PAIA Manual
Published in terms of Section 51 (Private Bodies) of the Promotion of Access to Information Act 2 of 2000 (PAIA)
As amended by the Protection of Personal Information Act 4 of 2013 (POPIA)
Introduction
Who Owns Whom (the “Company”) conducts business as an independent research organisation. Our niche research focus is the provision of holistic, industry-focused business information on the African continent.
We offer factual perspectives on the environments within which businesses operate. This encompasses an overview of the industry in terms of its value chain and geographic positioning, size, state, influencing factors, competition, SWOT, industry associations, governing and service bodies, as well as entities operating within the industry, including ownership and corporate structures, directors/management, African footprint, M&A, BEE, etc.
The Company’s research is used in the disciplines of procurement, state developmental and regulatory agencies, compliance, strategy, risk, Know Your Customer (KYC), corporate marketing intelligence, private equity, corporate finance and management consultancies.
The main drivers of the Company’s research are industry research requests from clients and updates to industries pertinent at the time. This process includes researching and updating entities operating within these industries and providing them with a verification opportunity.
This Promotion of Access to Information Manual (“Manual”) provides an outline of the types of records and personal information the Company holds, and explains how to submit requests for access to these records in terms of the Promotion of Access to Information Act 2 of 2000 (“PAIA Act”). In addition, it explains how to access, or object to, personal information held by the Company, or request correction of the personal information, in terms of paragraphs 23 and 24 of the Protection of Personal Information Act 4 of 2013 (“POPI Act”).
The PAIA and POPI Acts give effect to everyone’s constitutional right of access to information held by private sector or public bodies, if the record or personal information is required for the exercise or protection of any rights. If a public body lodges a request, the public body must be acting in the public interest.
Requests shall be made in accordance with the prescribed procedures, at the rates provided. The forms and tariff are dealt with in section 5.
Availability of this PAIA Manual
This manual may be published on the Company’s website at https://www.whoownswhom.co.za or alternatively, a copy can be requested from the Information Officer (see contact details in section 2).
Availability of guides to the PAIA and POPI Acts
Guides to the PAIA and POPI Acts can be obtained and queries directed to:
Information Regulator
P.O. Box 31533, Braamfontein, Johannesburg, 2017
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Fax number: (086) 500 3351
Website: https://www.justice.gov.za/inforeg/
E-mail: inforeg@justice.gov.za
Purpose of PAIA Manual
This PAIA Manual is useful for the public to-
- check the categories of records held by a body which are available without a person having to submit a formal PAIA request;
- have a sufficient understanding of how to make a request for access to a record of the body, by providing a description of the subjects on which the body holds records and the categories of records held on each subject;
- know the description of the records of the body which are available in accordance with any other legislation;
- access all the relevant contact details of the Information Officer and Deputy Information Officer who will assist the public with the records they intend to access;
- know the description of the guide on how to use PAIA, as updated by the Regulator and how to obtain access to it;
- know if the body will process personal information, the purpose of processing of personal information and the description of the categories of data subjects and of the information or categories of information relating thereto;
- know the description of the categories of data subjects and of the information or categories of information relating thereto;
- know the recipients or categories of recipients to whom the personal information may be supplied;
- know if the body has planned to transfer or process personal information outside the Republic of South Africa and the recipients or categories of recipients to whom the personal information may be supplied; and
- know whether the body has appropriate security measures to ensure the confidentiality, integrity and availability of the personal information which is to be processed.
