PAIA MANUAL & POPIA COMPLIANCE CLIENT GUIDANCE

IMPORTANT DISCLAIMER

This document is intended for general information and guidance purposes only and does not constitute legal advice.

PAIA and POPIA compliance requirements may differ depending on the nature, size, industry, operational structure, and information processing activities of each organisation.

Businesses should obtain legal advice tailored to their specific circumstances, regulatory environment, contractual obligations, and operational risks.

Certain industries may also be subject to additional legislation, sector specific regulations, professional rules or regulatory requirements relating to information governance, confidentiality, cybersecurity, retention obligations and data protection

1. INTRODUCTION

South African businesses are required to comply with both:

• the Promotion of Access to Information Act, 2000 (“PAIA”); and
• the Protection of Personal Information Act, 2013 (“POPIA”).

These laws impose obligations on organisations relating to:

• access to information;
• protection of personal information;
• lawful processing of data;
• data security;
• transparency; and
• accountability.

Failure to comply may expose a business to:

• regulatory investigations;
• administrative fines;
• civil claims;
• reputational damage; and
• operational risk.

This document explains:

1. what a PAIA Manual is;
2. what POPIA compliance requires;
3. the legal obligations of businesses;
4. the practical implementation steps; and
5. the documents and policies typically required.

2. WHAT IS A PAIA MANUAL?

A PAIA Manual is a legally required document that explains:

• what information a business holds;
• how information may be requested;
• how requests are processed;
• the categories of records available; and
• contact details of the Information Officer.

The PAIA Manual serves as a guide to the public and data subjects regarding access to information held by the organisation.

Private bodies conducting business in South Africa are required to maintain a PAIA Manual in accordance with section 51 of PAIA. The Information Regulator has also issued PAIA guidance notes and template manuals for private bodies.

A complaint PAIA Manual typically includes:

• Information Officer details;
• categories of records held;
• categories of records automatically available
• procedures for requesting accesses;
• prescribed forms and fees;
• grounds upon which access can be refused;
• available remedies
• applicable legislation; and
• contact details of the Information Regulator.

The PAIA Manual should:

• be updated regularly;
• be available at the organisation’s principal place of business;
• be made available upon request;
• where applicable be published on the organisations’ website.

3. PURPOSE OF POPIA

POPIA regulates how personal information is collected, stored, processed, shared, and destroyed.

The purpose of POPIA is to:

• protect personal information;
• prevent misuse of data;
• ensure lawful processing;
• protect privacy rights; and
• require businesses to implement appropriate security safeguards.

POPIA applies to almost all organisations that process personal information, including:

• companies;
• close corporations;
• trusts;
• NGOs;
• schools;
• medical practices;
• professional firms; and
• online businesses.

Personal information includes:

• names;
• identity numbers;
• addresses;
• telephone numbers;
• email addresses;
• banking details;
• employee records;
• customer information;
• biometric information; and
• online identifiers.

POPIA establishes conditions for the lawful processing of personal information, namely:

• accountability;
• processing limitation;
• purpose specification;
• further processing limitation;
• information quality;
• openness;
• security safeguards; and
• data subject participation.

4. LEGAL REQUIREMENTS UNDER POPIA

Businesses must ensure that personal information is processed:

• lawfully;
• reasonably;
• transparently;
• securely; and
• only for legitimate business purposes.
  

Key compliance obligations include:

4.1 Appointment of an Information Officer

Every organisation must appoint an Information Officer who is by default the CEO / MD / director of the Company.

The Information Officer is responsible for:

• POPIA compliance;
• PAIA compliance;
• handling information requests;
• monitoring internal processes;
• managing data breaches; and
• liaising with the Information Regulator.

The Information Officer must be registered with the Information Regulator through the Regulator’s eServices portal before formally performing their duties.

4.2 Development of Internal Policies

Businesses should adopt written policies governing:

• data protection;
• privacy;
• employee data handling;
• record retention;
• information security;
• data breach management; and
• access to information requests.

4.3 Consent and Lawful Processing

Organisations must ensure there is a lawful basis for collecting and processing personal information.

This may include:

• consent;
• contractual necessity;
• legal obligations;
• legitimate interests; or
• operational requirements.

Businesses must also:

• notify individuals when collecting information;
• explain the purpose of collection;
• limit collection to necessary information only;
• avoid excessive or unlawful processing; and
• ensure transparency regarding data processing activities.

4.4 Security Safeguards

Reasonable technical and organisational measures must be implemented to protect information against:

• loss;
• unauthorised access;
• cyberattacks;
• misuse;
• unlawful disclosure; and
• destruction.

Typical safeguards include:

• password protection;
• antivirus systems;
• access controls;
• secure servers;
• encryption;
• confidentiality undertakings;
• employee training; and
• secure disposal of records.

4.5 Data Subject Rights

Individuals have rights relating to their personal information, including the right to:

• access their information;
• request corrections;
• object to processing;
• withdraw consent;
• request deletion where applicable; and
• lodge complaints.

Businesses must implement procedures to deal with these requests.

4.6 Data Breach Procedures

POPIA requires organisations to take action if personal information is compromised.

