POPIA Compliant PAIA Manual
Company Manual for Accessing Information (“Manual”)
This Manual has been prepared in terms of section 51 of the Promotion of Access to Information Act 2 of 2000 (“PAIA”) and updated in the light of the Protection of Personal Information Act 4 of 2013 (“POPIA”).
- Introduction
- This manual is for the Company.
- Purpose of PAIA
- PAIA is an act that was passed to give effect to the constitutional right, held by everyone in South Africa, of access to information which is held by the State or by another person and which is required for the exercise or protection of any right. Where a request is made in terms of PAIA, the body to which the request is made is obliged to give access to the requested information, except where the Act expressly provides that the information may or must not be released.
- It is important to note that PAIA recognises certain limitations to the right of access to information, including, but not exclusively, limitations aimed at the reasonable protection of privacy, commercial confidentiality, and effective, efficient and good governance, and in a manner which balances that right with any other rights, including such rights contained in the Bill of Rights in the Constitution.
- POPIA was enacted in November 2013, to promote the protection of personal information processed by public and private bodies. POPIA amended certain provisions of PAIA, balancing the need for access to information against the need to ensure the protection of personal information.
- Information manual
- One of the main requirements specified in PAIA is the compilation of an information manual that provides information on both the types and categories of records held by a private body. This document serves as Company’s information manual. This Manual is compiled in accordance with section 51 of PAIA and the Schedule to POPIA. It is intended to give a description of the records held by and on behalf of Company; to outline the procedure to be followed and the fees payable when requesting access to any of these records in the exercise of the right of access to information, with a view of enabling requesters to obtain records which they are entitled to in a quick, easy and accessible manner.
- This Manual is available for public inspection at the physical address of Company, recorded in paragraph 4 below, free of charge; and on this website, free of charge; and on request by any person (along with payment of a prescribed fee).
- The Manual is available from the designated Information Officer, whose details appear below.
- The responsibility for administration of, and compliance with, PAIA and POPIA has been delegated to the Information Officer.
- Requests pursuant to the provisions of PAIA and/or POPIA should be directed to the Information Officer, Sian Fields (sian@sianevans.co.za).
- Information Regulator’s Guide
- An official Guide has been compiled which contains information to assist a person wishing to exercise a right of access to information in terms of PAIA and POPIA. This Guide is made available by the Information Regulator (established in terms of POPIA).
- Automatic disclosure
- A private body may, on a voluntary basis, make available a description of categories of records that are automatically available without a person having to request access in terms of PAIA.
- The only fee for access to these records may be a prescribed fee for reproduction.
- Types and categories of records
- A requester may also request information that is available in terms of other legislation, such as (the below is not an exhaustive list):
- Competition Act 89 of 1998;
- The Companies Act 71 of 2008;
- The Labour Relations Act 66 of 1995;
- Employment Equity Act 55 of 1998;
- Basic Conditions of Employment Act 75 of 1997;
- Compensation for Occupational Injuries and Diseases Act 130 of 1993;
- Financial Intelligence Centre Act 38 of 2001;
- Income Tax Act 58 of 1962;
- Occupational Health and Safety Act 85 of 1993;
- Unemployment Insurance Act 63 of 2001;
- Value-added Tax Act 89 of 1991; and
- Consumer Protection Act 68 of 2008.
- Subject Categories of Records
The information is classified and grouped according to records relating to the following subjects and categories:
- Personnel Records: "Personnel" refers to any person who works for or provides services to or on behalf of Company and receives, or is entitled to receive, remuneration and any other person who assists in carrying out or conducting the business of Company. It includes, without limitation, directors (executive and non-executive), all permanent, temporary and part-time staff, as well as contract workers.
- Personal records provided by personnel include:
- Records provided by a third party relating to Personnel;
- Conditions of employment and other Personnel-related contractual and quasi-legal records, including job applications;
- Internal evaluation records and other internal records;
- Correspondence relating to, or emanating from, Personnel (internal and external to the organization);
- Training schedules and material; and
- Payment records (and beneficiary payments), including banking details.
- Client Related Records: "Client" refers to any natural or juristic entity that receives services from Company.
- Client related records include:
- Records provided by a client to a third party acting for or on behalf of Company;
- Records provided by a third party (for example, records from a reseller);
- Records generated by or within Company relating to its clients;
- Transactional records;
- Correspondence with a client that is implicitly or explicitly of a private or confidential nature; and
- Records pertaining to a client retrieved from “other sources”, such as any credit bureau or credit providers industry association.
- Private Body Records which include but are not limited to records pertaining to Company’s own internal affairs:
- Financial records;
- Operational records;
- Information technology;
- Communication;
- Administrative records, such as contracts and service level agreements;
- Product records;
- Statutory records;
- Internal Policies and procedures; and
- Human resources records.
- Other Party Records:
- Records held by Company pertaining to other parties, including without limitation, financial records, correspondence, contractual records, records provided by the other party (for example third party beneficiaries or employees of a client), and records third parties have provided about Company's contractors / suppliers.
- Company may possess records pertaining to other parties including, but not limited to, contractors, suppliers, and service providers and such other parties may possess records that can be said to belong to Company.
- Processing details
- In terms of POPIA, data must be processed for a specified purpose. The purpose for which data are processed by Company will depend on the nature of the data and the particular data subject. This purpose is ordinarily disclosed, explicitly or implicitly, at the time the data are collected.
- Purpose of Processing
- Personnel data
- Company processes personnel data for business administration purposes. For example, personnel data are processed for payroll purposes. Personnel data are also processed to the extent required by legislation and regulation. For example, Company discloses employees’ financial information to the Commissioner for the South African Revenue Service, in terms of the Income Tax Act 58 of 1962 and employees’ sensitive personal information in terms of the Employment Equity Act 55 of 1998.
- Client related data
- Company processes client related records as an integral part of its commercial services. For example, Company processes client related records during the client application and onboarding processes and for provision of a service.
- This list of processing purposes is non-exhaustive.
- Third party data
- Company processes third party records for business administration purposes.
- Other party data
- Company processes “other party” records for business administration purposes. For example, Personnel data may be processed in order to effect payment to contractors and / or suppliers.
- In performing these various tasks, Company may, amongst others, collect, collate, process, store and disclose personal information.
- Categories of Data Subjects. Company holds information and records on the following categories of data subjects:
- Employees / Personnel of Company;
- Clients of Company;
- Any third party with whom Company conducts its business services;
- Contractors of Company;
- Suppliers of Company;
- Service providers of Company.
This list of categories of data subjects is non-exhaustive.
- Recipients To Whom Personal Information Will Be Supplied
- Depending on the nature of the data, Company may supply information or records to the following categories of recipients:
- Statutory oversight bodies, regulators or judicial commissions of enquiry making a request for data (i.e. the Information Regulator in terms of POPIA);
- Any court, administrative or judicial forum, arbitration, statutory commission, or ombudsman making a request for data or discovery in terms of the applicable rules (i.e. the Competition Commission in terms of the Competition Act 89 of 1998);
- South African Revenue Service, or another similar authority;
- A contracted third party who requires this information to provide services;
- Third parties with whom Company has a contractual relationship for the retention of data (for example, a third party hosting services);
- Research / academic institutions;
- Auditing and accounting bodies (internal and external);
- Anyone making a successful application for access in terms of PAIA.
- Planned Transborder Flows Of Personal Information
- Company may transfer personal information to a third party who is in a foreign country in order to administer certain services, but may only do so subject to the provisions of POPIA. Thus internal cross-border transfers, as well as external cross-border transfers of information are envisaged, subject to the provisions of POPIA.
- Security Measures
- Company takes extensive information security measures to ensure the confidentiality, integrity and availability of personal information in Company’s possession. Company takes appropriate technical and organizational measures designed to ensure that personal data remain confidential and secure against unauthorized or unlawful processing and against accidental loss, destruction or damage.
- Grounds for Refusal of Access to Records
- Company may refuse a request for information on the following basis:
- Mandatory protection of the privacy of a third party who is a natural person, which would involve the unreasonable disclosure of personal information of that natural person;
- Mandatory protection of the commercial information of a third party, if the record contains:
- Trade secrets of that third party;
- Financial, commercial, scientific or technical information, the disclosure of which could likely cause harm to the financial or commercial interests of that third party; and
- Information disclosed in confidence by a third party to Company, if the disclosure could put that third party at a disadvantage in negotiations or commercial competition.
- Mandatory protection of confidential information of third parties if it is protected in terms of any agreement or legislation;
- Mandatory protection of the safety of individuals and the protection of property;
- Mandatory protection of records which would be regarded as privileged in legal proceedings;
- The commercial activities of Company, which may include:
- Trade secrets of Company;
- Financial information which, if disclosed, could put Company at a disadvantage in negotiations or commercial competition;
- A computer program which is owned by Company and which is protected by copyright.
- Requests for information that are clearly frivolous or vexatious, or which involve an unreasonable diversion of resources shall be refused.
- Access procedure
- A requester is any person making a request for access to a record of, or held by, Company. The requester is entitled to request access to information, including information pertaining to third parties, but Company is not obliged to grant such access. Apart from the fact that access to a record can be refused based on the grounds set out in paragraph 15 above, in order to successfully access information the requester must fulfil the prerequisite requirements for access in terms of PAIA, including the payment of a request and access fee.
- Access Request Procedure
- A requester requiring access to information held by Company must complete the prescribed Access Request Form, available here: https://www.justice.gov.za/forms/paia/J752_paia_Form%20C.pdf, submit it to the Information Officer at the physical address or electronic mail address recorded in paragraph 5 and pay a request fee (and a deposit, if applicable).
- In order to facilitate a timely response to requests for access, all requesters should take note of the following when completing the Access Request Form:
- The Access Request Form must be comprehensively completed.
- Proof of identity is required to authenticate the identity of the requester. Therefore, in addition to the access request form, requesters will be required to supply a copy of their identification document.
- Every applicable question must be answered. If a question does not apply “N/A” should be stated in response to that question. If there is nothing to disclose in reply to a particular question "Nil" should be stated in response to that question.
- The Access Request Form must be completed with enough particularity to enable the Information Officer to identify:
- The record(s) requested;
- The identity number of the requester;
- The form of access required if the request is granted;
- The postal address or fax number of the requester.
- The requester must also state that he or she requires the information in order to exercise or protect a right, and clearly state the nature of the right to be exercised or protected. In addition, the requester must clearly specify why the record is necessary to exercise or protect such a right.
- If a request is made on behalf of another person, then the requester must submit proof of the capacity in which the requester is making the request to the reasonable satisfaction of the Information Officer.
- If an individual is unable to complete the prescribed form because of illiteracy or disability, such a person may make the request orally.
- The requester will be informed in writing whether access has been granted or denied. If, in addition, the requester requires the reasons for the decision in any other manner, he must state the manner and the particulars so required.
- Payment Of Fees
- Payment details can be obtained from the Information Officer and can be made either via a direct deposit, by bank guaranteed cheque or by postal order. Proof of payment must be supplied when the Access Request Form is submitted.
- The prescribed fee is set out below in Annexure 1.
- Note that the requester may lodge a complaint to the Information Regulator or an application with a court against the tender or payment of the request fee.
- If the search for, and the preparation of, the record for disclosure would, in the opinion of the Information Officer, require more than 6 hours, the requester may be required to pay as a deposit one third of the access fee (the fee which will be payable if the request is granted).
- Note that the requester may lodge a complaint to the Information Regulator or an application with a court against the tender or payment of the deposit.
- If a deposit has been paid in respect of a request for access which is subsequently refused, then the Information Officer must refund the deposit to the requester.
- The requester must pay the prescribed fee before any processing, or any further processing, can take place.
- Third Party Notification
- Company must take all reasonable steps to inform a third party to whom or which a requested record relates if the disclosure of that record would –
- involve the disclosure of personal information about that third party;
- involve the disclosure of trade secrets of that third party; financial, commercial, scientific or technical information (other than trade secrets) of that third party, the disclosure of which would be likely to cause harm to the commercial or financial interests of that third party; or information supplied in confidence by a third party, the disclosure of which could reasonably be expected to put that third party at a disadvantage in contractual or other negotiations; or to prejudice that third party in commercial competition;
- constitute an action for breach of a duty of confidence owed to a third party in terms of an agreement; or
- involve the disclosure of information about research being, or to be, carried out by or on behalf of a third party, the disclosure of which would be likely to expose the third party, a person that is or will be carrying out the research on behalf of the third party, or the subject matter of the research, to serious disadvantage.
