What is the difference between PAIA and POPI?

What is the Difference between PAIA and POPI?

  • PAIA aims to promote the free flow of information (That should be public information)
  • POPI aims at to protect the flow of information (That should not be public domain, i.e. personal identity, contact details, residential addresses and many more….)

How can these Acts impact on you or your business?

PAIA (Promotion of Access to Information Act 2002):

  • PAIA is structured to allow for the application of section 32 of the Constitution of the Republic of South Africa.
  • The purpose of this legislation is to promote transparency, accountability and governance both in the private and public sectors

The need for a manual:

Manual Not Required

  • Does your business exceed R45million turnover per year?
  • Do you employ more than 50 people?
  • If you answer NO to both of these two questions, there is no need in the Retail Motor Industry for a manual to be prepared by you or for you. (note: other industries have varying values associated)

Manual Required

  • If you answer YES to either or both of the questions, you will be required to draft a PAIA manual known as a Section 51 Manual with the South African Human Rights Commission (SAHRC)
  • The manual must contain details of the business, such as the postal and street address, phone and fax number, and the electronic mail address of the head of the company, at the very least. The manual must also have sufficient details to facilitate a request for access to a record of the business, a description of the subjects in which the business holds records, and the categories of the records.
  • The Department of Justice and Constitutional Development, however, extended the exemption for certain private companies to compile a manual to 31 December 2020.

Who can request records from a business?

Anyone can ask for records from a private body (business), but the record must be needed for the exercise or protection of a right.

What kinds of information can be requested from a business?

  • The act defines a record as any recorded information that is in the possession or under the control of that business.
  • The act gives the right to request information from businesses. However, the right only exists to the extent that the record is required for the exercise and protection of rights.
  • The act gives the head of a private body(business) the right to refuse to disclose certain records in certain scenarios, for example the
  • Unreasonable disclosure of private information about a third party
  • Trade secrets
  • If the disclosure could reasonably expect to endanger the safety of an individual, etc.

POPI (Protection of personal information):

  • POPI is to protect personal information from being:
    • re-sold
    • causing inconvenience
    • damage
    • Loss or fraud related to the resale and use of that information.
  • POPI impacts on any personal information that is being gathered by companies. It clearly outlines:
    • The manner in which information should be stored
    • What care should be taken in dealing with that information
    • When that information has to be purged
    • Allows for no deviation from these rules.
  • The purpose of the Act is to protect personal information, to strike a balance between the right to privacy and the need for the free flow of, and access to information, and to regulate how personal information is processed.

Examples of “personal information” for an individual could include but limited to:

  • Identity and/or passport number
  • Date of birth and age
  • Phone number/s (including mobile phone number)
  • Email address/es
  • Online/Instant messaging identifiers
  • Physical address
  • Gender, Race and Ethnic origin
  • Photos, voice recordings, video footage (also CCTV), biometric data
  • Marital/Relationship status and Family relations
  • Criminal record
  • Private correspondence
  • Religious or philosophical beliefs including personal and political opinions
  • Employment history and salary information
  • Financial information
  • Education information
  • Physical and mental health information including medical history, blood type, details on your sex life
  • Membership to organisations/unions


  • The Act applies to anyone who keeps any type of records relating to the personal information of anyone, unless those records are subject to other legislation which protects such information more stringently.
  • It therefore sets the minimum standards for the protection of personal information.
  • It regulates personal information “PROCESSING” which includes:
    • Collecting,
    • Receiving,
    • Recording,
    • Organising,
    • Retrieving
    • Using such information
    • Disseminating
    • Distributing or making such personal information available.
    • The Act will also relate to records which you already have in your possession.

Modern technology makes it easy to access, collect and process high volumes of data at high speeds. This information can then be sold, used for further processing and/or applied towards other ends. In the wrong hands such ability can cause irreparable harm to individuals and companies.

To protect your right to privacy and abuse of your information, data protection legislation is necessary, even if it means imposing some social limits on society to balance the technological progress.

It is important to note, though, that this right to protection of “personal information” is not just applicable to a natural person (i.e. an individual) but any legal entity, including companies and also communities or other legally recognised organisations.

All of these entities are considered to be “data subjects” and afforded the same right to protection of their information.

So this means that while you as a consumer now have more rights and protection, you and your company/organisation are considered “responsible parties” and have the same obligation to protect other party’s personal information. As a company this would include protecting information about your

  • employees
  • suppliers
  • vendors
  • service providers
  • Business partners, etc.

Any company that keeps personal information is required to take steps to prevent the

  • Loss
  • Damage
  • Unauthorised destruction of the personal information.
  • Prevent unlawful access
  • Unlawful processing.

Businesses are required to identify all risks and establish and maintain safeguards against these identified risks.

As usual, ignorance of the law is no excuse. Incorporating PoPI into the day-to-day operations of your business will most likely require a significant amount of time and effort, including: educating and training staff, updating business processes and implementing or updating technology solutions.

The road to compliance:

  1. Conduct an audit of all systems to understand:
    1. what data is held,
    2. where it is held
    3. Identify where the gaps are.
  2. Determine what measures will be needed, whether interim or long-term, and then to put these in place accordingly.
  3. A full assessment of all internal systems users to ascertain what:
    1. profiles need to be added,
    2. What access permissions need to be modified, granted or taken away.
  4. Ensure there are proper policies and procedures in place for the dissemination of any information into and out of the company.

NOTE: It is important to make sure user management measures are in place and implemented properly throughout the organisation. If this is not managed properly, it can become a bit chaotic over time.


Should there be interference with a data subject’s protection of personal information, the aggrieved party may lodge a complaint with the Information Regulator. A negotiated settlement is one of the possible outcomes of the complaints procedure. The Regulator does not require a court order to institute a fine for negligence or non-compliance in favour of the aggrieved party in terms of POPI.

POPI further provides for civil remedies where the court may award amounts that, in its discretion, are just and equitable. Such amounts include:

  • Payment for damages as compensation for losses suffered by a data subject as a result of a breach of a provision of POPI
  • Aggravated damages
  • Interest, and
  • Costs on a scale as determined by the court.

For any party being convicted of an offence in terms of POPI.

  • A maximum period of imprisonment of 10 years
  • An undisclosed maximum fine can be levied.
  • The Regulator may institute administrative fines up to an amount of R10 million.

Please note the above is a brief analysis of two extremely complex pieces of legislation, and its purpose is to provide a brief understanding of the two acts. However, should you require any further information on these subjects please feel free to contact the regulatory compliance manager, Julian Pillay on 0825606625 or julian.pillay@rmi.org.za

Source: RMI