A call to action for the Information Regulator

Posted in Blog


In 2016 the Information Regulator was established in South Africa with the dual mandate of ensuring access to information and protecting personal information for all citizens.

Since it has been established it has appointed five members to the board and set up its offices. However there has been little further action in the past year.

The public must now ask what are the reasons for these continued delays and for how much longer must we continue to wait?

The PAIA Act was written in 2000 and POPI Act passed in 2013 but we are still waiting for the commencement date for these Acts to be proclaimed by the President. This year will have been waiting for PAIA for almost 18 years. And with the European Union’s GDPR regulations coming into effect on the 25 May 2018, POPI can no longer be kept on the back-burner.

Action needs to be taken. It is time for the Information Regulator to fulfil its duties to the citizens of South Africa and start holding companies and organisations accountable to the PAIA and POPI Acts.

In a fair and democratic society the PAIA Act is a vital piece of legislation to facilitate access to information in order to increase the transparency of governmental bodies and public enterprises and to hold them accountable to the people.

As we move further into the 21st Century, cyber-security and threats to personal data are going to continue to be one of the most pressing concerns of people and governments.

Improving citizens’ data security, educating the public about data security and protecting people’s personal information is of paramount importance in modern society.

It is time for the Information Regulator to start encouraging swift and sustainable action in this regard.

As this issue becomes ever more pressing here are 20 questions we as citizens of South Africa want answered by the Information Regulator:

  1. How do I find out which companies have access to my personal data?
  2. How do I find out if my personal data has been compromised?
  3. How do I report a company that I think is abusing my personal information?
  4. What rights do I have with regards to protecting my personal data?
  5. Can I ask companies to tell me how much of my personal data they have?
  6. Can I ask businesses to remove my personal data from their systems?
  7. Do I have a right to claim compensation from companies who abuse my personal data?
  8. What rights do I have with regards to getting information about the purposes for which my personal data will be processed?
  9. Do I have the right to restrict or object to the processing of my personal data?
  10. Do I have the right to object the processing of my personal data for direct marketing purposes?
  11. Will the Information Regulator set-up a complaints channel for people to report data violations?
  12. How do citizens know if organisations are PAIA and POPI compliant?
  13. How will the Information Regulator ensure that companies communicate transparently with people about the processing of their personal data?
  14. How will the POPI Act be regulated and enforced once it is signed into legislation?
  15. What authorisation process is in place to ensure responsible parties can process personal information?
  16. What is the process for gaining access to information from Public and State Owned Enterprises?
  17. What are the criteria for requesting access to information from Public and State Owned Enterprises?
  18. How do we encourage sharing of public information for greater transparency and accountability from Public and State Owned Enterprises?
  19. What is the process for registering an Information Officer with the Information Regulator?
  20. How will the Information Regulator enable compliance with other regulatory bodies, for example the GDPR?

What you need to know about the Information Regulator

Posted in Blog


Every day we log in to multiple devices and share our personal information with a multitude of apps, online businesses and service providers. Do you ever think about how much of your personal information is online and where it is being stored? What do companies know about you and how safely are they keeping all your personal information? Can you recall how many services and companies you have given your ID number or credit card details too in order to secure a payment or verify your account? What about your personal address details? In a recent article on Bizcommunity it was noted that data is the biggest trend for 2018 and companies will pay top dollar for consumer data and insights. In a digital world, as we share more and more of our personal data every day, the question of how this data is collected, shared and stored is one of ever increasing concern that needs to be taken seriously.

But perhaps even more importantly, is the question of who monitors the collection and safe and just use of all our personal data?

In 2016 the Information Regulator was set-up in order to establish a governing body in South Africa that would be responsible for regulating the use of consumer data and holding companies to account for that data’s safe storage and protection. Since its establishment it has appointed five members including chairperson Pansy Tlakula, but we have not seen any substantial further action from this body. This government body is key to each and every one of our lives – so why have we heard so little about it?

