OK so now that the POPIA deadline has passed don’t forget about PAIA!
While most of us may have been focussing on implementing our action plans to ensure that we are compliant with the Protection of Personal Information Act (POPIA), we should also consider the Promotion of Access to Information Act (PAIA).
It is important to consider the difference between these two laws
In short, the objective of POPIA is to give effect to the constitutional right of privacy whereas PAIA is essentially an access law to give effect to the constitutional right to access to information. It is worthwhile noting that PAIA is also not restricted to personal information. Both these laws are complimentary.
Some further context includes:
- POPIA affords the right to protection against the unlawful collection, retention, dissemination and use of personal information. It governs processing personal information in a responsible way.
- PAIA provides a right of access to information held by private and public bodies.
Who governs what?
The Information Regulator was originally empowered to monitor and enforce compliance with POPIA. The PAIA mandate was originally held by the South African Human Rights Commission (SAHRC). However, effective 30 June 2021 the Information Regulator now also has the responsibility for regulatory mandate functions relating to PAIA. Thus, the Information Regulator now assumes powers for both POPIA and PAIA.
Should every private and public body have a PAIA manual?
The short answer is YES!
The exemption that was in place to exempt smaller private bodies to develop and implement a PAIA manual expired on 30 June 2021 but was further extended to 31 December 2021. This means that effective 1 January 2022 all public and private bodies MUST have their PAIA manuals available (either at their principal place of business or their website).
Considerations
A further consideration, over and above the implementation of POPIA, is to follow a pragmatic approach to PAIA and POPIA. This includes the drafting and implementation of a PAIA manual, identifying the most appropriate senior person to appoint as your information officer, and implementation of these requirements in group structures. Lastly, you may want to consider how to streamline and simplify your approach to ensure that these provisions enable consumers to act on their constitutional rights to access and privacy.
Focus efforts on fixing the basics, protect what matters for your business and be ready to react when required.