How to Build a PAIA Manual for Your Business

A PAIA manual is a legal requirement most South African businesses have never heard of. Here's what it is, who needs one, what it must contain, and how to build it step by step.

6 August 2026 · 8 min read · Montana Data Company · Compliance Team

The PAIA manual is one of the most consistently overlooked compliance requirements in South African business. Unlike POPIA — which has received significant awareness through compliance campaigns, legal commentary, and media coverage — the Promotion of Access to Information Act manual requirement is almost entirely unknown among SME owners and managers.

Yet it is a legal obligation that applies to virtually every South African private body, and non-compliance exposes your organisation (and your Information Officer personally) to enforcement action. Here is everything you need to know to build one.

What Is a PAIA Manual?

The Promotion of Access to Information Act (PAIA), Act 2 of 2000, gives South Africans the right to access records held by public and private bodies — a constitutional right derived from Section 32 of the Constitution. PAIA requires every private body (which includes any company, close corporation, partnership, trust, or sole trader) to prepare a manual that tells the public how to exercise this right.

The PAIA manual is, in essence, a reference document that answers the question: "If I want to access records your organisation holds, how do I do it, and what do I need to know?"

Its relevance to POPIA is direct: POPIA's openness condition (Condition 6) requires responsible parties to maintain and publish documentation that enables data subjects to exercise their rights, and compliance with PAIA's manual requirement is part of satisfying that condition.

Who Needs a PAIA Manual?

Every private body. PAIA Section 51 applies to all private bodies regardless of size, turnover, or industry. A sole trader, a two-person partnership, a startup, and a JSE-listed company all have the same obligation.

The distinction is in what you must do with the manual once it exists:

  • Private bodies with fewer than 50 employees: Must prepare the manual and make it available upon request. No submission to a government body is required, but the manual must be prepared and maintained.
  • Private bodies with 50 or more employees: Must prepare the manual and submit it to the South African Human Rights Commission (SAHRC). The SAHRC maintains a register of submitted manuals.

Both categories must make the manual available to anyone who requests it, and must publish it on their website if they have one.

What Must a PAIA Manual Contain?

PAIA Section 51 prescribes the content of the manual. It must include:

1. Contact Details of the Information Officer

The manual must identify the organisation's Information Officer (the person designated to handle access requests), including their name, position, and contact details. This must be kept up to date — an outdated contact in the manual creates practical problems when a request arrives.

2. Description of the Organisation

A brief description of the organisation: its legal name, registration details, the nature of its business, and its physical and postal address.

3. Categories of Records Held

A description of the categories of records held by the organisation that are available without a formal PAIA request (i.e., publicly available records), and the categories that are available upon request.

This section requires you to have done at least a basic data inventory — you cannot describe your records if you do not know what you hold. Common categories include:

  • Personnel and HR records
  • Client and customer records
  • Financial and accounting records
  • Correspondence
  • Contracts and agreements
  • Regulatory and compliance records
  • Operational and project records

4. Description of Records Available Without Request

Some records must be made available to the public automatically, without requiring a formal PAIA request. These typically include your privacy policy, your PAIA manual itself, and any records required to be made publicly available by other legislation.

5. Access Request Procedure

A step-by-step description of how to submit a formal access request, including:

  • The prescribed form (Form C, available from the SAHRC website)
  • Where to submit the form (the Information Officer's address)
  • The request fee (currently R50 for a private body, plus reproduction and access fees)
  • The timeframe for response (30 days from receipt, with a possible 30-day extension)
  • The grounds on which a request may be refused
  • The appeal and review process if a request is refused

6. Remedies for Refusal

A description of the remedies available to a requester if access is refused, including the internal appeal process (if any) and the right to approach the Information Regulator or court for review.

7. Subjects Held

A description of the subjects on which the body holds records — in other words, the categories of individuals and entities about whom you hold personal information. This directly connects to your POPIA data inventory.

Step-by-Step: Building Your PAIA Manual

Step 1: Appoint and Register Your Information Officer

Your PAIA manual must identify a registered Information Officer. If you have not yet registered your Information Officer with the Information Regulator, do this first. Registration is free and takes approximately 20 minutes on the Regulator's online portal.

Step 2: Conduct a Basic Data Inventory

You need to know what records you hold before you can describe them. For SMEs, this does not need to be exhaustive — a high-level inventory by category (HR, clients, financial, correspondence, contracts) is sufficient for PAIA manual purposes.

Step 3: Download the SAHRC Template

The South African Human Rights Commission provides a template for the PAIA manual that structures the required content. Download the current template from the SAHRC website and use it as your framework. Do not start from a blank page — the template ensures all required sections are covered.

Step 4: Populate Each Section

Work through each section of the template using the information from your data inventory and the procedural information described above. Be accurate and specific — a manual that describes categories of records you do not actually hold, or that provides an incorrect contact for the Information Officer, is worse than no manual.

The access request procedure section can be completed with reference to PAIA's prescribed requirements — the form, fee, and timeline are specified in the Act and its regulations, so this section is largely standardised.

Step 5: Have It Reviewed

For SMEs, a legal review by a POPIA-familiar attorney is advisable before finalising the manual — not because the drafting is complex, but because an attorney can confirm that the records description accurately reflects your processing activities and that the access procedure is correctly stated.

Step 6: Publish and Submit

Publish the manual on your website. If your organisation has 50 or more employees, submit it to the SAHRC through their online portal. Keep a copy on record with a version date.

Step 7: Maintain and Update

The manual is a living document. When your Information Officer changes, update the manual and resubmit if required. When you add significant new categories of records (a new CRM system, a new employee benefit scheme), update the relevant sections. Review the manual annually as part of your POPIA compliance review cycle.

What Happens If You Do Not Have One?

PAIA non-compliance is enforceable by the Information Regulator. A person who is refused access to records, or who cannot determine how to submit a request because no manual exists, can complain to the Regulator. The Regulator can investigate, issue enforcement notices, and impose penalties.

More practically: the absence of a PAIA manual is visible evidence of non-compliance that any client, auditor, or regulator can verify. As POPIA enforcement matures and due diligence processes increasingly include data protection assessments, the absence of a PAIA manual will become a flag in supplier and partner assessments.

The good news is that building a PAIA manual is not a significant undertaking. For most SMEs, the manual can be prepared in a day using the SAHRC template. The harder prerequisite — the data inventory — is work that needs to be done for POPIA compliance anyway. The manual is a direct output of that process.
