The Promotion of Access to Information Act 2 of 2000 (commonly known as PAIA) is South Africa’s access to information law and it enables people to gain access to information held by both public and private bodies. All organisations in South Africa must comply with it. In this blog, we’ll look at who regulates it, the risks of non-compliance, what action you need to take to comply with it, and why you should care about it.

You should consider the practical implications and impact of the Promotion of Access to Information Act (and its PAIA regulations) on your specific organisation carefully.

What does the Promotion of Access to Information Act deal with?

The word cloud provides an overview of PAIA.

  • The most important theme is access to information (ATI).
  • The main role players are the requester on the one hand and a public or private body on the other hand.
  • It is all about access to information held in records. 
  • A requester needs to request access.

In terms of the Promotion of Access to Information Act, all private bodies (entities mentioned above as defined in PAIA) and public bodies (mainly state departments and state administrations as defined in PAIA) must give access to their records, if someone requests a record in terms of PAIA. So it is important to:

  1. understand what a record is;
  2. know what record is requested;
  3. know when you must give access to a record;
  4. know when you may refuse access to a record; and
  5. have the necessary procedures in place to comply with PAIA.

A record of your processing activities

In South Africa section 17 of POPIA requires a responsible party to maintain a record of all processing operations (or activities or functions) under its responsibility in a PAIA manual. This means that POPIA requires you to provide additional information in your PAIA manual.

Actions you can take

The risks of non-compliance?

This is very important – in terms of PAIA, it is an offence to destroy, damage or conceal a record in order to deny a requester access to it. More important from a business perspective, if you don’t comply with the Promotion of Access to Information Act, you may very well end up:

  • giving information to someone that you should not be giving and facing damages claims as a result;
  • opposing applications for access in court.

Litigation is expensive and time-consuming – avoid it if possible.

Who regulates PAIA?

From 1 July 2021, it is the Information Regulator and before it, it was the SAHRC.

Why do we need the Promotion of Access to Information Act?

PAIA gives effect to section 32 of the Constitution which provides for the right of access to:

  • any information held by the state;
  • any information that is held by another person and that is required for the exercise or protection of any right.

PAIA aims to bring a balance between the interests and rights of:

  1. the requester of a record; and
  2. the public or private body (business) that holds the record.

There are many issues or areas to which PAIA could apply.

The status of PAIA

There was a draft Promotion of Access to Information Amendment Bill in 2015 but it was never introduced into Parliament. PAIA is amended by the Protection of Personal Information Act and will be amended by the Cybercrimes Act once it becomes effective.

The implications of PAIA

Records

PAIA defines a record as any recorded information that a business holds in any form or medium (our definition). For purposes of PAIA, records also include records that third parties created ( and are now under the control of the business). It is very important to note and understand that records include email and other recorded electronic communications.

Access to records

The most important implication of PAIA is that a person may request a business to allow him access to records that the business holds – under the circumstances that PAIA allows for. A requester must meet the following requirements to get access:

  1. To get access to records of private bodies a requester must establish that “that record is required for the exercise or protection of any rights” (section 50). “rights” in this context is not defined by PAIA and is subject to interpretation. You may ask whether “rights” include all legal rights – constitutional, statutory and common law rights, or whether it only refers to constitutional (or fundamental) rights. In my view, the wider interpretation of “rights” is more probable. It is relatively easy to comply with this requirement. A requester for access to records of public bodies has a general or automatic right in terms of section 11.
  2. A requester must comply with the procedure that PAIA stipulates – the request must be in the form specified in the PAIA regulations, and the requester must pay the prescribed fees to the organisation. Again, relatively easy to comply with.
  3. There must not be any grounds for refusal (as determined in PAIA). An example of a ground of refusal is an “unreasonable disclosure of personal information about a third party“. The refusal grounds attempt to create a balance between the rights of the requester to access information on the one hand, and the rights of the body that holds the information and third parties, on the other hand. This third requirement may in certain cases be a bit more difficult to overcome.

PAIA manual

A further implication is that you must compile a PAIA manual that contains certain information that PAIA specifies. The manual should explain to the public:

  1. how they can request access to information that you hold, and
  2. what information you hold.

A public body must go even a step further and include in the manual “a description of all remedies available in respect of an act or failure to act by the body“. In terms of PAIA, “Each manual must be made available as prescribed“. The PAIA regulations state that a manual must be available on an organisation’s website and place or business.

What is the PAIA manual deadline?

The PAIA deadline is 31 December 2021. From 1 January 2022, every body needs to have a manual. No one is exempt.

Information Audit and Information Management policies

A business will not be able to comply with PAIA unless it knows what records it holds. You therefore need to conduct an audit on the information which you currently hold. Businesses need to determine the subjects and categories of information they hold.

You will also need to review your Information Management policies to ensure that information or records that come into existence in the future fall within the subjects and categories you determined in the audit. You should also consider very carefully which information you must legally keep, and which you may destroy. E-mail falls within the definition of a “record“, so your Electronic Communication policy must tie in with the Information Management policy.

Automatically available information

The information audit will also help you establish the categories of records that you will automatically make available without a person having to request access in terms of the Promotion of Access to Information Act. This may save a lot of valuable time. This obligation is compulsory for public bodies and optional (but advisable) for private bodies.

Human infrastructure

All organisations need to designate and appoint suitable people to deal with and implement the provisions of PAIA. PAIA provides that each public body must “designate such number of persons as Deputy Information Officers as are necessary to render the public body as accessible as reasonably possible for requesters of its records” (Section 17). The head of the private body, as defined in PAIA, is the person designated and responsible to ensure that the business implements the provisions of PAIA. The head is entitled to appoint and authorise persons to perform the relevant tasks. In terms of PAIA, these people must perform several important functions, one of which is to decide on whether access to information should be granted or not. Businesses should therefore train the relevant people properly.