PAIA Records: A Guide to What to Include in Your Manual

Table of Contents

 

  1. Introduction: Demystifying "Records" under PAIA

  2. What Exactly Is a "Record"? A Comprehensive Definition

  3. Mandatory PAIA Manual Record Categories: Your Checklist

    • Corporate and Statutory Records

    • Financial and Accounting Records

    • Human Resources and Employment Records

    • Operational and Commercial Records

    • IT and Communications Records

    • Intellectual Property Records

  4. The POPIA-PAIA Link: Personal Information as a Core Record Category

  5. Beyond the Manual: Implementing a Records Classification System

  6. Navigating Access: Grounds for Refusing a Record Request

  7. Your PAIA Records FAQs

  8. Ensure Your Compliance Today


 

1. Introduction: Demystifying "Records" under PAIA

 

For many South African businesses, the task of compiling a PAIA manual can seem like a bureaucratic headache. You've heard you need one, but what exactly are you supposed to put in it? The most critical part of this document is the description of the records your organization holds. This section isn't just a simple list; it's a foundational element of your access-to-information strategy in South Africa.

The Promotion of Access to Information Act (PAIA) gives effect to a constitutional right—the right to access information. For private bodies, this means being transparent about what data and documents you have in your possession. A well-crafted manual helps you fulfill this legal duty by providing a clear and accessible roadmap for anyone who may wish to request information from you. This article will break down what constitutes a "record" for PAIA purposes, detail the mandatory categories you must include, and help you understand how to navigate this key aspect of business records legislation.


 

2. What Exactly Is a "Record"? A Comprehensive Definition

 

The PAIA Act provides a very broad and inclusive definition of a "record," which is any recorded information regardless of its form or medium. This is a crucial point that many businesses misunderstand. A record isn't just a physical file in a cabinet; it can be anything from a digital document to an email, a video, or even a text message.

Key characteristics of a PAIA "record":

  • Any Form or Medium: This includes paper documents, electronic files (PDFs, spreadsheets, Word documents), audio and video recordings, emails, and social media posts. The Information Regulator emphasizes that digital information is a core part of a private body's records.

  • Recorded Information: The information must be "recorded." This means a verbal conversation or an unrecorded thought is not a record. The moment it is written down, typed, or captured in any medium, it becomes a record.

  • In Your Possession or Control: The record does not have to be created by your business. If you are in possession or control of a record created by a third party (for instance, a report from a consultant or an email from a client), it still falls under your PAIA obligations. This is why managing third-party records is an essential part of complying with business records legislation.

Understanding this definition is the first step toward proper PAIA compliance. It forces a shift in mindset from simply thinking about formal documents to considering all the recorded information that your business manages.


 

3. Mandatory PAIA Manual Record Categories: Your Checklist

 

The PAIA Act requires private bodies to provide "a description of the subjects on which the body holds records and the categories of records held on each subject." This requires a structured and logical approach to categorizing your organization's information. The manual should not be a detailed, line-by-line list of every single file you possess. Instead, it should be a high-level overview that is sufficient to guide a requester.

Based on best practices and the guidelines from the Information Regulator, your PAIA manual must, at a minimum, include the following categories. You should expand on these with details specific to your business.

 

Corporate and Statutory Records

 

These are the foundational legal documents that establish and govern your business. They are mandatory for all juristic persons.

  • Examples: Memorandum of Incorporation (MOI), Articles of Association, partnership agreements, trust deeds, minutes of board and shareholder meetings, company registration documents, tax records (including tax returns), and annual financial statements.

 

Financial and Accounting Records

 

This category covers all financial transactions and accounting information. It provides a clear picture of your business's financial activities.

  • Examples: Bank statements, general ledgers, trial balances, invoices and receipts (both issued and received), payroll records, audit reports, and expense reports.

 

Human Resources and Employment Records

 

These are records related to your employees, contractors, and job applicants. Given the sensitivity of personal information, this is a critical section to get right.

  • Examples: Employee personal files (including identity documents, addresses, and next-of-kin details), employment contracts, performance reviews, disciplinary records, leave records, and provident fund or pension fund information.

 

Operational and Commercial Records

 

This is a broad category that covers the day-to-day functioning of your business and its commercial relationships.

  • Examples:

    • Sales and Marketing: Customer lists, sales agreements, marketing strategies, advertising materials, and promotional campaigns.

    • Procurement: Supplier contracts, vendor information, procurement policies, and purchase orders.

