Missing the PAIA reporting deadline is not an administrative slip – it can trigger inspections, enforcement action and potential POPIA exposure, with both financial and reputational consequences.
The Information Regulator has opened the 2025/2026 reporting cycle, requiring all Information Officers, heads of private bodies, and Deputy Information Officers of public and private bodies to submit annual PAIA reports.
The submission window runs from 1 April to 30 June 2026, in terms of sections 32 and 83(4) of the Promotion of Access to Information Act (PAIA). Reports must be filed via the Regulator’s eServices portal, and submission will not be possible unless the relevant officials are properly registered.
The reporting process gives the Regulator visibility into how organisations handle access to information requests – allowing it to assess compliance, identify process gaps and determine where enforcement may be required.
Established under POPIA, the Regulator is mandated to monitor and enforce compliance with PAIA, placing reporting squarely within its supervisory framework.
Each year, however, the same question resurfaces: are private bodies actually required to submit these reports, or is it simply a request from the Regulator?
The answer matters – particularly as enforcement intensifies.
Where the confusion lies
At the heart of the uncertainty is a mismatch between the wording of the law, the Regulator’s language, and how legal practitioners interpret the obligation in practice.
Section 83(4) of PAIA empowers the Information Regulator to “request” reports from private bodies on the number and nature of access-to-information requests they have processed. The use of the word “request” has led many organisations to assume that submission is discretionary.
The Regulator’s own notices reinforce this ambiguity. Private bodies are typically “requested” to submit reports, yet firm reporting deadlines are set, and a structured submission portal is provided – giving the process all the hallmarks of a mandatory compliance requirement.
Legal commentators are more definitive. Firms such as ITLawCo and Michalsons interpret the Regulator’s request as creating a binding obligation in practice. Once the Regulator has exercised its power under section 83(4), private bodies are expected to comply – and failure to do so may invite regulatory scrutiny or enforcement action.
More recent guidance has sharpened this position further, making it clear that the annual submission is not a voluntary exercise, despite the permissive wording in the Act. The practical interpretation has shifted decisively toward compulsion.
The result is a familiar compliance grey area:
- On paper, the law appears to give the Regulator discretion to request reports.
- In practice, the Regulator has institutionalised an annual reporting regime.
- In interpretation, legal experts increasingly regard submission as mandatory.
The Regulator has already flagged concern about low submission levels, warning that non-reporting limits its ability to monitor implementation and may lead to stricter enforcement.
For private bodies, the prudent approach is to treat the PAIA annual report as a non-negotiable compliance requirement, regardless of the softer language used in official notices.
What PAIA requires
PAIA gives effect to a constitutional right: any person may request access to records held by a public or private body where those records are required to exercise or protect a right.
For businesses, this translates into operational obligations. They must be able to:
- receive and process requests submitted on the prescribed PAIA form;
- respond within statutory timeframes (typically 30 days, unless extended); and
- grant access, or provide lawful and properly motivated grounds for refusal.
PAIA regulates access to information, while POPIA governs the processing and protection of personal information. Both fall under the Information Regulator, and compliance with one does not replace obligations under the other.
Critically, compliance must be demonstrable. Organisations are expected to show operational readiness – the ability to deal with requests in practice, not merely on paper.
Who must comply
All public and private bodies in South Africa are expected to submit annual PAIA reports.
This includes companies, close corporations, financial services providers, retirement funds, and other entities.
Even where no requests were received during the reporting period, a nil return is still required.
Responsibility rests with the Information Officer – typically the CEO, managing director or business owner – who must be registered with the Information Regulator and ensure the organisation meets its reporting obligations.
While section 83(4) refers to the Regulator “requesting” reports, regulatory practice and legal interpretation treat submission as mandatory in effect, not discretionary.
What must be reported
The annual report covers the period 1 April to 31 March (for the current cycle, 1 April 2025 to 31 March 2026) and must be submitted via the Regulator’s eServices portal.
Organisations must disclose how they handled access to information requests, including:
- the number of requests received;
- how many were granted, partially granted or refused;
- the grounds for refusal;
- whether response deadlines were extended; and
- any internal appeals or complaints.
The report functions as a compliance snapshot, enabling the Regulator to assess how effectively organisations are giving effect to the right of access to information.
For many smaller entities, these figures may be zero – but submission remains compulsory.
Beyond the annual report: ongoing obligations
The annual submission is only one component of PAIA compliance.
Organisations are also required to maintain:
- a current PAIA manual (Section 51 manual) that sets out how records can be accessed;
- a registered Information Officer (and, where applicable, Deputy Information Officers); and
- internal processes to receive, track and respond to requests within statutory timeframes.
Regulatory oversight is increasingly holistic. Non-submission of the annual report may signal broader compliance gaps – particularly where organisations also lack proper documentation or functional request-handling processes.





