Editor's Note
Over the past five issues we have covered POPIA's technical requirements, social engineering, the FSCA Joint Standards, the difference between IT support and security, and ransomware. Every one of those topics sits under the umbrella of the same regulator, the Information Regulator of South Africa.

This issue is about a separate but closely related obligation that same regulator enforces. Most of our readers will not know it applies to them. Many will be surprised to find out there is a deadline in three weeks. This is worth reading now.

THE 30 JUNE DEADLINE MOST BUSINESSES HAVE MISSED

A Law Most Businesses Think Does Not Apply to Them

PAIA, the Promotion of Access to Information Act, is one of South Africa's foundational pieces of legislation. Its purpose is straightforward: it gives people the right to request access to records held by organisations, and it places obligations on those organisations to respond properly to those requests.

Most business owners are vaguely aware that PAIA exists. Most assume it mainly applies to government departments. Both of those assumptions are partially correct and substantially wrong.

Previously, certain smaller private entities were exempt from PAIA reporting obligations. That exemption ended on 31 December 2021. Since then, all private bodies, regardless of size or sector, must comply fully with PAIA. If your business holds records - client files, employee information, supplier contracts, financial records - PAIA applies to you.

The Annual Report Obligation

The annual PAIA reporting window is open from 1 April 2026 to 30 June 2026. All public and private bodies are required to submit reports detailing requests for access to records received and processed during the reporting period, covering 1 April 2025 to 31 March 2026.

Although the Information Regulator refers to this process as an invitation, this should not be misunderstood. Submission is mandatory, and the Regulator has made it clear that all organisations are expected to comply.

This requirement applies regardless of how many access to information requests an organisation received during the year, including zero. The submission still needs to be made. Receiving no requests does not remove the obligation to report.

What the Report Requires

The submission is completed online through the Information Regulator's eServices portal. The report requires a tally of requests received between 1 April 2025 and 31 March 2026, the outcome of each request, response time, grounds for any refusals, fees charged, and whether any internal appeals or court reviews were lodged.

Your Information Officer must be registered on the Information Regulator portal before you can submit. Failure to submit triggers compliance assessments, increased POPIA scrutiny, and reputational risk. The same person who carries POPIA responsibility in your organisation, typically the business owner or a designated director, is your Information Officer under PAIA. If they are not yet registered on the portal, that step must happen before the submission can be made.

Treating 20 June 2026 as your internal deadline, rather than 30 June, gives your organisation enough time to correct common issues that delay submission - missing Information Officer registrations, portal access problems, or incomplete reporting data - before the legal window closes.

The PAIA Manual

The annual report is not the only PAIA obligation. Every private body in South Africa is also required to have a PAIA Manual; a document that sets out how members of the public can request access to records your organisation holds.

Many businesses do not realise that missing this submission, or failing to have a PAIA manual in place or registering an Information Officer, can flag them for POPIA non-compliance. This opens the door to penalties, investigations, and reputational damage. The two pieces of legislation are enforced by the same regulator and non-compliance with one creates scrutiny of the other.

The PAIA Manual must be kept current, must be available at your business premises, and should be published on your website where applicable.

What Happens If You Miss It

Missing the PAIA reporting deadline is not an administrative slip. It can trigger inspections, enforcement action, and potential POPIA exposure, with both financial and reputational consequences.

No extensions will be granted once the portal shuts. This is not a situation where a late submission can be quietly corrected. Once 30 June passes, the non-compliance is on record.

The Bottom Line

30 June 2026 is three weeks away. If your organisation has not yet submitted its PAIA Annual Report, has not registered its Information Officer on the portal, or does not have a PAIA Manual in place, these are not items to defer. Aigeus can assist with compiling or updating your PAIA Manual, registering your Information Officer, and submitting your annual report. If you are unsure where to start, get in touch before the window closes.

Aigeus Cyber Briefing

Keep Reading