UrgentGo Courier
Compliance Guide · 11 min read

POPIA Compliance for Couriers: What Law Firms and Medical Practices Need to Ask Before Booking

Under the Protection of Personal Information Act, your courier is an operator (POPIA's term for a data processor), and you remain the responsible party. If they mishandle confidential documents or patient records, your practice is the one that answers to the Information Regulator. Here are the 10 critical questions you must ask before handing over sensitive information.

Priya Patel
May 2026 • Data Protection & Courier Compliance

When a law firm sends a client's financial disclosure affidavit to the Master's Office, or when a medical practice couriers a patient's HIV test results to a pathology laboratory, that courier becomes an operator (data processor) under the Protection of Personal Information Act (POPIA). If the courier loses the parcel, leaves it unattended, or allows unauthorised access, it is the law firm or medical practice, as the responsible party, that faces the complaint to the Information Regulator. The courier has its own statutory duties as operator, but those do not transfer your accountability.

This is not theoretical. In 2024, a Johannesburg law firm was reprimanded by the Information Regulator after a courier left a box of client files at an incorrect reception desk, where they were accessible to the public for four hours. The firm had not verified the courier's data handling processes. The fine was modest, but the reputational damage was significant.

This guide provides a practical compliance checklist that every law firm, medical practice, and any organisation handling personal information should use before booking a courier. These questions apply to any courier you consider — use them as a standard procurement requirement.

What Is POPIA and Why Does It Apply to Couriers?

The Protection of Personal Information Act 4 of 2013 (POPIA) is South Africa's data protection law. It was enacted in 2013, before the European Union's GDPR, and shares many of the same principles: lawful processing, purpose limitation, security safeguards, and data subject rights. It regulates how organisations collect, use, store, and share personal information. "Personal information" is defined broadly in Section 1: any information relating to an identifiable, living, natural person (and, where applicable, an identifiable, existing juristic person), including names, ID numbers, addresses, medical records, financial details, biometric data, and even opinions about a person.

When you give a courier a document containing personal information, the courier becomes an operator (data processor) as defined in POPIA Section 1: a person who processes personal information for a responsible party under a contract or mandate, without coming under that party's direct authority. The responsible party (you, the law firm or medical practice) must ensure that any operator processing personal information on your behalf establishes and maintains the security measures required by POPIA Section 19, and Section 21 requires that this be done under a written contract.

In plain terms: if your courier mishandles personal information, you are responsible. This makes courier selection a compliance decision, not just an operational one.

Key POPIA Sections Relevant to Couriers

  • Section 19: Security safeguards — you must ensure your operators protect personal information.
  • Section 20: Information processed by operator — operators may only process personal information with your knowledge and authorisation.
  • Section 21: Security measures on operators — you must have a written contract with operators ensuring they establish proper security.
  • Section 22: Notification of breach — you must notify the Information Regulator and affected individuals if personal information is compromised.

Question 1: Do Your Couriers Sign Confidentiality Agreements?

Every courier who handles documents containing personal information should sign a confidentiality and non-disclosure agreement (NDA) before being assigned to your deliveries. POPIA Section 20 requires an operator, and anyone acting under an operator's authority, to treat the personal information as confidential and not disclose it unless required by law; a signed NDA is the practical evidence that each individual handler has been bound to that duty.

What to ask: "Can you provide a signed confidentiality agreement for every courier who will handle our documents?" The answer should be yes, and they should be able to produce the agreements on request. A generic "all our staff sign NDAs" statement is not enough — ask for evidence.

Red flag: If the courier uses gig-economy drivers or subcontractors who have not signed NDAs directly with the courier company, there is a gap in your compliance chain. The subcontractor is also an operator, and your contract with the main courier does not automatically bind them.

Question 2: Is There a Data Processing Agreement in Place?

POPIA Section 21 requires that when you engage an operator to process personal information on your behalf, you must have a written contract in place that requires the operator to establish and maintain security safeguards. This is your Data Processing Agreement (DPA).

A DPA should specify:

  • Exactly what personal information the courier will process and for what purpose.
  • The security measures the courier must maintain (tamper-evident bags, GPS tracking, locked vehicles, etc.).
  • That the courier may only process the information according to your instructions.
  • That the courier must notify you immediately of any breach or suspected breach.
  • What happens to personal information when the contract ends — it must be returned or securely destroyed.
  • Your right to audit the courier's security measures.

What to ask: "Do you provide a formal Data Processing Agreement that covers POPIA Section 21 requirements?" If the courier does not know what a DPA is, or offers only a standard service terms and conditions document, that is a compliance gap.

Question 3: How Is Personal Information Protected in Transit?

POPIA Section 19 requires "appropriate, reasonable technical and organisational measures" to protect personal information. For courier services, this translates to physical security measures during transport.

Minimum physical security standards for personal information in transit:

  • Documents must travel in tamper-evident sealed bags or locked containers. A plain envelope in a courier's backpack is not sufficient.
  • Courier vehicles must be lockable, and couriers must not leave parcels unattended in vehicles while making other deliveries.
  • Personal information must not be visible to other passengers or left in shared transport.
  • Digital tracking must be available so you can verify the parcel's location and custody status throughout the delivery.
  • Couriers must not open, read, scan, or photograph documents containing personal information.

What to ask: "Describe the physical security measures you use when transporting documents containing personal information." The answer should include specific measures, not vague reassurances.

Question 4: What Proof of Delivery Documentation Is Provided?

Proof of delivery is not just a convenience — under POPIA, it is part of your accountability record. If a patient claims their medical records were never delivered to the lab, or a client alleges their settlement agreement never reached the opposing attorney, your proof of delivery is your defence.

POPIA does not prescribe a proof of delivery format, but a defensible accountability record should include:

  • Digital signature of the recipient, captured on a secure device (not a scrap of paper).
  • Photograph of the handover (recipient and document). Note that a photograph of the recipient is itself personal information: the courier must collect no more than is needed to evidence delivery and must retain it under the same safeguards as the delivery itself.
  • GPS coordinates and exact timestamp of delivery.
  • Unique tracking reference linked to your booking.
  • Instant email confirmation to your practice with all documentation attached.

What to ask: "What exactly does your proof of delivery include, and how quickly do I receive it?" If the answer is "we send a WhatsApp photo" or "the driver calls to confirm," that is not adequate evidence if a delivery is ever disputed.

Question 5: Are Couriers Vetted and Background-Checked?

A courier with a criminal history involving fraud, identity theft, or data-related offences should not handle documents containing personal information. POPIA does not explicitly mandate criminal background checks, but Section 19's requirement for "reasonable" security measures implies that vetting personnel who handle sensitive data is a reasonable step.

What to ask: "Do you conduct criminal background checks on all couriers who handle sensitive or confidential deliveries? Can you confirm this in writing?" Also ask whether checks are repeated periodically — a clean record from 2019 does not guarantee current suitability.

Question 6: Is There a Chain of Custody for Sensitive Documents?

A chain of custody is a documented sequence of custody, control, transfer, analysis, and disposition of physical evidence. For legal and medical couriers, it proves that the document or specimen was handled only by authorised personnel from pickup to delivery.

A proper chain of custody record includes:

  • Who collected the document from your office (name, ID, timestamp).
  • Every transfer point — if the document is handed from a collection driver to a delivery driver, both must sign.
  • Who delivered the document at the destination (name, ID, timestamp).
  • Who received it (name, signature, timestamp).
  • Seal numbers or tamper-evident identifiers at each stage.

What to ask: "Can you provide a full chain of custody report for every delivery, including handler names, timestamps, and seal numbers?" If the courier cannot produce this, you cannot prove compliance if challenged.
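As an added example, not UrgentGo's own system or code, the check below validates a custody log against the record structure described above: every handler identified, both parties signing each transfer, timestamps that never run backwards, and the seal number unchanged from collection to delivery (a seal change is only acceptable on an explicitly recorded reseal). The event fields, sample handler names, staff numbers and seal numbers are constructed for illustration and are not from any real delivery.

```python
"""Chain-of-custody validator for courier delivery records.

Added example, not UrgentGo's own system. It checks a custody log for the
properties a chain-of-custody record must have: every handler identified,
both parties signing at every handover, timestamps in order, and a
tamper-evident seal number that stays constant from collection to delivery
unless a "resealed" event is explicitly recorded.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List


@dataclass(frozen=True)
class CustodyEvent:
    ts: str            # ISO 8601 timestamp with offset, e.g. "2026-05-04T08:02:00+02:00"
    action: str        # "collected", "transferred", "resealed" or "delivered"
    from_party: str    # handler releasing custody (name and staff ID as recorded)
    to_party: str      # handler receiving custody
    seal: str          # seal number on the tamper-evident bag after this event
    from_signed: bool  # releasing party signed the handover
    to_signed: bool    # receiving party signed the handover


VALID_ACTIONS = {"collected", "transferred", "resealed", "delivered"}


def validate_chain(events: List[CustodyEvent]) -> List[str]:
    """Return a list of findings; an empty list means the chain is intact."""
    findings: List[str] = []
    if not events:
        return ["empty custody record"]
    if events[0].action != "collected":
        findings.append("record does not start with a collection event")
    if events[-1].action != "delivered":
        findings.append("record does not end with a delivery event")

    prev = None
    for i, ev in enumerate(events):
        if ev.action not in VALID_ACTIONS:
            findings.append(f"event {i}: unknown action {ev.action!r}")
        # Every handover needs both signatures, not just the receiver's.
        if not (ev.from_signed and ev.to_signed):
            findings.append(f"event {i}: handover not signed by both parties")
        if prev is not None:
            # Continuity: whoever received custody last must be the one releasing it now.
            if ev.from_party != prev.to_party:
                findings.append(
                    f"event {i}: custody gap, {prev.to_party!r} last held the item "
                    f"but {ev.from_party!r} is releasing it"
                )
            # Time must move forward; a backwards timestamp points to a rewritten record.
            if datetime.fromisoformat(ev.ts) < datetime.fromisoformat(prev.ts):
                findings.append(f"event {i}: timestamp earlier than previous event")
            # The seal must survive unchanged unless a reseal was explicitly recorded.
            if ev.seal != prev.seal and ev.action != "resealed":
                findings.append(
                    f"event {i}: seal changed from {prev.seal} to {ev.seal} "
                    f"without a recorded reseal"
                )
        prev = ev
    return findings


def intact_chain() -> List[CustodyEvent]:
    """Constructed sample: collection, one driver-to-driver transfer, delivery."""
    return [
        CustodyEvent("2026-05-04T08:02:00+02:00", "collected",
                     "Practice reception", "Driver A (staff 0001)", "S-1001", True, True),
        CustodyEvent("2026-05-04T08:45:00+02:00", "transferred",
                     "Driver A (staff 0001)", "Driver B (staff 0002)", "S-1001", True, True),
        CustodyEvent("2026-05-04T09:30:00+02:00", "delivered",
                     "Driver B (staff 0002)", "Lab receiving desk", "S-1001", True, True),
    ]


def broken_chain() -> List[CustodyEvent]:
    """Constructed sample: unsigned transfer, a driver who never received custody, swapped seal."""
    return [
        CustodyEvent("2026-05-04T08:02:00+02:00", "collected",
                     "Practice reception", "Driver A (staff 0001)", "S-1001", True, True),
        CustodyEvent("2026-05-04T08:45:00+02:00", "transferred",
                     "Driver A (staff 0001)", "Driver B (staff 0002)", "S-1001", True, False),
        CustodyEvent("2026-05-04T09:30:00+02:00", "delivered",
                     "Driver C (staff 0003)", "Lab receiving desk", "S-2042", True, True),
    ]


if __name__ == "__main__":
    for name, chain in (("intact", intact_chain()), ("broken", broken_chain())):
        problems = validate_chain(chain)
        print(f"{name}: {'OK' if not problems else problems}")
```

Run against the broken sample, the validator reports three findings: the unsigned transfer, the custody gap between Driver B and Driver C, and the seal that changed without a recorded reseal. Any one of those would leave you unable to prove uninterrupted authorised handling if a client or the Regulator asked.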

Question 7: How Is Data Disposed of After Delivery?

After delivery, the courier may retain certain information: your client's name, address, the fact that a delivery was made. POPIA Section 14 requires that records of personal information are not kept longer than necessary for the purpose for which they were collected, and that they are destroyed or de-identified once that purpose has been served. Your DPA should specify what information the courier retains, for how long, and how it is securely destroyed when no longer needed.

What to ask: "What personal information do you retain after delivery, how long do you keep it, and what is your secure destruction process?" The answer should be specific: "We retain delivery records for 2 years for audit purposes, then shred physical documents and purge digital records from our systems."

Question 8: Does the Courier Have Cyber Insurance?

If the courier uses digital systems to record POD, track deliveries, or store your client data, those systems are exposed to cyber attack. If a courier's database is breached and your client information is exposed, who pays? Cyber insurance covers the financial consequences of data breaches, including notification costs and credit monitoring for affected individuals; whether regulatory fines are covered depends on the policy and on whether they are insurable at all, so check the wording rather than assuming.

What to ask: "Do you carry cyber liability insurance, and what is the coverage limit? Does the policy cover breaches involving personal information we entrust to you?" Ask for a certificate of insurance.

Question 9: Can You Restrict Access to Specific Personnel?

For ultra-sensitive deliveries — a high-profile divorce settlement, a celebrity patient's medical records, a whistleblower's affidavit — you may want to restrict handling to named, trusted couriers only. A compliant courier should be able to designate specific personnel for specific clients and exclude others.

What to ask: "Can we request that only named, pre-approved couriers handle our sensitive deliveries?" If the courier assigns drivers randomly through an app, this may not be possible.

Question 10: What Happens in Case of a Data Breach?

POPIA Section 22 requires that where there are reasonable grounds to believe personal information has been accessed or acquired by an unauthorised person, the responsible party must notify the Information Regulator and the affected data subjects "as soon as reasonably possible" after discovery. Section 21(2) places the matching duty on the operator: it must notify you immediately when it has reasonable grounds to believe such a compromise has occurred. You cannot meet your Section 22 deadline if your courier sits on the news.

What to ask: "What is your breach notification protocol? How quickly will you notify us if personal information is lost, stolen, or accessed by an unauthorised person?" The statute says immediately; in practice, insist on a written commitment of no more than 24 hours from discovery, with a named contact and what the notification will contain. If the courier does not have a written breach protocol, you cannot comply with your own POPIA notification obligations.

Your POPIA Courier Booking Checklist

Before booking any courier for deliveries containing personal information, run through this checklist. If any item is missing, you have a compliance gap that should be resolved before the booking proceeds.

POPIA Pre-Booking Verification Checklist

  • Signed confidentiality agreement on file for every courier. Request copies and verify the signatures are current.
  • Written Data Processing Agreement covering POPIA Section 21. Review it with your legal advisor; do not accept generic Ts&Cs as a substitute.
  • Confirmed physical security measures for transit. Tamper-evident bags, locked vehicles, no unattended parcels.
  • Digital proof of delivery with signature, photo, GPS, and timestamp. WhatsApp photos and verbal confirmations are not adequate records.
  • Background checks confirmed for all handling personnel. Ask for written confirmation, not verbal assurance.
  • Chain of custody documentation available on request. You need this for audit and dispute resolution.
  • Data retention and destruction policy confirmed in writing. Know what they keep, for how long, and how they destroy it.
  • Cyber liability insurance certificate provided. Verify the policy covers data breaches involving your information.
  • Named-courier restriction available for sensitive matters. For high-profile or ultra-confidential deliveries.
  • Written breach notification protocol with a 24-hour commitment. You cannot comply with POPIA Section 22 if your courier delays notification.

How UrgentGo Addresses Each POPIA Requirement

UrgentGo's legal and medical courier services are built with POPIA compliance as a foundational requirement, not an afterthought. Here is how each of the 10 questions above is answered by our service:

POPIA requirement, and how UrgentGo meets it:

  • Confidentiality agreements: all legal and medical couriers sign NDAs; copies available on request.
  • Data Processing Agreement: formal DPA provided to all business account holders, covering POPIA Section 21.
  • Physical security in transit: tamper-evident sealed bags, locked vehicles, no unattended parcels, GPS tracking.
  • Proof of delivery: digital signature, recipient photo, GPS coordinates and timestamp, emailed instantly.
  • Courier vetting: enhanced background checks for all personnel handling sensitive deliveries.
  • Chain of custody: full audit trail with handler names, timestamps, seal numbers, and transfer records.
  • Data retention and destruction: delivery records retained for 2 years, then securely purged; physical documents shredded.
  • Cyber insurance: cyber liability insurance covering data breaches; certificate available on request.
  • Named-courier restriction: business accounts can request dedicated named couriers for sensitive matters.
  • Breach notification: written breach protocol, with notification within 4 hours of discovery and a 24-hour maximum.

What Happens If You Ignore POPIA Courier Compliance?

The Information Regulator can issue enforcement notices, impose administrative fines of up to R10 million, and in serious cases refer matters for criminal prosecution. But the real risk for most law firms and medical practices is not the fine; it is the reputational damage, the client exodus, and the professional indemnity claim.

If a client's confidential settlement terms are leaked because a courier left documents at the wrong address, that client has grounds for a complaint to the Legal Practice Council and the Information Regulator. If a patient's HIV status is exposed because a medical record was lost by an unvetted courier, the patient has grounds for a complaint to the Health Professions Council and a damages claim.

POPIA compliance is risk management. The 10 questions above take 15 minutes to ask and may save your practice from a complaint that costs months to resolve and years of reputational recovery.

Quick POPIA Reminder

POPIA applies to every organisation that processes personal information — including sole practitioners and small clinics. There is no minimum size exemption. If you send documents containing names, ID numbers, addresses, medical records, or financial details via courier, POPIA applies to you.

Summary: Protect Your Practice Before You Book

  1. Recognise that your courier is a POPIA data processor, and you are responsible for their compliance.
  2. Demand signed confidentiality agreements from every courier who handles personal information.
  3. Insist on a formal Data Processing Agreement covering POPIA Section 21 requirements.
  4. Verify physical security measures: tamper-evident packaging, locked vehicles, GPS tracking.
  5. Require digital proof of delivery with signature, photo, GPS, and timestamp — not informal confirmations.
  6. Confirm background checks, chain of custody documentation, and data destruction policies.
  7. Ask for cyber insurance and a written breach notification protocol with clear timeframes.
  8. Use the checklist above as a standard procurement tool for every courier engagement.
Priya Patel

Data Protection & Compliance Officer

Contributing since 2024

Priya Patel is a certified information governance professional with expertise in South African data protection law, POPIA compliance, and courier industry regulatory frameworks. She has conducted compliance audits for legal firms, medical practices, and logistics operators, helping organisations align their courier partnerships with statutory privacy obligations.

Tags: POPIA Compliance, Data Protection, Information Governance, Courier Risk Management

Booking a Courier With Sensitive Information?

UrgentGo provides POPIA-aligned legal and medical courier services with confidentiality agreements, Data Processing Agreements, full chain of custody, and instant digital proof of delivery.

Legal Disclaimer: By using UrgentGo Courier (Pty) Ltd services, you acknowledge and agree to our Terms of Service and Privacy Policy. UrgentGo Courier (Pty) Ltd (Reg. No. 2024/844754/07) shall not be held liable for delays, losses, or damages arising from circumstances beyond our reasonable control, including but not limited to force majeure events, incorrect address information, or improper packaging. All refund and claims requests are subject to our standard claims procedure and must be submitted in writing within 30 days of the shipment date. Wallet credits and prepaid business account balances are non-refundable upon cancellation. Services are governed by South African law.