Company Contact Details
Company contact details in terms of PAIA section 51:
Who Owns Whom
70 2nd Avenue, Newton Park, Gqeberha, 6045
Telephone number: +27 41 394 0600
Website: https://www.whoownswhom.co.za
E-mail Address: compliance@whoownswhom.co.za
Duly authorised persons:
Information Officer
Name: Andrew McGregor
E-mail Address: andrewm@wow.joburg
Deputy Information Officer
Name: Sandy Kerkhove
E-mail Address: sandyk@whoownswhom.co.za
Company Records
Company Records Availability
Category | Subject | Classification No. |
---|---|---|
Client | Client Records | 4, 5 |
Communications/Public Affairs | Public Corporate Records | 1 |
 | Media Releases | 1 |
Facilities | Physical Security Records (Visitors, Suppliers, Contractors, Employees) | 4, 5 |
 | Electronic Access & Identity Management Records (Employees, Contractors) | 4, 5 |
 | Time and Attendance Records | 4, 5 |
 | Complaints and Investigations Records | 4, 5 |
Finance | Audited Financial Statements | 1 |
Health, Safety and Environmental | Environmental Policy | 11 |
 | Environmental Records | 11 |
 | Health and Safety Records (Employees, Contractors) | 4, 5 |
Human Resources | Employee Records | 4, 5 |
 | Employment Contracts | 4, 5 |
 | Personnel Guidelines, Policies and Procedures | 3 |
 | Employee Medical Records | 5 |
 | Employee Disability Insurance Records | 4, 5 |
 | Employee Pension and Provident Fund Records | 4, 5 |
 | Payroll Records | 4, 5 |
 | Recruitment Records | 4, 5 |
 | Beneficiary details | 4, 5 |
 | Employee banking details | 4, 5 |
 | Employee photographs | 4, 5 |
 | Tax Records (Company & Employees) | 4 |
 | Asset Register | 2 |
 | Supplier Records | 4, 5 |
 | Management Accounts | 5 |
 | General Contract Documentation | 4, 5 |
 | Medical Aid | 4, 5 |
 | Suppliers & Researchers | 4, 5 |
 | Directors Details | 4, 5 |
Information Technology | Processing, Testing and Development Records | 4, 5 |
Legal and Compliance | Company Guidelines, Policies and Procedures | 3 |
 | Intellectual Property Records | 4 |
 | Employee, customer and supplier information | 4, 5 |
 | Immovable Property Records | 3 |
 | Statutory Records | 4 |
 | Market Information | 1 |
Production / Logistics | Production Records | 12 |
 | Juristic entities referenced in Company’s database – including entity and director/management information, and entity contact details. | 13 |
Sales and Marketing | Product Brochures | 1 |
 | Performance Records | 12 |
 | Product Sales Records | 1 |
 | Marketing and Future Product Strategies | 12 |
 | Customer Information and Database | 4, 5, 12 |
 | Social media database | 4, 5, 12 |
 | Quality Records | 12 |
Company Record Classification Key
Classification No. | Access | Classification [PAIA section] |
---|---|---|
1 | May be Disclosed | Public Access Document |
2 | May not be Disclosed | Request after commencement of criminal or civil proceedings [s7] |
3 | May be Disclosed | Subject to copyright |
4 | Limited Disclosure | Personal Information of natural persons that belongs to the requester of that information, or personal information of juristic persons represented by the requestor of that information [s61] |
5 | May not be Disclosed | Unreasonable disclosure of personal information of a Natural Person [s63(1)] or Juristic Person [POPI] |
6 | May not be Disclosed | Likely to harm the commercial or financial interests of third party [s64(a)(b)] |
7 | May not be Disclosed | Likely to harm the Company or third party in contract or other negotiations [s64(c)] |
8 | May not be Disclosed | Would breach a duty of confidence owed to a third party in terms of an Agreement [s65] |
9 | May not be Disclosed | Likely to compromise the safety of individuals or protection of property [s66] |
10 | May not be Disclosed | Legally privileged document [s67] |
11 | May not be Refused | Environmental testing / investigation which reveals public safety / environmental risks [s64(2); s68(2)] |
12 | May not be Disclosed | Commercial information of Private Body [s68] |
13 | May not be Disclosed | Likely to prejudice research and development information of the Company or a third party [s69] |
14 | May not be Refused | Disclosure in public interest [s70] |
Processing of personal information
Who Owns Whom takes the privacy and protection of personal information very seriously and will only process personal information in accordance with the current South African privacy legislation and other legislation applicable to its business. Accordingly, the relevant personal information privacy principles relating to the processing thereof (including, but not limited to, the collection, handling, transfer, sharing, correction, storage, archiving and deletion) will be applied to any personal information processed by Who Owns Whom.