Introduction to the Information Regulator

The Information Regulator is an independent body that has been established with the dual mandate of;
(1) Promoting access to information in line with the Promotion of Access to Information Act, 2000 (Act 2 of 2000) (PAIA) and
(2) Monitoring and enforcing compliance by public and private bodies of the Protection of Personal Information Act, 2013 (Act 4 of 2013) (POPI).

The Information Regulator was established in terms of Section 39 of the Protection of Personal Information Act 4 of 2013. It is subject only to the law and the constitution and it is accountable to the National Assembly.

The Information Regulator was established in December 2016 and the current members of the Information Regulator are Chairperson Pansy Tlakula (Adv), Adv Lebogang Stroom-Nzama, Adv Collen Weapond, Prof Tana Pistorius and Mr Sizwe Snail ka Mtuze.

The creation of this body means that the public can now approach the Information Regulator to address the following:

1. The facilitation of access to information
2. Protection of information and personal data
3. Reporting on misuse of data

However, the law that creates the Information Regulator is not yet in operation. They have yet to appoint staff, after being in operation for a year.

What could the information regulator do?

The Information Regulator has a dual mandate of ensuring access to information and protecting personal information. As part of this role, it is the Regulator’s responsibility to ensure that data is protected and that personal information is held and secured by responsible parties.

The Information Regulator can also hold responsible parties accountable for not complying with the PAIA or POPI Acts.
The Information Regulator’s responsibilities include:

  • The responsibilities as outlined in Part 4 and 5 of the Promotion of Access to Information Act (PAIA)
  • Monitoring and enforcing POPI compliance by public and private bodies
  • Handling complaints by data subjects in line with POPI
  • Ensuring compliance with the conditions for processing information
  • Ensuring the personal information is processed lawfully by responsible parties
  • Educating responsible parties on the conditions for lawful processing of personal information

Find out more about the Powers, Functions and duties of the Information Regulator here: http://www.justice.gov.za/inforeg/about.html

For some time ODAC have been promoting the use of the Promotion of Access to Information Act 2 of 2000 (PAIA). We have accomplished some great successes with PAIA in not only encouraging the public to use the Act but also using it ourselves in the strategic pursuit of transparency. In the 2012 reporting period, the PAIA Civil Society Network (of which ODAC is an active member) noted that only 16% of requests resulted in the release of requested information, and more disturbingly, 54% of requests simply remained unanswered. As the Information Regulator is now responsible for upholding the PAIA Act it is our hope that this will allow for more freedom of information and greater transparency as clearer processes are put in place to facilitate the sharing of information under the Act.

Why is the Information Regulator important?

The Information Regulator reports to Parliament and has extensive powers to regulate and enforce both the Promotion of Access to Information (PAIA) and the Protection of Personal Information (POPI) Acts. The Information Regulator can also investigate and fine any parties who violate the PAIA or POPI regulations. Under POPI businesses and bodies will be responsible for the protection of the personal and consumer data they gather and will not be allowed to sell consumer data without consent.   Under this law companies could be fined up to R10 million and Directors of companies found to be in violation of the laws could face prosecution and jail terms.

As recently as October 2017 there was a massive data breach reported in which 30 million South African's personal information was compromised, including their names, addresses, ID numbers, genders, ethnicities and email addresses. The breach was blamed on insufficient security measures and is a stark wake-up call that we should all be questioning what measures companies have in place to protect our personal data.

This is one of the numerous data hacks which have occurred over the last few years. Do you know if your personal data has been compromised? If you would like to you, can test and see if your personal information has been compromised here: https://www.thisisme.com/

Under the POPI Act the Information Regulator should be enforcing stricter security measures to prevent these types of breaches and holding those companies who are responsible for security negligence to account.

The Regulator’s appointment promised a new dawn in access to information and protection of privacy in South Africa. However, so far the Regulator has not received sufficient support from the state to ensure its operation. The five members of the Commission are drawing salaries without enough support staff or their own offices to allow them to function. As there is currently no legislation in action they are effectively bound hand and foot.

