby amounting to ‘physical property damage or loss’. Nevertheless, this approach has not been followed by South African insurers and is unlikely to be the position held by South African courts.

The second category of business interruption insurance identified is where a policy has an extension for infectious or contagious diseases. This category of cover has caused consternation throughout the sector as both insurers and policyholders have sought legal opinions on the interpretation of what would trigger a valid claim and how exclusions for pandemics ought to be applied.

Most clauses within this second category contain similar requirements, albeit in different language, the most typical being:

  • the insured peril being in the form of ‘notifiable disease’;
  • the insured peril occurring within a radial limit from the insured premises;
  • a consideration of proximate cause; and
  • any exclusions in respect of pandemics for the government’s response to such a national disaster.

As the disease has progressed throughout the country (there are currently almost 700,000 confirmed cases of Covid-19 in South Africa), so too have the varying interpretations of these elements contained in the clause.

Arguments have ranged from whether the insured peril must be a local occurrence of the disease as opposed to a national pandemic, to the meaning of proximate cause and whether a government-imposed lockdown is an inevitable consequence of the national pandemic and its local outbreaks.

As at the time of writing this article, we are aware of three court cases brought against insurers in South Africa for an order that insurers are obliged to indemnify them under similar extensions.

In the first case of Café Chameleon CC v Guardrisk Insurance Company Ltd (case No 5736/2020, dated 26 June 2020), the applicant sought urgent declaratory relief to the effect that the respondent insurer was obliged to indemnify it in terms of an extension under the business interruption section of an insurance policy, for losses it suffered due to the closure of its restaurant following the government lockdown.

The insurer in that matter argued that the policy covered losses resulting from business interruption where the interruption was due to the notifiable disease occurring within the stipulated radius and did not cover losses as a result of other causes such as the lockdown.

The court rejected that argument and found that there was a clear connection between the Covid-19 outbreak and the government action that caused the interruption of the policyholder’s business. It therefore concluded that the insurer was liable to indemnify the policyholder for any loss suffered since 27 March 2020 resulting from the Covid-19 outbreak in South Africa which in turn resulted in the promulgation of the lockdown regulations.

Insurers have disagreed with the outcome and this judgment has been taken to appeal. The case is expected to be argued before the Supreme Court of Appeal in late November 2020.

Other cases brought by policyholders against their insurers have raised similar arguments and it remains to be seen whether the High Court hearing those arguments will arrive at a conclusion different to that of the Café Chameleon case.

In the meantime, the South Africa’s regulators in the form of the Financial Services Conduct Authority (FSCA) and the Prudential Authority (PA), who are entrusted with the regulation of insurers in South Africa, have also entered into the debate.

In a circular promulgated on 18 June 2020, the FSCA compared different claims that may be presented to insurers depending on the wording of the insuring clause in question and provide suggestions as to how such claims are to be treated. The FSCA then stated that insurers who did not deal with BI claims as referred to in that communication would be directed to do so in terms of the Financial Sector Regulation Act 9 of 2017.

Debates have been raging as to whether the FSCA is empowered to direct an insurer to interpret its contracts in a particular way in terms of this legislation but this issue has not been tested because several insurers entered into agreements with the FSCA that they would make interim relief payments to their policyholders in relation to business interruption claims.

In its press release of 24 July 2020, the FSCA stated that together with the PA, it had reached, ‘an understanding’ with non-life insurers in this regard. This understanding did not take the form of a binding directive that was in the nature of an agreement between the parties.

The understanding was that non-life insurers could make interim payments either on an interim basis pending legal certainty (through the court actions instituted) or in full and final settlement if insurers wished to do so.

Payments made by non-life insurers on this basis have caused reinsurers some concern, particularly relating to issues of aggregation of individual claims. As in other jurisdictions, most reinsurance contracts provide for aggregation of individual insured losses under certain conditions, mostly on the provision that payments by the underlying insurers have been made within the terms and conditions of the original policies. Some reinsurance contracts make provision for ex gratia payments to be aggregated only in circumstances where reinsurers have themselves consented to those payments in writing.

It is not clear whether reinsurers’ written consent to such interim relief payments was obtained in the course of the understanding reached by the underlying insurers with the Regulator, and whether those payments will be capable of aggregation.

