Subscribe to industry newsletters


Inside the Information Regulator's PAIA manual

On 3 November 2021, the Information Regulator (the Regulator) published its manual as required by the Promotion of Access to Information Act, 2000 (PAIA). The manual sets out the types of information held by the Regulator and how to obtain or apply for access to them.
Image source: © iqoncept –
Image source: © iqoncept – 123RF.com

An organogram of the structure of the Regulator and the functions performed by its divisions and units are included in the manual. The manual identifies Mosalanyane Mosala and Varsha Sewlal as the Regulator's information officer and deputy information officer, respectively. Requests for access to information are to be made to the information officer in the manner prescribed in the manual, which largely mirrors section 18 of PAIA and section 23 of the Protection of Personal Information Act, 2013. The manual provides that the decisions of the information officer/s in this regard may be appealed and sets out the relevant procedure and prescribed forms to do so.

The manual also sets out the various categories of records held by the Regulator and identifies those categories which the Regulator may refuse access to, such as confidential client communications and internal communiqués. Categories of information which are available without having to request access are also identified.

The nature and extent of all processing of personal information undertaken by the Regulator is described in the manual. Specific categories of data subjects and the personal information that the Regulator processes about them are identified, along with the purposes of all processing. The manual includes details of the third parties to whom it transfers data subjects' personal information, such as complainants, service providers, regulatory authorities, law enforcement agencies and the Courts. The Regulator states that it currently does not intend to transfer any personal information offshore.

The manual provides some useful insights into the information security measures taken by the Regulator, which include access control; data encryption; data backups; and anti-virus and anti-malware solutions (among others).

Let's do Biz