PAIA Manual

THE PROMOTION OF ACCESS TO INFORMATION MANUAL ("Manual")

The Promotion of Access to Information Act, 2000 ("PAIA") came into operation on 9 March 2001. PAIA seeks, among other things, to give effect to the Constitutional right of access to any information held by the State or by any other person where such information is required for the exercise or protection of any right and gives natural and juristic persons the right of access to records held by either a private or public body, subject to certain limitations, in order to enable them to exercise or protect their rights. Where a request is made in terms of PAIA to a private body, that private body must disclose the information if the requester is able to show that the record is required for the exercise or protection of any rights and provided that no grounds of refusal contained in PAIA are applicable. PAIA sets out the requisite procedural issues attached to information requests.  

Section 51 of PAIA obliges private bodies to compile a manual to enable a person to obtain access to information held by such body and stipulates the minimum requirements that the manual has to comply with.

This Manual constitutes Kriel & Co’s PAIA manual. This Manual is compiled in accordance with section 51 of PAIA as amended by the Protection of Personal Information Act, 2013 ("POPIA"), which gives effect to everyone’s Constitutional right to privacy and largely commenced on 1 July 2020. POPIA promotes the protection of personal information processed by public and private bodies, including certain conditions so as to establish minimum requirements for the processing of personal information. POPIA amends certain provisions of PAIA, balancing the need for access to information Kriel & Co against the need to ensure the protection of personal information by providing for the establishment of an Information Regulator to exercise certain powers and perform certain duties and functions in terms of POPIA and PAIA, providing for the issuing of codes of conduct and providing for the rights of persons regarding unsolicited electronic communications and automated decision making in order to regulate the flow of personal information and to provide for matters concerned therewith.

This PAIA manual also includes information on the submission of objections to the processing of personal information and requests to delete or destroy personal information or records thereof in terms of POPIA.

Kriel & Co is an IMCSA accredited management consulting practice specializing in change management, digital transformation, and data privacy.

Kriel & Co’s Managing Director has three senior associates as direct reports, to whom other associates, staff and contractors report to. 

Name of Private Body:    Kriel and Co (Pty) Ltd
Information Officer:     Francois Kriel
Email address of Information Officer:     francois@krielandco.com 

Postal address:     Colab, 194 Bancor Ave, Menlyn Maine.
Street address:     Colab, 194 Bancor Ave, Menlyn Maine.
Phone number:     (+27) 012 881 6533

An official Guide has been compiled which contains information to assist a person wishing to exercise a right of access to information in terms of PAIA and POPIA. This Guide is made available by the Information Regulator (established in terms of POPIA). Copies of the updated Guide are available from Information Regulator and the Information Officer free of charge. Any request for public inspection of the Guide at the office of the Information Officer or a request for a copy of the Guide from the Information Officer must substantially correspond with Form 1 of Annexure A to Government Notice No. R.757 dated 27 August 2021 promulgated under the PAIA Regulations. Please refer to Annexure C.

Any enquiries regarding the Guide should be directed to:
Physical Address:    JD House 
27 Stiemens Street
Braamfontein
Johannesburg, 2001
Postal Address:     P.O. Box 31533
Braamfontein
Johannesburg, 2017

Telephone Number:     +27 (0) 10 023 5207 
E-mail Address:     inforeg@justice.gov.za 

Website:     https://www.justice.gov.za/inforeg/ 

The objectives of this Manual are:

• to provide a list of all records held by the legal entity;
• to set out the requirements with regard to who may request information in terms of PAIA as well as the grounds on which a request may be denied;
• to define the manner and form in which a request for information must be submitted; and
• to comply with the additional requirements imposed by POPIA.

PAIA provides that a person may only make a request for information if the information is required for the exercise or protection of a legitimate right.

Information will therefore not be furnished unless a person provides sufficient particulars to enable Kriel & Co to identify the right that the requester is seeking to protect as well as an explanation as to why the requested information is required for the exercise or protection of that right.  The exercise of a data subject’s rights is subject to justifiable limitations, including the reasonable protection of privacy, commercial confidentiality and effective, efficient and good governance. PAIA and the request procedure contained in this Manual may not be used for access to a record for criminal or civil proceedings, nor should information be requested after the commencement of such proceedings.

The Information Officer has been delegated with the task of receiving and co-ordinating all requests for access to records in terms of PAIA, in order to ensure proper compliance with PAIA and POPIA.

The Information Officer will facilitate the liaison with the internal legal team on all of these requests.

All requests in terms of PAIA and this Manual must be addressed to the Information Officer using the details in paragraph 3 above.

Personnel Information:
These records include employment contracts of all Kriel & Co employees, employment policies and remuneration details.  
Business records of Kriel & Co:

These records include:  
a)    Financial records  
b)    Minutes of meetings of the executive committee, departmental meetings, and staff meetings
c)    Strategic plans and other operational policies 
d)    Annual reports and other statutory reports 
e)    Newsletters, press releases and other publications 
9.    AUTOMATICALLY AVAILABLE INFORMATION
Information that is obtainable via Kriel & Co’s website about Kriel & Co is automatically available and need not be formally requested in terms of this Manual.

