We have already unpacked what you need to know about the Protection of Personal Information Act (POPIA). In your role as a digital marketer, you also need to be aware of the requirements of the Promotion of Access to Information Act (PAIA). Let's take a more in-depth look into what this act requires.
Covered in this article:
- What is PAIA About?
- Key Requirements for Digital Marketers
- The Implications of Non-compliance
What is PAIA About?
The Promotion of Access to Information Act gives effect to the Constitutional right of access to any information held by the State and any information that is held by another person, and that is required for the exercise or protection of any rights (as per Section 32 of the Constitution of the Republic of South Africa 1996). In addition, the Act provides that the Information Regulator (established in terms of the Protection of Personal Information Act, 2013) must exercise certain powers and perform certain duties and functions in terms of this Act. The aim of PAIA is to foster a culture of transparency and accountability while actively promoting a society where people have effective access to information, to enable them to fully exercise and protect all of their rights.
The act applies to the records of public and private bodies, regardless of when the records came into existence (records requested for the purpose of civil or criminal law proceedings are excluded from this definition) – all organisations in South Africa must comply with this act.
Terminology and Role-players
The act mentions specific terminology and role-players when it comes to information:
- Information Officer (IO) - in relation to a public body, means an Information Officer or Deputy Information Officer (DIO) as contemplated in terms of Section 1 or 17 of the PAIA.
- Record – means any recorded information, regardless of form or medium, in the possession or under the control of a public or private body and whether or not it was created by such a public or private body.
- Requester – in relation to a public body this means any person (other than a public body - usually a government department or institution), or a person acting on his / her behalf, making a request for access to a record of that public body. In relation to a private body, the requester is any person, including a public body or official thereof, or a person acting on his / her behalf, making a request for access to a record of that private body.
- Public body – any department of the state or functionary / institution established through the Constitution or other legislation and performing a related public function.
- Private body – a natural person or partnership carrying on (either presently or in the past) any trade, business or profession, any former or existing juristic person or political party, excluding a public body.
Note that the POPI Act expands on these definitions. The PAIA should be read in conjunction with the POPI Act and related Regulations.
Access to Records of Public or Private Bodies
In terms of Section 11, a requester must be given access to a record of a public body if:
- The requester complies with all procedural requirements of the Act relating to such a request; and
- Access to the record is not refused in terms of any grounds for refusal as contemplated in the Act.
Section 50 stipulates that a requester must be given access to any record of a private body if:
- That record is required for the exercise or protection of any rights;
- That person complies with the procedural requirements of the act relating to such a request; and
- Access to that record is not refused in terms of any grounds for refusal as contemplated in the Act.
In the case where the request for records of a private body is made by another public body, such a public body must be acting in the public interest.
A request for access includes a request for access to a record containing personal information about the requester. The right of access is not affected by the reasons the requester gives for requesting such access or the Information Officer's belief as to what the requester's reasons are for requesting such access. The request for access must be done in the prescribed manner, on the prescribed form and requires proof of identity of the requester or authorisation granted to the person acting on behalf of the requester. The requester has to provide details on:
- Particulars of the record requested including a reference number if available
- The type of record requested (whether in written or printed form, virtual images, sound, electronic or machine-readable form)
- The form of access (such as printed copy, printed transcription, record on a flash drive, compact disc or cloud storage)
- The manner of access - this includes whether it will be a personal inspection of the record at the registered address of the body holding the record, via post, courier, email or cloud share, as well as the preferred language of the record
- The right which is being exercised or protected by the requester and the reasons for the request, and
- The fees payable for such request, where applicable.
Key Requirements for Digital Marketers
Previously, assessing the body's public interest score was necessary to determine whether one was exempt from compiling a PAIA Manual. As of 1 January 2022, no exemptions are granted - all bodies (whether public or private) must have a PAIA Manual. The Information Regulator provides guidelines, templates and procedures for making information electronically available.
