PAIA regulates the constitutional right of ‘access to information’ held by public and private institutions, and stipulates conditions for how one may request access to this information.
“Everyone has the right of access to – (a) any information held by the state; and (b) any information that is held by another person and that is required for the exercise or protection of any rights.” Section 32(1) of South Africa’s Constitution.
PAIA Manual
Section 51 PAIA (which was profoundly amended by POPIA) requires all private companies to make a “Manual” available. This Manual essentially explains how people may request access to information held by companies. The exemption from this obligation expired on 31 December 2021. As of 1 January 2022, all public and private bodies must have their PAIA Manual available at their principal place of business, on their website, and to anyone who requests it.
PAIA versus POPIA
Access to information (PAIA) and protection of (personal) information (POPIA) are two opposite sides of the same coin. The former encourages transparency, openness and the free flow of data. The latter attempts to restrict that flow. The former is a founding principle in democratic societies where citizens need to be able to inform themselves. The latter is a founding principle of liberal societies where individuals autonomously control which information about them may be shared and used. Both rights may clash, and therefore need to be balanced with one another.
While there are some administrative and procedural requirements in terms of POPIA and PAIA, it is important to remember that these are not central to what they are trying to accomplish. What is central is their requirement to manage information respectful of the interests of data subjects and informed citizens.
How is PAIA different from POPIA?
1 / The information PAIA promotes the access to, is not necessarily “personal information” as defined in POPIA – it can be any information.
2 / In terms of POPIA as well as PAIA, a request to access “information” needs to demonstrate that this access is required to exercise or protect another right. It may seem bizarre that s25 POPIA refers to this condition in s53(2)(d) – after all, the right to access information about oneself is a right in itself, and does not need further justifications.
3 / A POPIA as well as a PAIA request to access information may or must be refused for a number of reasons, including the protection of third parties or confidential information (ss62 – 69 PAIA). Again, this reference in s23(4) POPIA may seem counterintuitive – how could a third party’s rights trump my personal right to have access to my personal information held by an institution?