Questions for the Information Regulator

With the concerns about data security increasing daily here are some urgent questions that need to be asked and answered by the Information Regulator.

1. How will the POPI Act be regulated and enforced once it is signed into legislation?
2. What authorisation process is in place to ensure responsible parties can process personal information?
3. If there is no authorisation process is place, what is the time frame to have this process established?
4. The law according to PAIA automatically designates a person in each organisation as the Information Officer. What is the process for registering an Information Officer with the Information Regulator?
5. How will the Information Regulator enable compliance with other regulatory bodies, for example the GDPR?


Of further concern is the European Union’s passing of the General Data Protection Regulation (GDPR). The European Union (EU), which governs how countries within the EU such as France, Germany, and Italy interact with each other and the rest of the world, has developed a set of rules to protect the personal information of all residents of the European Union called the General Data Protection Regulation (GDPR).

The GDPR replaces the Data Protection Directive and is set to become the ‘gold standard’ for data privacy regulation globally. Under the GDPR, individuals will have expanded rights over their data including; the right to access, the right to be forgotten, the right to data portability, the right to be informed, the right to restrict processing, the right to object and the right to be notified. The rights outlined in the GDPR mean that the conditions for obtaining consent to use personal information are stricter and organisations will have to prove that consent was given before using individual’s personal data. The security of personal data will also become stricter and businesses will need to put adequate security measures in place to guard against data breaches as well as take quick action to notify individuals and authorities if any data breaches occur. In addition it will be imperative that organisations establish procedures for handling personal data to comply with GDPR rights and regulations.

The GDPR enforcement date is 25 May 2018. The EU has stated that any organisations who are not in compliance with the GDPR will face heavy fines. This can have important implications for companies in South Africa who work with EU customers’ personal data as any company that handles personal data from EU citizens will need to comply with the GDPR whether they are situated in the EU or not. Even non-EU established organizations will be subject to GDPR. If a business offers goods or services to citizens in the European Union, then it will be subject to GDPR.

It is also thought that the GDPR will conduct an adequacy assessment of all companies with customers in the European Union. The question of adequacy will be linked to the role of the Information Regulator and the legislation that South Africa has in place with regards to data protection. This makes the POPI Act legislation even more relevant to South African businesses. Will the EU and the GDPR find South African companies adequate if there is no legislation in place to protect personal data?

We as citizens of South Africa need to start holding our government and the Information Regulator in particular accountable for our data security.

How do you contact the Information Regulator?

You can email the Information Regulator with your query at This email address is being protected from spambots. You need JavaScript enabled to view it. or call them on 012 406 4818.
Visit their website for more details: http://www.justice.gov.za/inforeg/contact.html
If you have a question or comment about PAIA or POPI that you would like the Information Regulator to address we suggest you write a formal letter to the Office of the Information Regulator for the attention of Chairperson Pansy Tlakula.

For more information on PAIA and POPI:

PAIA: Promotion of Access to Information Act, 2000 (Act 2 of 2000):

POPI: Protection of Personal Information Act 4 of 2013:

ODAC have put together a guide to assist organisations in engaging with PAIA. Our hope is that as more departments are forced to engage with PAIA though requests, they will be more likely to implement systems to deal with PAIA requests which will lead to more effective and responsive behaviour.


Creating A Culture Of Supporting Whistleblowing

Posted in Blog

Do people feel safe to speak up? Is our leadership supportive of our vision of a fair and open society? These questions cut to the core of our prime cause: creating the ideal environment for exposing and managing harmful actions – and protecting those who are brave enough to step forward against these actions. 

Culture of whistleblowing


Your Safety Is Our Priority 

Though it is true that many are discouraged from uttering the first word against unlawful and dangerous actions for fear of being victimised, whistleblowing remains a key means of exposing flaws in the system. The more issues are brought to light, the easier it becomes to identify patterns and pockets of corruption, and then doctor them accordingly.

