News / Legal Brief
The PAIA and POPIA dichotomy: What information are you requesting?
Dec 1,2021
Promotion of Access to Information Act, 2 of 2000
We have received numerous queries from clients seeking advice on attending to requests in terms of the Promotion of Access to Information Act, 2 of 2000 (“PAIA“) as well as the Protection of Personal Information Act, 4 of 2013 (“POPIA“).
What is evident is the tendency of both requesters/data subjects and private/public bodies (PAIA) or responsible parties (POPIA) to conflate or misinterpret the rights which may be exercised in terms of PAIA and POPIA. This results in requests being brought in terms of the incorrect legislative provision, for example where a POPIA request is brought disguised as a PAIA request or vice versa which can in effect invalidate the request.
POPIA
POPIA gives effect to section 14 of the Constitution of the Republic of South Africa, 1996 (“the Constitution“), which provides that everyone has the right to privacy. It does this whilst balancing the right to privacy against competing rights and interests, particularly the right to access to information. But also, in terms of POPIA a data subject has a number of rights including the right to –
- request a responsible party to confirm, free of charge, whether or not the responsible party holds personal information about the data subject;
- request from a responsible party the record or description of the personal information about the data subject held by the responsible party, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information;
- request a responsible party to correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, outdated, incomplete, misleading, or obtained unlawfully; and
- request a responsible party to destroy or delete a record of personal information about the data subject that the responsible party is no longer authorised to retain.
From the above, we see that POPIA requests deal with a person’s personal information meaning information about a data subject that another person (responsible party) holds or controls.
In terms of section 23(4)(a) of POPIA, a responsible party may or must refuse, as the case may be, to disclose any information requested in terms of POPIA. These are the same grounds for refusal of access to records as contained in PAIA (see Part 2, Chapter 4 and Part 3, Chapter 4).
When exercising a right in terms of POPIA, a data subject request should relate to personal information about them or about a third-party data subject on whose behalf the request is made.
Read more about POPIA: A Guide to the Protection of Personal Information Act of South Africa.
PAIA
PAIA gives effect to section 32 of the Constitution, which provides that everyone has the right to access information held by the State, as well as information held by a private body when such privately-held information is required for the exercise and protection of rights. This fosters a culture of transparency and accountability in both public and private bodies as defined in PAIA. It further upholds the constitutional values of participation and accountability.
Accordingly, section 11 of PAIA provides that a requester must be given access to a record of a public body provided that they comply with all the procedural requirements prescribed by PAIA and no grounds for refusal apply. Section 11(2) further provides that a request for a record excludes a request for access to a record containing personal information about the requester.
Section 50 of PAIA
Section 50 of PAIA provides for the right to access records of private bodies specifically. In terms of this provision, access to a record of a private body must be granted if that record is required for the exercise or protection of any right along with satisfying the procedural requirements and absence of grounds for refusal. Being able to exercise or protect any right as enabled by a PAIA request means that persons can lean on a broader spectrum of rights that are not necessarily linked to section 32 of the Constitution.
This is in contrast to a POPIA data subject access request which provides for specific instances or reasons on which a request can be made. Further, a request in terms of section 50 of PAIA includes a request for access to a record containing personal information about the requester or the person on whose behalf the request is made.
A distinction must be made to emphasise that requests in terms of PAIA relate to the records of a public or private body from which the request is made. In other words, it is not necessarily personal information that a requester is concerned with but rather any recorded information held by or under the control of the public or private body. This broadens the scope of information that can be requested under PAIA. Moreover, any person can bring a request in terms of PAIA.
PAIA provides a list of reasons or grounds on which a request for access to a record may or must be refused. This is important as the request can only be refused on the basis of one of these listed grounds. In short, there are two different types of grounds for refusal in terms of PAIA. Mandatory grounds and discretionary grounds. The mandatory grounds are as follows:
Mandatory grounds
- Mandatory protection of privacy of third party who is a natural person;
- Mandatory protection of certain records of the South African Revenue Service;
- Mandatory protection of commercial information of third party;
- Mandatory protection of certain confidential information, and protection of certain other confidential information, of a third party;
- Mandatory protection of safety of individuals, and protection of property;
- Mandatory protection of police dockets in bail proceedings, and protection of law enforcement and legal proceedings;
- Mandatory protection of records privileged from production in legal proceedings; and
- Mandatory protection of research information of third party, and protection of research information of public or private body.
The above mandatory grounds are somewhat the same for public and private bodies, except for the mandatory protection of certain records of the South African Revenue Service, police dockets in bail proceedings, law enforcement and legal proceedings, which are only applicable to public bodies.
Consequently, both requesters/data subjects and public/private bodies must be aware of what requests can be brought in terms of which legislation as well as under which circumstances. Should it be that a person is seeking to exercise rights in terms of POPIA, which are limited to data privacy and protection, then a request should be made in terms of POPIA in the form prescribed by the regulations thereof, or section 50 of PAIA where applicable.
However, where the request relates to the records of a public or private body then it should be made in terms of section 11 or 50 of PAIA and the form as specified in the PAIA Regulations, considering that persons may rely on a broader spectrum of rights which they seek to protect to justify their requests for records.
PAIA requests have escalated recently. Clearly understanding how to deal with these requests is undoubtedly important.
by Ahmore Burger-Smidt, Director and Head of Data Privacy and Cybercrime Practice and member of the Competition Law Practice; and Nyiko Mathebula, Candidate Attorney