The Promotion of Access to Information Act No. 2 of 2000, as amended, (“PAIA”) regulates access to records held by both public and private bodies in South Africa. PAIA encourages openness and has the intention of establishing mechanisms or procedures which give effect to the right of access to information in a speedy, inexpensive, and easy manner. PAIA is applicable to all types of information, not merely personal information as some might think.

In terms of PAIA, all public and private bodies in South Africa need to compile a manual that contains, amongst other things, the postal and street address, phone number and e-mail address of the head of the entity; what records are available to an interested party without having to request access in terms of PAIA; a description of the records of the entity, which are available in accordance with any other legislation; and how to request records from the entity in terms of PAIA. Essentially, the manual must explain to the public how they can get access to the records held by the entity in terms of PAIA.

Sections 110 and 114(4) of the Protection of Personal Information Act No. 4 of 2013, as amended, (“POPIA”), provide for certain amendments to PAIA and the effective transfer of certain regulatory mandate functions previously performed by the South African Human Rights Commission (“SAHRC”) to the Information Regulator.

POPIA has effectively widened the scope of the information that the PAIA Manual must cover to include matters relating to the processing of personal information. One of the data processing principles under section 5 of POPIA is that of data subject participation, which allows for data subjects to access and correct their personal information held by a responsible party. The PAIA Manual should now provide for a data subject to be able to request this information from the entity.

Section 17 of POPIA requires a responsible party to maintain a record of all processing operations (or activities or functions) under its responsibility in a PAIA Manual. The PAIA Manual must deal with:

  • what personal information the entity processes;
  • to whom the personal information relates to;
  • the purpose for which the entity processes this personal information;
  • to whom the entity shares the personal information with; and
  • what information security measures the entity has in place to secure the personal information in its possession or under its control.

Up until 31 December 2021, certain exemptions issued by the Minister of Justice and Correctional Services allowed smaller private bodies to be exempt from compiling a PAIA Manual. From 1 January 2022, every entity must have a PAIA Manual – no exceptions.

There does seem to be a confusion about whether entities should have a POPIA Manual and whether this is the same document as a PAIA Manual. It is not. There is in actual fact no such thing as a POPIA Manual. The PAIA Manual is compiled in terms of PAIA and merely needs to include certain information as obligated in POPIA. This confusion might have arisen as a result of the Information Regulator taking over the PAIA functions, but it is still a separate manual.

Each entity must have its PAIA Manual available at its principal place of business and on its website (if the entity has one). In terms of sec 51(1) of PAIA, all previously compiled PAIA Manuals of both public and private bodies must be updated to include the aforementioned provisions relating to the processing of personal information in terms of POPIA.

From 30 June 2021 the Information Regulator took over the PAIA related functions from the SAHRC and it has made it clear that it plans on clamping down on entities that do not have PAIA Manuals on their websites and will be doing drop-ins at entities’ principal places of business to inspect the PAIA Manuals.

Compliance with a PAIA Manual, unlike general POPIA compliance, is likely to be  easier for the Information Regulator to police and for this reason, the risk of a fine emanating from non-compliance here will be bigger than the risk of a fine for general POPIA non-compliance.

The Information Regulator has also uploaded a “Guide on how to use the Promotion of Access to Information Act 2 of 2000” to its website in all the official languages. It is recommended that each entity keeps copies of these guides with its PAIA Manuals to ensure the public has access to it when requesting information.

On 06 October 2023, the Information Regulator issued a further Compliance Notice in terms of Section 83(3)(d) of PAIA. This notice is aimed at entities who have not updated their PAIA Manuals in line with PAIA as aforementioned, but also includes another mandatory form that should be included in your current PAIA Manual.

Your PAIA Manual must include:

  • Form 02: Request for Access to Record [Regulation 7]
  • Form 03: Outcome of request and of fees payable [Regulation 8]

If you do have an existing PAIA Manual, ensure you merge the mandatory forms to your Manual. The forms can be downloaded on the Information Regulator’s website.

Very important to remember – it is a criminal offence not to have a PAIA Manual if you are required to do so, and your entity may face fines for non-compliance.

Should you not have a PAIA Manual, or if your PAIA Manual has not been updated in terms of the provisions of POPIA or with the mandatory PAIA forms, contact us to assist you.