The Information Regulator (IR) has reminded private and public bodies that requests for information must be made on Form 2 (or one that corresponds substantially with it) and not on the repealed Form A.
The Regulator issued a notice to this effect on 28 August. The IR said it is concerned about the continued use of the repealed Form A by private and public bodies, notwithstanding a notice issued by the IR in 2021 communicating the new PAIA form.
The use of the incorrect form amounts to non-compliance with Regulation 7.1 of the Regulations relating to the Promotion of Access to Information, 2001. This non-compliance hampers the constitutional right of access to information and the IR’s ability to investigate complaints.
The IR’s notice of last month is addressed to “All information officers, heads of private bodies and deputy information officers”. It is not aimed at any single organisation; rather, it serves as a sector-wide warning that the Regulator’s tolerance for procedural defects under the Promotion of Access to Information Act (PAIA) has run its course, said Era Gunning, an executive at ENS’s banking and finance practice.
“The upshot is simple: every information officer should immediately ensure that outdated Form A is purged from internal and public-facing systems and replaced with Form 2,” Gunning wrote in an article this week.
Click here to download Form 2 from the IR’s website.
“The notice underscores the Regulator’s power, in terms of section 77H of PAIA, to initiate own-motion compliance assessments and site inspections,” she said, adding that her practice has seen an uptick in:
- questionnaires requesting copies of PAIA and Protection of Personal Information Act (POPIA) policies;
- spot checks of PAIA manuals published on company websites; and
- formal inspection visits where officials request sample request files, refusal letters, and records of decision-making.
“In short, the Regulator is no longer confining itself to reactive complaint-handling; proactive audits are rapidly becoming the norm.”
Gunning said the IR expects holistic compliance with the entire PAIA/POPIA ecosystem.
Based on her practice’s experience, the deficiencies flagged during inspections include:
- PAIA manuals that have not been updated to reflect POPIA’s commencement or the 2021 Regulations;
- incomplete section 17 records of requests granted/refused;
- failure to publish an internal process for handling data subject access requests under POPIA; and
- outdated contact details for information officers or deputy information officers.
“Each of these gaps, individually or cumulatively, can attract remedial directives, compliance notices, or administrative fines,” Gunning said.
She recommends that information officers:
- Verify that the published PAIA manual, access to information policy, and privacy notice are internally consistent and incorporate Form 2.
- Ensure that help-desk staff, reception personnel, and in-house legal teams know where to locate the correct form and how to process it within the statutory timeframes.
- Conduct refresher sessions for executives and records managers on PAIA refusal grounds, POPIA’s conditions for lawful processing and cross-border disclosures.
- Keep audit trails showing the date on which the PAIA manual was last reviewed and publicised, because the Regulator routinely asks for this during inspections.
