South Africa’s Information Regulator conducts PAIA compliance assessments on public and private bodies in terms of section 77H of the Promotion of Access to Information Act (PAIA). PAIA plays a crucial role in an organisation’s transparency and accountability to the public. South Africa’s Information Regulator has certain responsibilities to monitor an organisation’s compliance with PAIA, including commencing PAIA compliance assessments. 

Recently, the regulator requested that the heads of all private bodies submit a PAIA section 83(4) report (PAIA report) to them through their portal. The deadline to submit the reports is 30 June every year. Public bodies also need to submit PAIA section 32 reports. All organisations must submit their report by the deadline. 

Private and public bodies need to submit their PAIA reports yearly

Suppose a private or public body fails to submit a report, or the report is not sufficiently complete or accurate. In that case, the regulator may launch an assessment into the organisation’s PAIA compliance. The regulator has already announced that it will assess political parties’ compliance soon. 

PAIA assessments

Section 77H of PAIA empowers the regulator to conduct PAIA assessments on organisations to determine whether a public or private body generally complies with the provisions of PAIA, especially with regards to policies and implementation procedures.

We think this is an example of the regulator’s intention to make sure high public interest entities are compliant. 

During the compliance assessment, the regulator may:

  1. Request information: The regulator can request relevant documents, policies, procedures and records from organisations. This is to assess if the organisation has proper systems to manage and respond to information requests.
  2. Inspect premises: The regulator may request that it visits an organisation’s premises to verify compliance with PAIA. This could mean examining physical records, observing information management practices, and evaluating the organisation’s overall commitment to promoting access to information.
  3. Interview staff: The regulator can interview an organisations to gather information about the processes and procedures followed when handling information requests. These interviews help determine the organisation’s level of compliance with PAIA.

What happens if the regulator finds that the organisation does not comply with its obligations under PAIA? In this instance, the regulator:

  • can provide guidance and recommendations to help organisations rectify the issues, 
  • issue enforcement notices, or 
  • take further legal action if necessary.

Ultimately, a PAIA assessment will impact an organisation’s business operations. These assessments could be significantly time consuming and resource intensive too. You’ll want to do what you can to prevent being assessed. 

Examples of a PAIA compliance assessment the Regulator has conducted

  • Social media platforms. In 2024 the regulator conducted PAIA compliance assessments into Google, Facebook and TikTok. The regulator’s assessments of the social media platforms are an indication of the extra-territorial reach of PAIA.
  • Law firms. The regulator conducted PAIA compliance assessments into seventeen law firms including the firms known as ‘the big five’ (Bowmans, Cliffe Dekker Hofmeyr, ENSafrica, Webber Wentzel and Werksmans).
  • Schedule 2 public entities. The regulator assessed Schedule 2 public entities including the Development Bank of Southern Africa, Eskom, Telkom SA, and Transnet.

Actions you can take regards a PAIA compliance assessment