Other reinsurance issues arise from the outbreak of the disease. The question has been raised globally whether in the context of a global catastrophe such as a global pandemic, underlying insurers can group multiple individual claims for the purposes of aggregation. In order to do so, a unifying factor that would bind the claims together would have to be identified. While in some policies such as accident and health policies, the direct cause of the loss and unifying factor can be established to be the disease, it may be more difficult to identify a unifying factor in respect of multiple outbreaks of the same disease within a country. The wider the spread of the disease in terms of time and place, the less likely a potential unifying factor can be found.

Over and above this, the language of the reinsurance contract must be considered to determine whether a causative link is required (in the form of proximate cause) or whether a common factor which could be described as an event is required. As in other jurisdictions, the wording of a particular reinsurance contract and the particular circumstances of each case must be considered.

Ultimately, South Africa’s insurance sector remains shrouded in a cloud of uncertainty while it awaits the outcome of the various court cases instituted. Never in its history has the ‘Chamberlain Curse’ rung more true: ‘I think that you will agree that we are living in the most interesting times’.

Thanks Webber Wentzel- this is a great article.

This article was first published by the International Bar Association on 23 October 2020.

 by Maria Philippides, Patrick Holloway

Webber Wentzel






  Every organization should have a comprehensive enterprise risk management in place that addresses four categories:

1. Strategy: High-level goals aligning and supporting the organization’s mission;

2. Operations: Effective and efficient use of resources;

3. Financial reporting: Reliability of operational and financial reporting;

4. Compliance: Compliance with applicable laws and regulations.

Cyber risk transverses all four categories and must be managed in the framework of information security risk management, regardless of your organization’s risk appetite and risk sensitivity.


 Cyber risk is tied to uncertainty like any form of risk.

As such, we should use decision theory to make rational choices about which risks to minimize and which risks to accept under uncertainty.

In general, risk is the product of likelihood times impact giving us a general risk equation of: risk = likelihood x impact.

IT risk specifically can be defined as the product of threat, vulnerability and asset value: risk = threat x vulnerability x asset value.

What is a threat? A threat is the possible danger an exploited vulnerability can cause, such as breaches or other reputational harm. Threats can either be intentional (i.e. hacking) or accidental (e.g. a poorly configured S3 bucket, or possibility of a natural disaster). Think of the threat as the likelihood that a cyber-attack will occur.

What is a vulnerability? A vulnerability is a threat that can be exploited by an attacker to perform unauthorized actions. To exploit a vulnerability, an attacker must have a tool or technique that can connect to a system’s weakness. This is known as the attack surface. It’s not enough to understand what the vulnerabilities are, and continuously monitor your business for data exposures, leaked credentials and other cyber threats. The more vulnerabilities your organization has, the higher the risk.

What is asset value? Arguably, the most important element of managing cyber risk is understanding the value of the information you are protecting. The asset value is the value of the information and it can vary tremendously. Information like your customer’s personally identifying information (PII) likely has the highest asset value and most extreme consequences. PII is valuable for attackers and there are legal requirements for protecting this data. Not to mention the reputational damage that comes from leaking personal information.


Good news, knowing what information risk management is (as we outlined above) is the first step to improving your organization’s cybersecurity.

The next step is to establish a clear risk management program, typically set by an organization’s leadership. That said, it is important for all levels of an organization to manage information security, as vulnerabilities can come from any employee and it is fundamental to your organization’s IT security to continually educate employees to avoid poor security practices that lead to data breaches. This usually means installing intrusion detection, antivirus software, two-factor authentication processes, firewalls, continuous security monitoring of data exposures and leaked credentials, as well as third-party vendor security questionnaires.


 Cybersecurity risk management is an important part of the lifecycle of any project. Organizations need to think through IT risk, perform risk analysis, and have strong security controls to ensure business objectives are being met.

However Risk avoidance isn’t enough. Organizations with information security policies but no security programs to protect their IT systems have insufficient security management practices.

Without comprehensive IT security management, your organization faces financial, legal, and reputational risk.

In order to assist all THE LEGAL TEAM and Lee’s Compliance Subscribers, we have prepared a number of Cybersecurity and IT Risk assessments and questioners, which are essential activities which have to be performed in accordance with the provisions of section 19 and 20 of POPIA.

Click here to access if you are a subscriber.


DATA SECURITY- sections 19-21

Share this post

Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on pinterest
Share on print
Share on email