Who must comply — every “private body”
PAIA gives effect to the constitutional right of access to information. It binds public bodies (government) and, importantly for business, every “private body” — a term defined so broadly that it captures essentially every business in the country.
“‘private body’ means— (a) a natural person who carries or has carried on any trade, business or profession, but only in such capacity; (b) a partnership which carries or has carried on any trade, business or profession; (c) any former or existing juristic person; or (d) a political party, but excludes a public body…”
So a one-person consultancy, a family trust that trades, a close corporation and a listed company are all “private bodies” with the same baseline duty: a PAIA manual.
The small-business exemption is gone
For years, the Minister of Justice exempted certain smaller private bodies (by sector, headcount and turnover) from the manual requirement. That exemption was extended several times and then allowed to lapse on 31 December 2021. Since 1 January 2022 there is no size or sector exemption: every private body must have a manual. This is the single change that brought thousands of ordinary SMEs into scope — many still do not realise it.
What the section 51 manual must contain
Section 51 sets out the contents of a private body’s manual. Since POPIA amended PAIA, the manual now has three limbs — general contact details, PAIA access information, and a POPIA-processing description — so a modern PAIA manual is effectively a combined PAIA-and-POPIA document.
“The head of a private body must make a manual available in terms of subsection (3) containing— (a) in general— (i) the postal and street address, phone and fax number and, if available, electronic mail address of the head of the body; and (ii) such other information as may be prescribed; (b) insofar as this Act is concerned— (i) a description of the guide referred to in section 10…; (ii) the latest notice in terms of section 52(2)…; (iii) a description of the records of the body which are available in accordance with any other legislation; and (iv) sufficient detail to facilitate a request for access to a record of the body…; (c) insofar as the Protection of Personal Information Act, 2013, is concerned— (i) the purpose of the processing; (ii) a description of the categories of data subjects…; (iii) the recipients…; (iv) planned transborder flows of personal information; and (v) a general description allowing a preliminary assessment of the suitability of the information security measures…”
The Information Regulator publishes a model manual template that maps onto these requirements — a sound starting point, but the manual must be tailored to what your business actually does and holds.
Making the manual available
A manual sitting in a drawer does not satisfy the Act. Section 51(3) sets out four channels through which it must be available.
“The manual referred to in subsection (1), or the updated version thereof… must be made available— (a) on the web site, if any, of the private body; (b) at the principal place of business of the private body for public inspection during normal business hours; (c) to any person upon request and upon the payment of a reasonable amount; and (d) to the Information Regulator upon request.”
If you have a website, the manual belongs on it. The head of the body must also update it on a regular basis (section 51(2)).
The “head” and the POPIA Information Officer
PAIA makes the “head” of a private body responsible — for a company, the chief executive officer or equivalent (or a duly authorised person). That is the same individual who is the Information Officer under POPIA section 55, and who must be registered with the Information Regulator before taking up those duties. PAIA and POPIA share one regulator (the Information Regulator) and, in practice, one responsible person — which is why the two are handled together. See the POPIA hub for the data-protection side.
The annual report to the Regulator
Here the Act draws a distinction that is widely misstated. PAIA compels an annual report only from public bodies, under section 32. For private bodies, the statutory basis is section 83(4), which is framed permissively:
“For the purpose of the annual report referred to in section 84 and if so requested by the Information Regulator, the head of a private body may furnish to that Commission information about requests for access to records of the body.”
The Information Regulator has activated that section by requesting annual PAIA reports from all private bodies and building an eServices portal through which they are submitted. So the accurate position is: public bodies must report under section 32; private bodies are required by the Regulator to report under section 83(4). The portal opens on 1 April and closes on 30 June each year, covering the prior 1 April–31 March cycle, and the Regulator does not grant extensions.
Penalties for non-compliance
PAIA creates a criminal offence for a head of a private body who fails to comply with the manual requirement — but only where the failure is wilful or grossly negligent.
“A head of a private body who wilfully or in a grossly negligent manner fails to comply with the provisions of section 51 commits an offence and is liable on conviction to a fine, or to imprisonment for a period not exceeding two years.”
The realistic exposure is not jail for a missing manual — the threshold is wilfulness or gross negligence — but regulatory attention, enforcement and reputational harm. (The R10 million administrative-fine regime that people associate with the Information Regulator lives in POPIA, a different Act, and applies to data-protection breaches, not PAIA manual failures.) Getting it right is inexpensive: a tailored manual on your website, the right person registered as Information Officer, and the annual report filed before 30 June.