Purpose of a PAIA Manual
An organisation's PAIA manual is useful for the public to:
- Check categories of records held by the organisation which are available without a person having to submit a formal PAIA request
- Have a sufficient understanding of how to go about requesting access to a record of the body, by providing a description of the subjects on which the body holds records and the related categories of such records
- Access the relevant contact details of the Information Officer and Deputy Information Officer - these parties will assist the public with the records they intend to access
- Know the following:
  - The description of records of the body which are available in accordance with any other legislation
  - The description of the guide on how to use PAIA, as updated by the Information Regulator and how to access the guide
  - If the organisation will process personal information, the purpose of such processing, and the description of the categories of data subjects and of information/categories of information relating to such subjects
  - The description of the categories of data subjects and of the information/categories of information relating thereto
  - The recipients or categories of recipients to whom the personal information may be supplied
  - If the body has planned to transfer or process personal information outside South Africa and the recipients or categories of recipients to whom the personal information may be supplied
  - Whether the body has appropriate security measures to ensure the confidentiality, integrity and availability of the personal information which is to be processed.
Contents Required in the PAIA Manual
The manual must contain the key contact details for access to information of the body, which includes the full names, phone numbers, email addresses and fax numbers of the Information Officer (this is usually the CEO or Managing Director) and Deputy IO, as well as a general email address which the public can contact for access to information. The manual must also contain details of the body's national or head office.
The manual must further contain:
- Guidance on how to use PAIA and how to obtain access to the guide
- Categories of records which are available without a person having to request access thereto – for example, which records are available on the website vs which records are available on request
- A description of the records of the body which are available in accordance with other legislation – for example, the category of record being the Memorandum of Incorporation, and the applicable legislation being the Companies Act No 71 of 2008
- A description of the subjects on which the body holds records and categories of such - for example, the subjects may include Human Resources, and the categories of records may include HR policies and procedures, advertised posts and employee records
- Details regarding the processing of personal information, including:
  - The reasons for processing such personal information
  - A description of the categories of data subjects and of the information/categories of information relating thereto – for example, customers and clients will be regarded as a category of the data subject, while the names, addresses, registration numbers and other details such as employment status and banking details will be the personal information of those customers/clients that may be subject to processing. In the case of employees (a category of the data subject), the personal information that may be processed includes the address, qualification, gender and race.
  - The recipients/categories of recipients to whom the personal information may be supplied – for example, the ID number and names for criminal checks will be regarded as the category of information retained by the body; the recipients to whom such information may be supplied will be the SAPS
  - Planned trans-border flows of personal information – here it is important to specify which country the personal information will be stored in
  - A general description of information security measures to be implemented by the responsible party to ensure confidentiality, integrity and availability of information. Examples include Data Encryption, Anti-virus and Anti-malware Solutions.
The Implications of Non-Compliance
In terms of Section 90 of the Act, a person who, with intent to deny a right of access under the Act, destroys, damages or alters a record; conceals a record; or falsifies a record is guilty of an offence. Offences are punishable on conviction by a fine or imprisonment for a period not exceeding two years.
The implications of non-compliance with the Promotion of Access to Information Act (PAIA) can be significant for public and private bodies in South Africa. Some of the consequences of non-compliance with PAIA include:
- Legal action: If a public or private body fails to comply with PAIA, an affected party can approach the courts for relief. This could result in an order directing the body to comply with the provisions of PAIA, or an award of damages for loss suffered as a result of the non-compliance.
- Reputational damage: Non-compliance with PAIA can harm the reputation of a public or private body. The public and other stakeholders may view the body as being uncooperative or unwilling to be transparent, which can negatively impact its credibility and trustworthiness.
- Fines: The South African Information Regulator has the power to impose administrative fines on public and private bodies that are found to be in contravention of PAIA.
- Prosecutions: In extreme cases, the Information Regulator may refer a matter for prosecution if it finds that a public or private body has intentionally or recklessly failed to comply with PAIA.
Therefore, it is important for public and private bodies in South Africa to take PAIA seriously and to ensure that they are compliant with its provisions. This will help to protect their rights, as well as the rights of the public, and will help to maintain the integrity and transparency of the information-holding system in South Africa.
We recommend that when it comes to legislative matters, you always seek professional legal advice.