Information that is obtainable via Kriel & Co’s website about Kriel & Co is automatically available and need not be formally requested in terms of this Manual.

11.1.    Categories of personal information collected by Kriel & Co 

Kriel & Co may collect information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to-
-    information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
-    information relating to the education or the medical, financial, criminal or employment history of the person;
-    any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
-    the biometric information of the person;
-    the personal opinions, views or preferences of the person;
-    correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
-    the views or opinions of another individual about the person; and
-    the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;

11.2.    The purpose of processing personal information

In terms of POPIA, personal information must be processed for a specified purpose. The purpose for which personal information is processed by Kriel & Co will depend on the nature of the personal information and the particular data subject. This purpose is ordinarily disclosed, explicitly or implicitly, at the time the personal information is collected.
In general, personal information is processed for purposes of dealing with complaints under the Consumer Protection Act, 2008, procurement purposes, records management, security, employment, and related matters.

11.3.    A description of the categories of data subjects 

Kriel & Co holds information and records on the following categories of data subjects: 
-    Employees / personnel of Kriel & Co;
-    Any third party with whom Kriel & Co conducts business;
-    Contractors of Kriel & Co;
-    Suppliers of Kriel & Co;
-    Clients and Research subjects of Kriel & Co.
(This list of categories of data subjects is non-exhaustive.)

11.4.    The recipients or categories of recipients to whom the personal information may be supplied

Depending on the nature of the personal information, Kriel & Co may supply information or records to the following categories of recipients:
-    Statutory oversight bodies, regulators or judicial commissions of enquiry making a request for personal information;
-    Any court, administrative or judicial forum, arbitration, statutory commission, or ombudsman making a request for personal information or discovery in terms of the applicable rules;
-    South African Revenue Services, or another similar authority; 
-    Anyone making a successful application for access in terms of PAIA or POPIA; and
-    Subject to the provisions of POPIA and other relevant legislation, Kriel & Co may share information about a client’s creditworthiness with any credit bureau or credit providers industry association or other association for an industry in which Kriel & Co operates.

11.5.    Planned transborder flows of personal information

If a data subject visits Kriel & Co’s website from a country other than South Africa, the various communications will necessarily result in the transfer of information across international boundaries.
Kriel & Co may need to transfer a data subject's information to service providers in countries outside South Africa, in which case it will fully comply with applicable data protection legislation. 
These countries may not have data-protection laws which are similar to those of South Africa.

11.6.    A general description of information security measures implemented and maintained by Kriel & Co

Kriel & Co takes extensive information security measures to ensure the confidentiality, integrity and availability of personal information in our possession. Kriel & Co takes appropriate technical and organisational measures designed to ensure that personal information remains confidential and secure against unauthorised or unlawful processing and against accidental loss, destruction or damage over and above the general requirements and code of ethics of the Institute of Managements Consultants of South Africa (IMCSA). Details of our internal Cyber Policy and Cyber Security Standards (aligned with the standards of our Insurers) is available upon request.

Information is available in terms of certain provisions of the relevant legislation to the persons or entities specified in such legislation:

• Administration of Estates Act 66 of 1965
• Basic Conditions of Employment Act 75 of 1997
• Consumer Protection Act 68 of 2008
• Close Corporations Act 69 of 1984
• Companies Act 61 of 1973
• Compensation for Occupational Injuries and Health Diseases Act 130 of 1993
• Employment Equity Act 55 of 1998
• Estate Agency Affairs Act 112 of 1976
• Income Tax Act 58 of 1962
• Insolvency Act No. 24 of 1936 
• Labour Relations Act 66 of 1995
• Occupational Health & Safety Act 85 of 1993
• Pension Funds Act 24 of 1956
• Skills Development Act 97 of 1998
• Skills Development Levies Act 9 of 1999
• Stock Exchanges Control Act 1 of 1985 (and the rules and listing requirements of the JSE Securities Exchange authorised in terms thereof)
• Unemployment Contributions Act 4 of 2002
• Unemployment Insurance Act 30 of 1966
• Value Added Tax Act 89 of 1991

Kriel & Co maintains records on the categories and subject matters listed below. Please note that recording a category or subject matter in this Manual does not imply that a request for access to such records would be granted. All requests for access will be evaluated on a case-by-case basis in accordance with the provisions of PAIA.  

Please note further that many of the records held by Kriel & Co are those of third parties, such as clients and employees, and Kriel & Co takes the protection of third-party confidential information very seriously. For further information on the grounds of refusal of access to a record please see paragraph 15.2 below. Requests for access to these records will be considered very carefully. Please ensure that requests for such records are carefully motivated.

14.1.    Completion of the prescribed form

Any request for access to a record in terms of PAIA must substantially correspond with Form 2 of Annexure A to Government Notice No. R.757 dated 27 August 2021 2021 promulgated under the PAIA Regulations and should be specific in terms of the record requested.  Please refer to Annexure A.
A request for access to information which does not comply with the formalities as prescribed by PAIA will be returned to you.
POPIA provides that a data subject may, upon proof of identity, request Kriel & Co to confirm, free of charge, all the information it holds about the data subject and may request access to such information, including information about the identity of third parties who have or have had access to such information.

POPIA also provides that where the data subject is required to pay a fee for services provided to him/her, Kriel & Co must provide the data subject with a written estimate of the payable amount before providing the service and may require that the data subject pays a deposit for all or part of the fee.
Grounds for refusal of the data subject’s request are set out in PAIA and are discussed below.

POPIA provides that a data subject may object, at any time, to the processing of personal information by Kriel & Co, on reasonable grounds relating to his/her particular situation, unless legislation provides for such processing. The data subject must complete the prescribed form attached hereto as Annexure E and submit it to the Information Officer at the postal or physical address, facsimile number or electronic mail address set out above. 

A data subject may also request Kriel & Co to correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or destroy or delete a record of personal information about the data subject that Kriel & Co is no longer authorised to retain records in terms of POPIA's retention and restriction of records provisions. 

A data subject that wishes to request a correction or deletion of personal information or the destruction or deletion of a record of personal information must submit a request to the Information Officer at the postal or physical address, facsimile number or electronic mail address set out above on the form attached hereto as Annexure F.

14.2.    Proof of identity

Proof of identity is required to authenticate your identity and the request.  You will, in addition to this prescribed form, be required to submit acceptable proof of identity such as a certified copy of your identity document or other legal forms of identity.

 
There are two categories of fees which are payable:

• The request fee: R100
• The access fee: This is calculated by taking into account reproduction costs, search and preparation costs, as well as postal costs.  These fees are set out in Annexure B.

Section 54 of PAIA entitles Kriel & Co to levy a charge or to request a fee to enable it to recover the cost of processing a request and providing access to records. The fees that may be charged are set out in Annexure B of Government Notice No. R.757 dated 27 August 2021 2021 promulgated under the PAIA Regulations.  Please refer to Annexure D.
Where a decision to grant a request has been taken, the record will not be disclosed until the necessary fees have been paid in full.

15.1.    Timelines for consideration of a request for access

Requests will be processed within 30 (thirty) days, unless the request contains considerations that are of such a nature that an extension of the time limit is needed.
The Information Officer will inform the requester of the decision, and the fees payable (if applicable) on a form that corresponds substantially with Form 3 of Annexure A to Government Notice No. R.757 dated 27 August 2021 promulgated under the PAIA Regulations.
Should an extension be required, you will be notified, together with reasons explaining why the extension is necessary.

15.2.    Grounds for refusal of access and protection of information

There are various grounds upon which a request for access to a record may be refused.  These grounds include:

• the protection of personal information of a third person (who is a natural person) from unreasonable disclosure;
• the protection of commercial information of a third party (for example: trade secrets; financial, commercial, scientific or technical information that may harm the commercial or financial interests of a third party);
• if disclosure would result in the breach of a duty of confidence owed to a third party;
• if disclosure would jeopardise the safety of an individual or prejudice or impair certain property rights of a third person;
• if the record was produced during legal proceedings, unless that legal privilege has been waived;
• if the record contains trade secrets, financial or sensitive information or any information that would put Kriel & Co (at a disadvantage in negotiations or prejudice it in commercial competition); and/or
• if the record contains information about research being carried out or about to be carried out on behalf of a third party or by Kriel & Co.

Section 70 of PAIA contains an overriding provision. Disclosure of a record is compulsory if it would reveal (i) a substantial contravention of, or failure to comply with the law; or (ii) there is an imminent and serious public safety or environmental risk; and (iii) the public interest in the disclosure of the record in question clearly outweighs the harm contemplated by its disclosure.
If the request for access to information affects a third party, then such third party must first be informed within 21 (twenty one) days of receipt of the request.  The third party would then have a further 21 (twenty one) days to make representations and/or submissions regarding the granting of access to the record.

If the Information Officer decides to grant you access to the particular record, such access must be granted within 30 (thirty) days of being informed of the decision.

There is no internal appeal procedure that may be followed after a request to access information has been refused. The decision made by the Information Officer is final. In the event that you are not satisfied with the outcome of the request, you are entitled to apply to the Information Regulator or a court of competent jurisdiction to take the matter further.

Where a third party is affected by the request for access and the Information Officer has decided to grant you access to the record, the third party has 30 (thirty) days in which to appeal the decision in a court of competent jurisdiction.  If no appeal has been lodged by the third party within 30 (thirty) days, you must be granted access to the record.

Copies of this Manual are available for inspection, free of charge, at the offices of Kriel & Co and at the following addresses:

• Cape Town: De Wagenweg Office Park, Stellenbosch.