    • Client Management: Client files, correspondence with clients, project proposals, and service agreements.

    • General Administration: Internal policies and procedures (e.g., code of conduct, health and safety policies), correspondence with regulatory bodies, and internal reports.

 

IT and Communications Records

 

In the digital age, this is a rapidly growing and crucial category. It encompasses all digital and electronic information.

  • Examples: Website content, system logs, data backup records, information security policies, user access logs, and electronic communication records like emails and instant messages.

 

Intellectual Property Records

 

This category includes records that protect your business's unique creations and competitive advantage.

  • Examples: Patents, trademarks, copyright materials, trade secrets, confidential agreements, and licenses.

A well-structured private body manual is a single document that addresses both PAIA and POPIA, serving as a fundamental pillar of your overall information compliance strategy.


 

4. The POPIA-PAIA Link: Personal Information as a Core Record Category

 

The modern PAIA manual cannot be created in isolation. It must be read in conjunction with the Protection of Personal Information Act (POPIA). PAIA now mandates that your manual include specific details about your processing of personal information. This is a critical link that all businesses must understand.

Your PAIA manual must include a description of:

  • The purpose for which you process personal information.

  • The categories of data subjects (e.g., employees, customers, suppliers) and the types of personal information you process for each.

  • The recipients to whom personal information may be supplied.

  • Planned trans-border flows of personal information (i.e., if you send data to other countries).

  • A general description of your information security measures.

This integration means your manual is no longer just a list of records; it is also a foundational part of your POPIA compliance framework, ensuring that individuals know how to request their personal information from you.


 

5. Beyond the Manual: Implementing a Records Classification System

 

Simply listing your PAIA records is not enough. To truly be compliant and efficient, you should have a clear records classification and management system in place. A good system allows you to:

  • Locate records quickly: When a request for access is made, you must be able to find the requested record within 30 days. Without a system, this can be an impossible task.

  • Identify confidential information: It helps you easily identify records that may contain legally protected information, such as trade secrets or personal information of a third party, and which may be subject to a refusal of access under PAIA.

  • Manage records throughout their lifecycle: From creation to destruction, a system ensures records are handled consistently and securely, minimizing the risk of a data breach.

A compliant PAIA manual is a reflection of a well-managed internal records system. It demonstrates that your business takes its legal obligations seriously and is committed to transparency.


 

6. Navigating Access: Grounds for Refusing a Record Request

 

It's a common misconception that a PAIA request means you have to hand over every single document. The Act provides specific grounds for refusing access to a record. These grounds exist to protect sensitive information, such as:

  • The privacy of a third party's personal information.

  • Confidential commercial information that, if disclosed, could cause harm to your business. This includes trade secrets and financial information.

  • Legal professional privilege, such as confidential communications between you and your legal representative.

  • The safety of individuals or property.

Your PAIA manual should explicitly mention these grounds for refusal, providing a clear explanation of when and why you may deny a request. This ensures that while you are transparent about the records you hold, you are also protecting your legitimate business interests and the privacy of others.


 

7. Your PAIA Records FAQs

 

Q1: What is the difference between "records" and "information" under PAIA?

A: Under PAIA, a "record" is the physical or electronic manifestation of information. For example, the information is "sales data," while the record is the "Q3 Sales Report spreadsheet."

Q2: Do I need to list every single email in my PAIA manual?

A: No, you do not. The Act requires a description of categories of records. You would list "email correspondence" as a category, not every individual email.

Q3: What happens if I fail to list a certain record category in my manual?

A: Failing to provide a complete and accurate description of your records could be considered a contravention of the Act, which may lead to penalties. It also makes it difficult to manage and respond to requests, increasing your risk of a complaint.

Q4: Is a PAIA manual a static document?

A: No. Your manual should be a living document that you update regularly to reflect changes in your business, the types of records you hold, and any new legislative requirements.

Q5: What about records that are already publicly available?

A: Your manual should contain a separate section detailing records that are available without a formal PAIA request (e.g., on your website). This simplifies the process for both your business and the requester.

Q6: Does a PAIA request mean I have to give away my trade secrets?

A: No. The Act provides specific grounds for refusing a request, including the protection of trade secrets and other confidential commercial information.

Q7: Can I refuse a PAIA request if the record contains a third party's personal information?

A: Yes, the protection of a third party's privacy is a mandatory ground for refusal. However, you must first check if the third party has consented or if the information is already public.