Where a data breach occurs, the organisation may be required to:

• investigate the incident;
• contain the breach;
• notify affected parties; and
• report the incident to the Information Regulator.

4.7 Cross Border Transfers of Information

Where personal information is transferred outside South Africa, organisations must ensure compliance with section 72 of POPIA.

This commonly arises where businesses utilise:

• cloud storage providers;
• international software platforms;
• overseas service providers;
• foreign email hosting systems; or
• international data processing platforms.

Appropriate contractual safeguards and security measures should be implemented where cross border transfers occur.

4.8 Record Retention and Destruction

Businesses should implement lawful retention and destruction procedures for both physical and electronic records.

Retention periods may be determined by:

• statutory obligations;
• contractual requirements;
• operational needs;
• tax legislation;
• employment legislation; and
• industry specific regulations.

Records should not be retained longer than necessary and should be securely destroyed where retention is no longer lawful or required.

5. STEPS REQUIRED TO IMPLEMENT POPIA COMPLIANCE

The following implementation process is generally recommended:

STEP 1 — POPIA & PAIA COMPLIANCE ASSESSMENT

Conduct an assessment of the organisation’s:

• current data practices;
• information systems;
• contracts;
• policies;
• security measures;
• employee procedures; and
• information processing activities.

The purpose is to identify compliance gaps and risks.

STEP 2 — APPOINTMENT & REGISTRATION OF INFORMATION OFFICER

The organisation should:

• formally appoint an Information Officer;
• appoint Deputy Information Officers where necessary; and
• register the Information Officer with the Information Regulator.

STEP 3 — DATA MAPPING & INFORMATION AUDIT

The business should identify:

• what personal information is collected;
• where it is stored;
• who has access to it;
• why it is processed;
• how long it is retained; and
• whether it is shared with third parties.

This process is critical for identifying risk areas.

STEP 4 — PREPARATION OF A PAIA MANUAL

A compliant PAIA Manual should be drafted and implemented.

The Manual typically includes:

• Information Officer details;
• categories of records held;
• request procedures;
• fees and forms;
• available records;
• applicable legislation; and
• Information Regulator details.

The PAIA Manual should be:

• adopted internally;
• published where necessary; and
• made available upon request.

STEP 5 — DRAFTING OF POPIA POLICIES & DOCUMENTATION

The organisation should implement the necessary compliance documentation, which may include:

• Privacy Policy;
• Website Privacy Notice;
• Employee Privacy Policy;
• Data Retention Policy;
• Information Security Policy;
• Data Breach Response Policy;
• Consent Forms;
• Operator Agreements;
• Confidentiality Undertakings; and
• Internal POPIA Compliance Policies.

STEP 6 — REVIEW OF CONTRACTS & THIRD-PARTY RELATIONSHIPS

Contracts with:

• service providers;
• operators;
• employees;
• consultants; and
• software providers

should be reviewed to ensure appropriate data protection obligations are included.

This is particularly important where third parties process information on behalf of the organisation.

STEP 7 — IMPLEMENTATION OF SECURITY MEASURES

Technical and operational safeguards should be implemented.

Examples include:

• restricted access controls;
• password management;
• secure cloud storage;
• cybersecurity measures;
• backup systems;
• physical security controls; and
• secure destruction procedures.

STEP 8 — STAFF TRAINING & AWARENESS

Employees should receive training on:

• POPIA obligations;
• confidentiality;
• phishing risks;
• handling customer information;
• reporting breaches; and
• internal compliance procedures.

Human error remains one of the largest causes of data breaches.

STEP 9 — IMPLEMENTATION & ONGOING MONITORING

Compliance is an ongoing process.

Businesses should:

• review policies regularly;
• update procedures;
• monitor risks;
• maintain compliance records;
• conduct periodic audits; and
• update documentation as operations evolve.

6. DOCUMENTS TYPICALLY REQUIRED FOR COMPLIANCE

The following documents are commonly implemented as part of a compliance programme:

7. CONSEQUENCES OF NON-COMPLIANCE

Non-compliance with PAIA and POPIA may result in:

• enforcement action by the Information Regulator;
• administrative penalties;
• legal proceedings;
• damages claims;
• criminal liability in certain circumstances;
• loss of customer trust; and
• reputational harm.

Businesses are therefore encouraged to implement proactive compliance measures.

8. RECOMMENDED APPROACH

To ensure practical and sustainable compliance, organisations should:

• conduct a compliance assessment;
• identify risk areas;
• implement compliant documentation;
• train employees;
• strengthen information security;
• review contracts and processes; and
• establish ongoing monitoring procedures.

Compliance should be treated as an operational governance requirement rather than a once-off administrative exercise.

9. CONCLUSION

PAIA and POPIA compliance are essential components of modern business governance in South Africa.

A properly implemented compliance framework assists businesses to:

• reduce legal risk;
• protect confidential information;
• improve customer trust;
• strengthen operational controls; and
• demonstrate responsible information management.

Implementing the required policies, procedures, and governance measures ensures that organisations are better positioned to meet regulatory obligations and respond effectively to evolving privacy and data protection requirements.