- Company will inform the third party as soon as reasonably possible, but in any event, within 21 days after that request is received.
- Within 21 days of being informed of the request, the third party may –
- make written or oral representations to the Information Officer why the request for access should be refused; or
- give written consent for the disclosure of the record to the requester.
- Company will notify the third party of the outcome of the request. If the request is granted, adequate reasons for granting the request will be given.
- The third party may lodge a complaint to the Information Regulator or an application with a court against the decision within 30 days after notice is given, after which the requester will be given access to the record after the expiry of the 30 day period.
- Notification of Decision
- The Information Officer will, within 30 days of receipt of the request, decide whether to grant or decline the request and give notice with reasons (if required) to that effect.
- The 30 day period, within which Company has to decide whether to grant or refuse the request, may be extended for a further period of not more than 30 days if the information cannot reasonably be obtained within the original 30 day period. For example, the time period may be extended if the request is for a large amount of information, or the request requires Company to search for information held at another office of Company.
- The Information Officer will notify the requester in writing should an extension be required. The requester may lodge a complaint to the Information Regulator or an application with a court against the extension.
- Remedies Available for Refusals for a Request for Information
- All complaints, by a requester or a third party, can be made to the Information Regulator or a court, in the manner prescribed below.
- The requester or third party, as the case may be, may submit a complaint in writing to the Information Regulator, within 180 days of the decision, alleging that the decision was not in compliance with the provisions of PAIA.
- The Information Regulator will investigate the complaint and reach a decision - which may include a decision to investigate, to take no further action or to refer the complaint to the Enforcement Committee established in terms of POPIA. The Information Regulator may serve an enforcement notice confirming, amending or setting aside the impugned decision, which must be accompanied by reasons.
- An application to court may be brought in the ordinary course. For purposes of PAIA, any reference to an application to court includes an application to a Magistrates’ Court.
ANNEXURE 1: PRESCRIBED FEES
- The fee for a copy of the manual as contemplated in regulation 9(2)(c) is R1,10 for every photocopy of an A4-size page or part thereof.
- The fees for reproduction referred to in regulation 11(1) are as follows:
- For every photocopy of an A4-sized page or part thereof: R1,10
- For every printed copy of an A4-sized page or part thereof held on a computer or in electronic or machine-readable form: R0,75
- For a copy in a computer-readable form on:
- stiffy disc R7,50
- compact disc R70,00
- For visual images:
- For a transcription of visual images, for an A4-size page or part thereof R40,00
- For a copy of visual images R60,00
- For an audio record:
- For a transcription of an audio record, for an A4-size page or part thereof R20,00
- For a copy on an audio record R30,00
- The request fee payable by a requester, other than a personal requester, referred to in regulation 11(2) is R50,00.
- The access fees payable by a requester referred to in regulation 11(3) are as follows:
- Fees are:
- For every photocopy of an A4-size page or part thereof R1,10
- For every printed copy of an A4-size page or part thereof held on a computer or in electronic or machine-readable form R0,75
- For a copy in a computer-readable form on:
- stiffy disc R7,50
- compact disc R70,00
- For a transcription of visual images:
- for an A4-sized page or part thereof R40,00
- For a copy of visual images R60,00
- For a transcription of an audio record:
- For an A4-size page or part thereof R20,00
- For a copy of an audio record R30,00
- To search for and prepare the record for disclosure, R30,00 for each hour or part of an hour reasonably required for such search and preparation.
- For purposes of section 54(2) of the Act, the following applies:
- Six hours as the hours to be exceeded before a deposit is payable; and
- one third of the access fee is payable as a deposit by the requester.
- The actual postage is payable when a copy of a record must be posted to a requester.
- Deposits
- Where Company receives a request for access to information held on a person other than the requester himself/herself and the Information Officer upon receipt of the request is of the opinion that the preparation of the required record for disclosure will take more than 6 hours, a deposit is payable by the requester. The amount of the deposit is equal to 1/3 of the amount of the applicable access fee.
Please note: In terms of Regulation 8, Value Added Tax (VAT) must be added to all fees prescribed in terms of the Regulations. Therefore, the fees reflected above are VAT inclusive.