Information Regulator publishes a guide on how to use PAIA

The Information Regulator published, on 12 October, its guide on how to use the Promotion of Access to Information Act (PAIA), in each of South Africa’s 11 official languages.

The PAIA Guide has been published to fulfil the Information Regulator’s obligation as set out in section 10 of PAIA.

As the name suggests, the PAIA Guide acts as a tool to aid laypersons in their interpretation and use of the provisions of PAIA in exercising their constitutional right of access to information, Ahmore Burger-Smidt, director and head of data privacy and cybercrime practice at Werksmans Attorneys and candidate attorney Rebecca Hill.

A company’s PAIA Manual (see below) must include a reference to the PAIA Guide.

More specifically, they said the guide will assist data subjects on how to access their personal information in line with section 23 of the Act, which gives data subjects the right to:

Request a responsible party to confirm, free of charge, whether or not the responsible party holds personal information about them; and
Request from a responsible party the record or a description of the personal information about the data subject held by the responsible party, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information.

Furthermore, the PAIA Guide provides a data subject with assistance regarding:

The purpose of PAIA;
Learning the process to be followed to make a request for information;
Learning the types of information that can be requested in terms of PAIA; and
Understanding that the responsible party may refuse to grant the data subject access to the requested information upon certain grounds.

“The publication of the PAIA Guide in South Africa’s 11 different languages will further aid in allowing laypersons to exercise their rights in terms of PAIA under the guidance of a document written in their home language. However, how a layperson will fill out the necessary request for information forms (which are in English) and request such information from an entity remains unchanged,” said Burger-Smidt and Hill.

“PAIA itself has not been published in the 11 official languages which makes any further enquiries into the application of the provisions of PAIA, beyond those explained in the PAIA Guide, difficult for non-English speakers.”

Although the practice is to publish new pieces of legislation in English and in one other official language, more effort should be made to ensure that PAIA is made more accessible to all persons to which it applies, because it is the principal piece of legislation governing a person’s access to information rights, they said.

What should be in the PAIA Manual?

Burger-Smidt and Hill said a PAIA Manual details the processes for data subjects requesting information from a private body and indicates what type of records are held by the company.

In line with section 51 of PAIA, as amended by the Protection of Personal Information Act, a PAIA Manual must also contain details regarding the data collection and processing methods of a responsible party, Burger-Smidt and Hill said. This includes details about:

The categories and types of personal information collected by a responsible party;
How the personal information collected is processed and what the purpose is for such processing;
The recipients or categories of recipients to whom the personal information collected may be supplied;
Any planned transborder flows of personal information; and
The security measures undertaken by a responsible party to ensure the confidentiality, integrity and availability of the information to be processed.

They said the PAIA Manual, as prescribed in section 51 of PAIA, must be made available: