Prior to the promulgation of the Protection of Personal Information Act 4 of 2013 (POPIA), the only real legislation available for the access to information was the Promotion of Access to Information Act, 2 of 2000 (PAIA). Enacted to redress the previous culture of legislative obscurity promoted by the previous political regime, PAIA set out to encourage and enforce the principles of fairness, equality, and transparency enshrined in the Constitution of the Republic of South Africa 108 of 1996. It is then necessary to understand the relationship between POPIA and PAIA and what this entails exactly.
PAIA and POPIA make mention of one another, with the former preceding the latter by more than a decade. Acting as a juridical seesaw, they balance the constitutional right contemplated in section 32 for the access to information held by the state or any body, juristic or natural, with section 14 which guarantees the right to privacy. They are two sides of the same coin, simultaneously advancing and limiting the rights observed in the constitution.
For your company’s purposes, what you need to know is simply that both acts provide for the access to records in what is often referred to as a section 51 manual. This manual, read together with section 17 of POPIA, requires a “responsible party”, duly defined under POPIA, to maintain a record of all processing operations within its remit. POPIA has affixed an additional dimension of information to be provided in your manual.
Gone are the days when you needed to register your PAIA Manual with the South African Human Rights Commission, previously tasked with its regulation. POPIA has since established the Information Regulator, in terms of section 39, whose duty and authority now extend to the PAIA Manual and its administration. The Information Regulator “is independent and is subject only to the Constitution and to the law and must be impartial and perform its functions and exercise its powers without fear, favour, or prejudice”. The Regulator is, however, accountable to the National Assembly.
As of 31st December 2021, everybody is now obligated to keep a PAIA Manual, making the previous qualifications such as nature or size of your business irrelevant. Those formerly exempt were sole proprietors, close corporations (CC), body corporates, common law associations, public universities and the majority of Small and Medium Enterprises; with certain employment and turnover thresholds.
Your POPIA and PAIA Manual (“the manual”) should provide an overview of the records held by your company and how these records may be accessed. This manual needs to be made available in print at your main offices as well as on your website, should you have one. The manual is prepared with the rights granted under POPIA in mind, particularly how a data subject may have access to, object to and/or request the correction of any their personal information held by your company.
Given that POPIA is a principled act, a record of industry specific legislation that interact with and potentially override POPIA’s provisions should be contained within the manual. In other words, all legislation that is contrary to POPIA will take preference i.e. while POPIA stipulates that data should be destroyed or made unidentifiable upon completion of a contract or transaction, the Basic Conditions of Employment Act 75 of 1997 states that employee information and records be kept for 3 years post-employment. In such a scenario, POPIA will take a backseat and allow for the retention of documents under this lawful justification. The bottom line is that those with a SARS-avoidant attachment style cannot employ POPIA as a defense against a looming audit.
The logistics of the request process have been prescribed by PAIA insofar as how and to whom the request should be made. All things POPIA related have been designated to the Information officer who is regarded as the responsible party, and as such is tasked with handling requests. The request should be made in writing, detailing the identity of the requestor, the precise records needed, and level of access required. Should the requestor be illiterate or have a disability which precludes a written request, it may be completed orally to the satisfaction of the Information Officer. Upon receipt of the request the responsible party has 30 days in which to respond, an extension from the previous 7 days. The information officer may ask for an extended 30 days, in writing, if the request or search for information warrants additional time. PAIA makes it clear that requests thar are plainly vexatious or designed to divert resources unnecessarily in order to obtain records may be refused on that basis. Declined requestors have recourse through the courts in terms of section 56(3) (c) and 78 of PAIA and relief may be sought within 180 days of the refusal.
Now for the not half-bad news, PAIA has prescribed the fees for requests, meaning that each time a data subject makes out a request, you may collect a non-refundable R140, which could be added to your POPI-Pizza fund. However, it is important to understand that not all requests are equal and as such you do not pass begin, you do not collect R140. There are those who are exempt from filling out a PAIA request, namely legal bodies like the Department of Labour and data subjects with a lawful interest i.e. a court order mandating the surrender of records. In addition, the PAIA request process and accompanied fees do not apply to data subjects wanting confirmation, correction, or deletion of their personal information.
When processing information in terms of a PAIA request, it is important that the principles of minimal exchange of personal data be heeded. As a rule of thumb, put your trust in your LabourNet consultants’ advice and drafting expertise when compiling your PAIA Manual and processing requests.
For more information on the above topic, please contact the LabourNet Helpdesk at
0861 LABNET (0861 522638).
Not yet a LabourNet client, but would like to know more about our service and products?
Email us: firstname.lastname@example.org