Griessel Consulting 1
Promotion of Access to Information Act PAIA Regulations and Manual Introduction The Information Officer of an organisation has a dual duty as it relates to the access to information held and processed by the entity Whilst the Protection of Personal Information Act POPIA has been in the forefront of people s minds in recent months it is important not to forget the duties of the Information Officer in respect of PAIA There are a number of offences and penalties for non compliance listed in the Act Whilst POPIA deals with the protection of personal information specifically PAIA is much broader in that it deals with access to any information held by an organisation There are prescribed procedures and conditions for a person to apply for access to information under PAIA and there are also prescribed grounds on which such requests may be granted or refused Information officers will have to be aware of these provisions and deal with such requests in conjunction with their duties under POPIA It is also important to take note of the fact that whilst some smaller private bodies may have been exempted from having to publish a Manual in terms of PAIA this exemption expired on 31 December 2021 This means that all organisations have to compile and publish a PAIA Manual containing certain prescribed information about the entity as from 1 January 2022 The head of a private body will be held accountable for this duty with potential criminal liability attached to non compliance The Information Regulator has taken over administration and enforcement of PAIA from the Human Rights Commission as from 1 July 2021 It has consequently published new PAIA Regulations 27 August 2021 as well as templates for compiling a PAIA Manual 3 September 2021 The PAIA Regulations The main purpose of the Regulations is the alignment of the previous PAIA regulations under the HRCSA with POPIA under the purview of the Information Regulator Amongst other things the Regulator is obliged to publish a Guide on how to use PAIA or rather updating the one published by the HRCSA previously to enable the right of people to realise their right of access to information This Guide was subsequently published during October 2021 and provides information on procedures formats remedies etc to assist people to exercise their rights and obligations in terms of the Act A copy thereof must be kept by the Information Officer and be made readily available to people upon request Griessel Consulting 2
The Regulations further provide for procedures and forms regarding requesting access to information held by a responsible party and various related functions payment of fees appeals and complaints The Regulations also contain further duties for Information Officers Compile keep and update a description of the categories of records that are voluntarily disclosed or automatically available this is optional for private bodies Assist requesters of access to information and communicate the appropriate decisions to them Respond to complaints about such decisions received via the Information Regulator within 20 working days and cooperate with its investigation PAIA Manual The templates published by the Information Regulator are aimed at assisting responsible parties to develop their own PAIA Manuals as is required in terms of Section 51 of the Promotion of Access to Information Act Under POPIA Regulations and the Regulator s guidelines it is the responsibility of the Information Officer of an entity to develop monitor maintain and make available the entity s PAIA Manual Contents A PAIA Manual details the processes to be used by data subjects requesting information from a private body and indicates what type of records are held by the particular organisation In line with POPIA a PAIA Manual must now also contain details regarding the data collection and processing methods of the organisation as it relates to personal information This includes the categories and types of personal information collected by a responsible party how the personal information collected is processed and what the purpose is for such processing the recipients or categories of recipients to whom the personal information collected may be supplied any planned transborder flows of personal information and the security measures undertaken by a responsible party to ensure the confidentiality integrity and availability of the information to be processed Griessel Consulting 3
If an organisation has made an effort with their POPIA compliance in particular by conducting a proper activity and data flow mapping exercise then the information to populate these items in the PAIA Manual should be easily available Availability The PAIA Manual must be made available on the entity s website and at its principal place of business during office hours to any person upon request and upon payment of a reasonable amount and to the Information Regulator upon request A copy of the PAIA Manual no longer has to be submitted to the Regulator as a matter of course The PAIA Manual must include a reference to the Guide on how to use PAIA referred to above Conclusion All organisations and Information Officers should ensure that they have a PAIA Manual available and that this has been updated to include the new provisions around POPIA They should also be prepared for inspection visits from the Regulator s office and demands to see and inspect the organisation s printed PAIA Manual This is an easy area for the Regulator to demonstrate its enforcement intentions with very little risk or room for legal challenges relating to such inspections Either the organisation has a PAIA Manual or not and the manual is either compliant or not Judith Griessel Updated August 2022 Griessel Consulting 4