Reviewed by: ITLawCo Access to Information Team
Last updated: 21 November 2025
Jurisdiction: South Africa
PAIA at a glance
- Gives effect to the constitutional right of access to information.
- Applies to public bodies and private bodies.
- Private bodies must grant access where the record is required to exercise or protect a right.
- A valid refusal must rely on a PAIA ground (privacy, confidentiality, privilege, etc.).
- Decisions are due within 30 days.
- The Information Regulator now oversees complaints and enforcement.
What PAIA does (and why it matters)
PAIA gives effect to section 32 of the Constitution by creating a fair, structured process for accessing information held by both public and private bodies.
For organisations, PAIA is not merely a statutory obligation; it’s a reflection of operational maturity, record-keeping integrity, and public accountability. A clear PAIA process reduces disputes, builds trust, and ensures that lawful disclosures happen without compromising privacy, confidentiality, or security.
Who PAIA applies to
Public bodies
Government departments, provincial administrations, municipalities, and any entity exercising a public power or performing a public function.
Private bodies
Companies, close corporations, partnerships, sole proprietors, NGOs, and political parties.
PAIA applies regardless of when a record was created and includes any record held by an employee or contractor in that capacity.
The core test for private-body requests
A requester may access a private body’s record when:
- The request follows PAIA procedure.
- The requester shows the record is required to exercise or protect a right.
- No PAIA ground of refusal applies.
This threshold prevents speculative fishing expeditions but ensures legitimate rights-based requests are processed properly.
The PAIA Manual: your compliance front door
Every private body must maintain a PAIA Manual that includes:
- categories of records you hold;
- contact details for your Information Officer/Deputies;
- how to make a request;
- applicable fees;
- the internal process for considering requests;
- access to other prescribed information.
A strong PAIA Manual is not a tick-box PDF; it shapes how your organisation receives, triages, and responds to requests.
The PAIA request process (private bodies)
- Submission: A requester completes Form 2 and provides enough detail to identify the record and the right involved.
- Acknowledgement & assessment: The Information Officer confirms receipt, checks compliance, and determines fees if applicable.
- Fees: Request fees and access fees (including search, preparation, and copying) may apply.
- Decision within 30 days: Extensions are allowed where searches are complex, large volumes are involved, or third-party notices are required.
- Granting or refusing access: Access may be granted with necessary redactions or refused with reasons and details on escalation.
Timeframes that matter
- 30 days to respond to a request.
- Valid extensions permitted.
- No response in time = deemed refusal, which can be escalated to the Information Regulator or court.
When access may be refused
Refusal must rely on a valid PAIA ground, including:
- personal information of third parties;
- confidential commercial information;
- safety or security risks;
- legal privilege;
- protected research information.
The public-interest override
Even when a refusal ground exists, PAIA may require disclosure if the information reveals:
- serious wrongdoing,
- public-safety or environmental risks, and
- the public interest clearly outweighs harm.
This analysis is delicate: organisations must balance privacy, confidentiality, and transparency with precision.
Remedies and escalation
If a requester disagrees with a decision, they may:
- lodge a complaint with the Information Regulator;
- approach a court;
- (for some public bodies) lodge an internal appeal.
For private bodies, Regulator complaints and litigation are the primary escalation routes.
Common organisational risk points
- Outdated or template-based PAIA manuals.
- Unclear delegation to Deputy Information Officers.
- Missed deadlines leading to deemed refusals.
- Over- or under-redaction of sensitive information.
- Weak record-search evidence.
- Poor alignment between PAIA and POPIA workflows.
A defensible PAIA posture requires legal understanding, sound record-management practices, and well-documented internal processes.
How ITLawCo can help
| Need | What ITLawCo provides | Result |
|---|---|---|
| Build or update your PAIA Manual | Records-based structure, POPIA alignment, and practical guidance | A manual that works operationally |
| End-to-end process design | Workflows, templates, triage criteria, decision trees | Faster, reliable, auditable responses |
| Request support | Assessment, fees guidance, refusal decisions, redaction | Legally defensible outcomes |
| Complex/public-interest requests | Balancing tests, third-party notices, privilege management | Lower dispute and investigation risk |
| Regulator & litigation support | Submissions, investigation response, legal strategy | Clear direction under scrutiny |
| Training | Executive and operational training on PAIA handling | Confident Information Officer capability |
If you’re facing a difficult request or want a review of your PAIA readiness, our team can assist discreetly and efficiently. Contact us today.