Understanding the difference is not an academic exercise. It affects what documents your organisation must produce, what processes it must follow, and what penalties it faces for non-compliance. This guide breaks down both Acts clearly and explains what your business needs to do to meet its obligations under each.
The One Thing They Have in Common: The Information Regulator
Both PAIA and POPIA fall under the jurisdiction of the Information Regulator of South Africa, an independent body established in 2016. The Regulator enforces both Acts, can investigate complaints about non-compliance with either, and can issue administrative fines and enforcement notices under both. This shared oversight body is one reason the two Acts are frequently discussed together — and why many organisations address both in a single combined manual.
What is PAIA?
PAIA — the Promotion of Access to Information Act 2 of 2000 — gives effect to the constitutional right of access to information. It creates a framework under which any person can submit a formal request to access records held by a public or private body. The Act is about enabling access to information, not restricting it.
Under PAIA, every private body must:
• Appoint an Information Officer (this is automatic — it is the head of the organisation)
• Compile and publish a PAIA manual describing its records and request procedures
• Respond to formal PAIA requests within 30 days
• Submit an annual PAIA report to the Information Regulator
PAIA's primary audience is the person seeking access to information — a journalist investigating a company, an employee seeking their own employment records, a litigant wanting documents relevant to a dispute. The Act gives them a formal mechanism to compel disclosure.
What is POPIA?
POPIA — the Protection of Personal Information Act 4 of 2013 — came into full effect on 1 July 2021. It regulates how organisations collect, use, store, share, and discard personal information. POPIA is South Africa's equivalent of Europe's GDPR and imposes strict requirements on any entity that processes personal information about people.
Under POPIA, every responsible party (an organisation that determines the purpose and means of processing personal information) must:
• Process personal information lawfully and in accordance with eight conditions of lawful processing
• Appoint an Information Officer and register that officer with the Information Regulator
• Implement appropriate technical and organisational measures to protect personal information
• Notify affected persons and the Information Regulator of data breaches within a reasonable time
• Give data subjects the right to access, correct, and request deletion of their personal information
POPIA's primary audience is the data subject — the individual whose personal information is being processed. The Act gives them rights and imposes obligations on those who hold their data.
The Key Differences at a Glance
The easiest way to distinguish the two Acts is to ask: who is asking for what?
• PAIA: any person asking for access to records held by an organisation
• POPIA: a data subject asking for protection of their personal information held by an organisation
PAIA is about the right to know. POPIA is about the right to privacy.
Other key differences:
• Scope: PAIA applies to both public and private bodies; POPIA applies primarily to private bodies (though public bodies that process personal information must also comply)
• Age: PAIA has been law since 2000; POPIA only came into full effect in 2021
• Enforcement: PAIA criminal penalties can include imprisonment; POPIA administrative fines can reach R10 million per contravention
• Proactive vs reactive: PAIA is largely reactive (triggered by a request); POPIA is proactive (requires ongoing compliance even without a specific request)
How PAIA and POPIA Interact
Despite their differences, PAIA and POPIA intersect in several important ways.
First, POPIA amended PAIA. When POPIA came into effect, it amended several provisions of PAIA — including the requirement for private bodies to register their Information Officers with the Information Regulator (a POPIA requirement that now also applies for PAIA purposes).
Second, a PAIA request can implicate POPIA. If someone submits a PAIA request for records that contain the personal information of third parties, your response must balance the requester's right of access against the third party's right to privacy under POPIA. Access may be refused on privacy grounds under Section 63 of PAIA where disclosure would unreasonably infringe on someone's privacy.
Third, the Information Officer role spans both Acts. The person who is the Information Officer for PAIA purposes is the same person who holds that role under POPIA. The duties are different, but the role is unified.
The Combined PAIA and POPIA Manual
Because the two Acts share a regulator and the Information Officer role, and because both require organisations to be transparent about their information practices, many South African organisations now compile a single combined manual that addresses both.
A combined manual typically includes:
• All eight mandatory elements required by Section 51 of PAIA
• A description of the organisation's personal information processing activities under POPIA
• A statement of data subjects' rights under POPIA
• The procedure for submitting data subject requests (access, correction, deletion)
• The organisation's data breach notification procedure
• Contact details for the Information Officer for both PAIA and POPIA purposes
Preparing a combined manual is not legally required — PAIA and POPIA can be addressed in separate documents — but it is practical, efficient, and increasingly the standard approach adopted by compliance practitioners in South Africa.
Penalties: How They Differ
The penalty frameworks under PAIA and POPIA are meaningfully different.
PAIA Penalties
Non-compliance with PAIA's manual requirements is a criminal offence. An Information Officer who fails to compile or publish a PAIA manual, or who otherwise contravenes the Act, can be convicted of a criminal offence and fined up to approximately R2 million or imprisoned for up to two years.
POPIA Penalties
Non-compliance with POPIA is enforced through administrative fines by the Information Regulator. The maximum fine is R10 million per contravention. For more serious offences — such as intentionally obstructing the Regulator's work or unlawfully processing special personal information — criminal penalties including imprisonment can also apply.
In practice, the Information Regulator has issued significant fines. The Department of Justice was fined R5 million in 2022, and enforcement activity has accelerated considerably through 2025 and 2026 as the Regulator's capacity has grown.
What Does Your Business Actually Need?
For most South African private bodies, the practical compliance checklist looks like this:
• Register your Information Officer with the Information Regulator (required under POPIA, now also standard under PAIA)
• Compile a PAIA manual that meets all Section 51 requirements
• Consider combining your PAIA manual with your POPIA obligations in a single document
• Publish the manual on your website and/or make it available at your offices
• Put in place a procedure for handling PAIA requests (using Form C, within 30 days)
• Put in place a procedure for handling POPIA data subject requests
• Implement appropriate technical and organisational security measures for personal data
• Establish a data breach notification process
• Submit annual PAIA reports to the Information Regulator
Conclusion
PAIA and POPIA are complementary rather than competing. PAIA gives people the right to access information; POPIA gives individuals the right to protect their personal information. Both place compliance obligations on your business, and both are enforced by the Information Regulator with increasing vigour.
The practical starting point for most organisations is the PAIA manual — getting that right lays the foundation for broader information governance compliance. From there, aligning your POPIA obligations and considering a combined manual is a logical and cost-effective next step.
Need a PAIA Manual for Your Business?
Access to Info specialises in generating fully compliant, professionally drafted PAIA manuals for South African businesses of all sizes. Our manuals meet all Section 51 requirements and are ready for immediate use.
Visit www.accesstoinfo.co.za to get your PAIA manual today.