PAIA Manual
and POPI Act
Become Compliant / Stay Compliant!

“If you think compliance is expensive, try non-compliance.”
Former U.S. Deputy Attorney General Paul McNulty

Explanatory Note:

1) Promotion of Access to Information Act (PAIA) 

  • The Promotion of Access to Information Act (PAIA) came into operation on 9 March 2001.

In terms of the Constitution and PAIA, all people in South Africa, including non-nationals, can request information from public and private bodies.

With effect from 1 January 2022, all Public and Private Bodies must have their PAIA Manuals available at their principal place of business and on their official website (if any).

Access to information and the protection of certain types of personal information rights in South Africa are entrenched in the Constitution and are mainly regulated by the Promotion of Access to Information Act (PAIA) and the Protection of Personal Information Act (POPI). 

2) Protection of Personal Information Act (POPIA)

The POPI Act applies to every business in South Africa (even international companies that do business in South Africa) that collects, uses, stores or destroys personal information from a data subject (the natural or legal entity to whom the information belongs), whether or not such processing is automatic.

  • The Protection of Personal Information Act (POPIA) of 2013 came into effect on 1 July 2020, but companies had a one-year grace period, from 1 July 2020 until 30 June 2021, to fully implement the POPI Act requirements.

ALL entities must be POPIA compliant – mandatory since 1 July 2021 – or face harsh penalties.

“Failure to comply with certain provisions of POPIA may result in the Information Regulator (IR) imposing an administrative penalty of up to R10 million as of 1 July 2021 or to imprisonment for a period not exceeding 10 years, or to both a fine and such imprisonment.”

Businesses are thus compelled by law to compile, submit and streamline certain documents on an ongoing basis.

The Information Regulator

  • The Information Regulator is an independent body that monitors and enforces compliance with the Protection of Personal Information Act (POPIA) in South Africa.
  • It has extensive powers to investigate and fine responsible parties who violate the Act.
  • The Information Regulator’s ability to issue fines and act against violations is a key aspect of its role in enforcing data protection and privacy laws.
  • On the 3rd of June 2023, the Information Regulator issued an infringement notice to the Department of Justice and Constitutional Development, ordering it to pay a R5 million fine for a data leak.
  • This proactive enforcement approach is designed to create a strong incentive for organisations to prioritise data protection and take the necessary steps to prevent data breaches.
  • It’s thus important for organisations to be aware of the Information Regulator’s powers and to comply with the provisions of POPIA to avoid potential fines and other enforcement actions.

Be Compliant – Act TODAY!

Contact the Pro-Risk™ Consultant TODAY to kickstart your journey to compliance and peace of mind!
Manuals and relevant Documentation will be prepared in either English or Afrikaans or, on request, in both languages.