 The Protected Disclosures Act (PDA) exists to shield whistleblowers from any kind of victimisation, from discrimination to unfair dismissal. We are proud of the fact that the recent positive amendments to the PDA are, in part, the result of over 15 years of advocacy by ODAC.

We have been working tirelessly for many years to fight the stigmas around reporting wrongdoing by providing individuals and organisations with access to the right information, and advocating for best practices. 

The second edition of The Code of Good Practice, our easy-to-follow guide to whistleblowing best practices, includes these new amendments, and covers everything one would need to know in order to safely disclose information, what to consider prior to disclosure, and which steps to take in your pursuit of justice.

 Click here to download The Code of Good Practice for free.

Keeping Whistleblowers Safe In The Workplace

Establishing a safe environment for whistleblowing within an organisation gives rise to many benefits. These include nurturing an open workplace culture that naturally rules out wrongdoing, contributing to effectively handling reported incidents, and improving company performance through learning and honest dialogue. This, however, begins with implementing a detailed and considered whistleblowing policy.

A good employer should always ensure that their employees know which whistleblowing policies have been put in place, and that they are protected by the PDA, and supported by the organisation.

Get In Touch To Drive Change From Within

If you would like to ensure that your company has solid whistleblowing mechanisms in place, or require guidance for making disclosure, please contact ODAC.

Whistleblower Helpline:  0800 52 53 52 (toll-free)

Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

State of Access to Information in Africa 2017

Posted in Blog

ODAC are exceptionally excited to launch our latest research on the state of access to information in Africa.

In 2016 UNESCO officially adopted 28 September as the International Day for Universal Access to Information. The Day was adopted after intense lobbying by ODAC and the other members of the African Platform on Access to Information Working Group. To mark the Day in 2017, and to reflect on developments in the state of access to information in Africa, this study has been launched as a development on a 2014 study done on a similar methodology.

And some of the results are fascinating. The study covers twelve countries: Cote d'Ivoire, Kenya, Madagascar, Malawi, Mozambique, Namibia, Niger, Nigeria, South Africa, Tanzania, Uganda and Zimbabwe. Using the African Model Law we were able to develop a methodology for reviewing access to information laws. South Africa's law for instance received a reasonable 78%, which is unsurprising given how it has traditionally been lauded as a strong law. However, Malawi's new law received a 77%. It is worth noting then that – except for South Africa – the top three scoring African laws (Malawi, Kenya and Tanzania) all come into being after the AU Model Law, with the bottom four scoring laws (Niger, Nigeria, Uganda and Zimbabwe) all coming into being prior to the AU Model Law being drafted.

And, as we know, the strength of a law is not enough to ensure that access to information is a reality. The existence of an ATI law is a necessary, but insufficient, step for ensuring a positive access to information environment. Problems with the implementation of ATI laws often cited a lack of awareness of the laws, and weak political will for implementation, as key inhibitors. Both of these factors highlight the important role ATI activists must play in developing the positive discourse around ATI to both encourage users, as well as bureaucratic and administrative actors.

There is also generally a very weak implementation of proactive disclosure, and low levels of utilisation of Internet and Communication Technologies (ICTs) to facilitate access. Both of these indicators make the reality of open government data, in particular, a problematic area on the continent. Proactive disclosure and open data are vital avenues for access – particularly when we consider the non-existence or weakness of laws, coupled with discriminatory access practices.

A further identified trend is that not a single country cited a practice in the domestic contexts that demonstrated a presumption of openness. While some countries have laws, which provide such a presumption – practice does not correspond with this obligation.

So, how best might you be able to use this report?

  • Each country comes with a one page summary for easy circulation.
  • Each country also has a slightly longer detailed analysis.
  • The report as a whole can be read as a snapshot of the access to information environment.
  • There is also some trends analysis over the twelve countries considered together.

You can download the report here.

An example of the South African summary can be seen below: