You must comply with the Promotion of Access to Information Act 2 of 2000 (PAIA) because it applies to all organisations in South Africa. The word cloud on the right provides an overview of the PAIA. From the word cloud you can see that:

  • the most important theme is access
  • the main role players are the requester on the one hand and a public or private body on the other hand
  • it is all about access to information held in records
  • a requester needs to request access

In terms of the Promotion of Access to Information Act, all private bodies (entities mentioned above as defined in PAIA) and public bodies (mainly state departments and state administrations as defined in PAIA) must give access to their records if a party requests a record in terms of PAIA. It is accordingly important to:

  1. understand what a record is;
  2. know what record is requested;
  3. know when you must give access to a record;
  4. know when you may refuse access to a record; and
  5. have the necessary procedures in place to comply with PAIA.

Actions you can take

  • Find out more about it by reading the rest of this article, attending a workshop or buying a book on it.
  • Comply with it by getting practical legal solutions.

Background on the Promotion of Access to Information Act

PAIA gives effect to section 32 of the Constitution which provides for the right of access to:

  • any information held by the state;
  • any information that is held by another person and that is required for the exercise or protection of any right.

PAIA aims to bring a balance between the interests and rights of:

  1. the requester of a record; and
  2. the public or private body (business) that holds the record.

There are many issues or areas to which PAIA could apply.

The implications of PAIA for business


PAIA defines a record to be any recorded information that a business holds in any form or medium (our definition). For purposes of PAIA records also include records that third parties created (now under the control of the business).

It is very important to note and understand that records include email and other recorded electronic communications.

Access to records

The most important implication of PAIA is that a party may request a business to allow him access to records that the business holds – under the circumstances that PAIA allows for. A requester must meet the following requirements to get access:

  1. To get access to records of private bodies a requester must establish that “that record is required for the exercise or protection of any rights” (section 50). “rights” in this context is not defined by PAIA and is subject to interpretation. You may ask whether “rights” include all legal rights – constitutional, statutory and common law rights, or whether it only refers to constitutional (or fundamental) rights. In my view the wider interpretation of “rights” is more probable. It is relatively easy to comply with this requirement. A requester for access to records of public bodies has a general or automatic right in terms of section 11.
  2. A requester must comply with the procedure that PAIA stipulates – the request must be in the format that the Regulations specify and the requester must pay the prescribed fees to the business. Again, relatively easy to comply with.
  3. There must not be any grounds for refusal (as determined in PAIA). An example of a ground of refusal is an “unreasonable disclosure of personal information about a third party”. The refusal grounds attempt to create a balance between the rights of the requester to access information on the one hand, and the rights of the body that holds the information and third parties, on the other hand. This third requirement may in certain cases be a bit more difficult to overcome.

PAIA Manual

A further implication is that you must compile a manual that contains certain information that PAIA specifies. The manual should explain to the public (1) how they can request access to information that you hold and (2) which information you hold. A public body must go even a step further and include in the manual (3) “a description of all remedies available in respect of an act or failure to act by the body”.

In terms of PAIA “Each manual must be made available as prescribed”. The Regulations under PAIA determine that a manual must be available on the web site of a business.

Information Audit and Information Management Policies

A business will not be able to comply with PAIA unless it knows what records it holds. You therefore need to conduct an audit on the information which you currently hold. Businesses need to determine the subjects and categories of information they hold.

You will also need to review your Information Management Policies to ensure that information or records that come into existence in the future fall within the subjects and categories you determined in the audit. You should also consider very carefully which information you want to keep and which you want to destroy. E-mail falls within the definition of a “record”, so your Electronic Communication Policy must tie in with the Information Management Policy.

Automatically Available Information

The information audit will also help you establish the categories of records that you will automatically make available without a person having to request access in terms of the Promotion of Access to Information Act. This may save a lot of valuable time. This obligation is compulsory for public bodies and optional (but advisable) for private bodies.

Human Infrastructure

All businesses need to designate and appoint suitable people to deal with and implement the provisions of PAIA.

PAIA provides that each public body must “designate such number of persons as Deputy Information Officers as are necessary to render the public body as accessible as reasonably possible for requesters of its records” (Section 17).

The head of the private body, as defined in PAIA, is the person designated and responsible to ensure that the business implements the provisions of PAIA. The head is entitled to appoint and authorise persons to perform the relevant tasks. In terms of PAIA these people must perform several important functions, one of which is to decide on whether access to information should be granted or not. Businesses should therefore train the relevant people properly.


You should consider the implications of the Promotion of Access to Information Act carefully.

The Promotion of Access to Information Act has far reaching implications for organisations. You should consider implementing an Access to Information Policy. The Access to Information Policy should tie in closely with both the Electronic Communications Policy and the Information Management Policy of the organisation. This is very important – in terms of PAIA it is an offence to destroy, damage or conceal a record in order to deny a requester access to it.

More important from a business perspective, if you don’t comply with the Promotion of Access to Information Act, you may very well end up:

  • giving information to parties that you should not be giving and facing damages claims as a result;
  • opposing applications for access in court.

Litigation is expensive and time consuming – avoid it if possible.