
POPIA vs PAIA: Navigating South Africa’s Data Privacy Legislation  

It makes sense that business owners feel overburdened and confused by the plethora of abbreviations they constantly come across, especially given the current attention on POPIA now that its implementation date of July 1, 2021 has passed.

The Protection of Personal Information Act No. 4 of 2013 (“POPIA”) and the Promotion of Access to Information Act No. 2 of 2000 (“PAIA”), both information laws of South Africa, have a unique relationship.

While POPIA is concerned with privacy and avoiding information disclosure, PAIA is primarily a law about access to information.   

It is critical to realize that these two Acts work together to ensure proper information management and processing rather than standing in opposition to one another.

Now the question arises: “What is the difference between the two Acts?”

In this article, we have discussed some significant differences between POPIA and PAIA; keep reading to know more and stay updated.  

What is POPIA?  

Section 7(2) of the Constitution mandates that the state respects, protects, promotes, and fulfills the rights outlined in the Bill of Rights.   

Section 14 of the South African Constitution establishes the right to privacy as a fundamental constitutional right.   

Several legal regulations are pertinent to the right to privacy.

The Protection of Personal Information Act 4 of 2013 (POPIA) is a significant piece of legislation concerning data protection.

On November 19, 2013, POPIA was signed into law.   

A part of the law went into effect on April 11, 2014.   

As of July 1, 2021, the remaining provisions of the Act are fully operational, following the establishment of the Information Regulator.

POPIA gives the Information Regulator teeth, granting it broad authority to investigate and penalize at-fault parties.

The Information Regulator will receive complaints from data subjects and have the authority to act on their behalf.   

Regulation and enforcement of both the Promotion of Access to Information Act 2 of 2000 (PAIA) and POPIA are the responsibility of the Information Regulator.

What is PAIA?  

PAIA stands for Promotion of Access to Information Act and became operational on March 9, 2001.  

PAIA gives effect to another constitutional right: the right of access to information, particularly where that information is necessary to exercise or protect any rights.

By implementing the right to access information, PAIA seeks to promote a culture of accountability and transparency in both public and private entities.  

A few limitations apply to this right, such as the grounds for refusal stated by PAIA.  

A request for a record from a public body does not include a request for access to a record that contains personal information about the requester.

A request for a record of a private body, on the other hand, does include a record that contains personal information about the person making the request, i.e., the requester or the person on whose behalf the request has been made.

When considered collectively, POPIA and PAIA uphold the constitutional right to privacy while incorporating reasonable limitations that balance the right to privacy against the accessibility of information.

Personal Information as per PAIA and POPIA  

According to the PAIA, “Personal Information” refers to data that can identify a natural person, such as names, home addresses, photos, and other details. However, information on a person who passed away more than 20 years ago is not included.   

Under POPIA, on the other hand, “personal information” refers to data about an identifiable, living person and, where applicable, an identifiable, existing juristic person.

Business Obligations and Data Subject Rights under POPIA and PAIA  

Under PAIA (as amended by Schedule 1 to POPIA), public and private bodies must create a manual that tells an individual how to gain access to the information the body holds and outlines the minimum standards that must be met.

Everyone’s constitutional right to privacy is upheld under POPIA.   

It protects personal data processed by public and private bodies and establishes minimum standards for such processing under specific conditions.

Under the Protection of Personal Information Act (POPIA), data subjects (the individuals whose personal data is processed) have certain rights.

These rights include the right to ask the responsible party to confirm, at no cost to the individual, whether the responsible party has personal information about the individual.   

Additionally, the individual may request from the responsible party a record, or a description of the personal information held by the responsible party about the individual, including details about the identities of any third parties or groups of third parties who have or had the information.   

The responsible party may not refuse to give the data subject access to this information unless it has grounds for refusal, as stated in PAIA.  

Who is responsible for ensuring compliance with these laws?  

The responsible party, which can be a public or private body, or any individual who decides, either independently or in tandem with others, the purpose and means of processing personal data, should designate an Information Officer within their organization to promote compliance with these regulations, handle requests from the public, and notify the Information Regulator of any breaches involving personal data.   

A business’s Chief Executive Officer, owner, equivalent executive, or any individual formally appointed by the company will serve as its Information Officer.  

This should be someone who is aware of and actively involved in the information processing methods used by the business.

It is critical to understand the Information Officer’s responsibilities, which are covered in further detail in POPIA Sections 55 and 56.   

These responsibilities consist of:   

  • Encouraging the company to comply with the requirements for lawfully processing personal data.
  • Responding to requests made to the company under POPIA.
  • Collaborating with the Regulator on inquiries about the business carried out under POPIA Chapter 6.
  • Ensuring that the company complies with POPIA’s regulations.

Registration of the Information Officer with the Information Regulator is required under POPIA.  

The process of registering your Information Officer consists of two steps: first, the Information Officer must be appointed within the company, which can be done through a directors’ resolution; second, the appointment must be registered with the Information Regulator.

Before beginning their responsibilities under PAIA and POPIA, Information Officers must register with the Information Regulator under Section 55(2) of POPIA; registration is a prerequisite for carrying out their tasks.

How do you know if your company should have a PAIA manual?  

Recently, the Minister of Justice and Correctional Services published a notification exempting some organizations from the requirement to create a PAIA manual.   

You are exempt from creating a manual if your business is a private company, as defined by the Companies Act, and does not operate in any of the sectors or industries listed below.

You must create a manual if you are a private company that operates in any of the sectors or industries listed below and employs 50 or more people.

You must also create a manual if your private company operates in any of the sectors or industries below and your annual turnover meets or exceeds the threshold given for that industry.

Industry or Sector                                        Turnover Threshold
Agriculture                                               R6 million
Mining and Quarrying                                      R22,5 million
Manufacturing                                             R30 million
Electricity, Gas and Water                                R30 million
Construction                                              R15 million
Retail and Motor Trade and Repair Services                R45 million
Wholesale Trade, Commercial Agents and Allied Services    R75 million
Catering, Accommodation, and other Trade                  R15 million
Transport, Storage and Communications                     R30 million
Finance and Business Services                             R30 million
Community, Special and Personal Services                  R15 million

Upon request, the Information Officer will give copies of the manual to anybody who pays a fee that the Regulator will periodically set.  

It is crucial to remember that if any part of these Acts is violated, your company could face an administrative fine, and the person responsible could face imprisonment.

Thus, it is advised that the company designate an individual with a level of responsibility equivalent to the Chief Executive Officer as the Information Officer, to ensure compliance with these laws.

Conclusion  

While POPIA and PAIA are related to information governance, they focus on different aspects of data management. POPIA focuses on protecting privacy, while PAIA stresses transparency and easy access to information. Despite their differences, these Acts protect constitutional rights and establish necessary standards for information processing, with companies required to designate Information Officers to ensure compliance. By understanding and adhering to the nuances of POPIA and PAIA, businesses can navigate the complex field of data regulation, ensuring they maintain ethical data practices while remaining legally compliant.