The clock is ticking - Update your PAIA manual to comply with POPIA
Authors: Natasha Jansen – Consultant & Zaakira Haffejee – Associate
With just a few weeks remaining until the one-year grace period for compliance with the Protection of Personal Information Act 4 of 2013 (POPIA) expires on 30 June 2021, organisations are racing against the clock to ensure that they meet the deadline.
In addition to the need to register Information Officers and submit applications for prior authorisation to the Information Regulator before the 30 June deadline, organisations must also be mindful of the impact of POPIA on information manuals published under the Promotion of Access to Information Act 2 of 2000 (PAIA).
PAIA facilitates access to information by enabling individuals and organisations to approach public and private bodies to request access to information that is required for the exercise and/or protection of any rights. On request, the public or private body is obliged to release such information held by it, unless PAIA expressly states that access can be refused on the grounds specified in the Act.
One of the main requirements of PAIA is the compilation of an information manual, generally referred to as a PAIA manual, in terms of section 14 (for public bodies) or section 51 (for private bodies), that provides information on the types and categories of records held by that body.
POPIA has amended certain provisions of PAIA, balancing the need for access to information against the need to ensure the protection of personal information, and organisations must ensure that their PAIA manuals are updated to reflect these amendments.
Under the amendments, an organisation’s information manual must, in addition to the existing disclosures required by PAIA, also include the following information relating to POPIA:
The purposes for which the organisation processes personal information;
A description of the categories of data subjects and the type of personal information collected by the organisation for each identified data subject category;
The recipients or categories of recipients that the personal information may be supplied to;
Planned trans-border flows of personal information; and
A general description (allowing for a preliminary assessment of the suitability) of the information security measures that will be implemented by the responsible party to ensure the confidentiality, integrity and availability of the personal information which it processes.
To a large extent, the amendments to PAIA are aimed at harmonising the provisions of POPIA and PAIA.
Updated PAIA manuals must be filed with the Information Regulator (who will take over the responsibility of regulating and monitoring PAIA compliance from the South African Human Rights Commission) before the 30 June 2021 deadline. The updated PAIA manual must also be available to the public on the organisation’s website and at its offices for inspection during normal business hours.
Certain organisations are exempt from compiling a PAIA manual. In December 2020, the Minister of Justice published a Notice exempting certain private bodies from compiling a PAIA manual for a period of six months from 1 January 2021. Private companies with fewer than 50 employees or with a turnover of less than the amounts stipulated per sector in the schedule to the Notice are exempt from compiling a PAIA manual until 30 June 2021.
However, there is still some uncertainty as to whether businesses that were previously exempt from having a PAIA manual will now be required to have one relating to the processing of personal information. It remains to be seen whether the Information Regulator will step in and provide some much-needed clarity.
Contact the Lawtons Africa Data Privacy and POPIA team for assistance with compiling or updating your organisation’s PAIA manual to align with the requirements of POPIA.
The Lawtons Africa Data Privacy and POPIA team is well placed to take clients through their entire data privacy compliance journey, providing training and awareness, data privacy gap assessments, legal advice around POPIA compliance measures, and drafting privacy-related documents, policies and agreements. Contact us for more information on how we can guide and assist you with effectively incorporating and implementing POPIA into your business.
Lawtons Africa is a South African law firm. With roots that grew out of seeds sown in downtown Johannesburg in 1892, our history features various changes and different names. Our team of lawyers, including directors, consultants, associates and candidate attorneys, is highly qualified, market-recognised and skilled. For further information, visit www.lawtonsafrica.com.