The purpose of processing of personal information by Who Owns Whom
We process personal information for a variety of purposes, including but not limited to the following:
- to provide or manage any information and services requested by data subjects;
- to provide industry and associated juristic entity research obtained from the public domain or volunteered by juristic entities for the purposes of our research services to major local and multinational companies, state corporations and agencies, and international trade agencies for the legitimate interests of trade, investment and procurement, and also to provide an independent verification source for supplier onboarding by customers for FICA and KYC purposes, as required by the FIC Act;
- to help us identify data subjects when they contact Who Owns Whom;
- to maintain client / customer records;
- for recruitment purposes;
- for employment purposes;
- for travel purposes;
- for general administration, financial and tax purposes;
- for legal or contractual purposes;
- for health and safety purposes;
- to monitor access, secure and manage our premises and facilities;
- to transact with our suppliers and business partners;
- to help us improve the quality of our products and services;
- to help us detect and prevent fraud and money laundering;
- to help us recover debts;
- to carry out analysis and customer profiling; and
- to identify other products and services which might be of interest to data subjects and to inform them about our products and services.
Categories of data subjects and personal information processed by Who Owns Whom
Categories of data subjects and personal information processed by Who Owns Whom include the following:
Categories of Data Subjects | Personal Information processed |
---|---|
Customers and potential customers | Customer personal information |
 | Customer contracts, and warranties |
 | Customer location information |
Business partners | Partner personal information |
 | Personal information of partner employees |
Employees | Employee Disability Information |
 | Employee Pension and Provident Fund Information |
 | Employee Contracts |
 | Employee beneficiary records |
 | Employee Performance Records |
 | Payroll Records |
 | Electronic Access Records |
 | Physical Access Records |
 | Surveillance Records |
 | Health & Safety Records |
 | Training Records |
 | Employment History Records |
 | Time & Attendance Records |
 | Employee Photographs |
Job Applicants | Curriculum Vitae & Application Forms |
 | Criminal Checks |
 | Background Checks |
Suppliers | Supplier personal information |
 | Personal information of supplier representatives |
 | Surveillance Records |
Juristic entities | Information relating to juristic entities obtained from public record or volunteered by the entity for the purposes of providing our niche research services which focus on 300 of the most active African industries, including profiles of the notable players. The latter, depending on the entity type, may include statutory and Black Economic Empowerment (BEE) information, directors and management, ownership/corporate structure, African footprint, professionals, M & A and FDI activity, entity reports and published financials as well as industry sectors. |
Recipients or categories of recipients with whom personal information is shared
We may share the personal information of our data subjects for any of the purposes outlined in Section 5.1, with the following:
- our other Who Owns Whom partners in other countries;
- our authorised Who Owns Whom Divisions;
- our service providers and agents who perform services on our behalf; and
- authorised subscribers of our research services, who receive industry and associated juristic entity research obtained from the public domain or volunteered by the juristic entities for the purposes of our research services.
We do not share the personal information of our data subjects with any third parties, except if:
- we are obliged to provide such information for legal or regulatory purposes;
- we are required to do so for purposes of existing or future legal proceedings;
- we are selling one or more of our businesses to someone to whom we may transfer our rights under any customer agreement we have with you;
- we are involved in the prevention of fraud, loss, bribery or corruption;
- they perform services and process personal information on our behalf;
- this is required to provide or manage any information, products and/or services to data subjects; or
- this is needed to help us improve the quality of our products and services.
We will send our data subjects notifications or communications if we are obliged by law, or in terms of our contractual relationship with them.
We will only disclose personal information to government authorities if we are required to do so by law.
Who Owns Whom employees, our service providers’ employees and our suppliers, are required to adhere to data privacy and confidentiality principles and to attend data privacy training.
Information security measures to protect personal information
Reasonable technical and organisational measures have been implemented for the protection of personal information processed by Who Owns Whom and its operators. In terms of the POPI Act, operators are third parties that process personal information on behalf of Who Owns Whom.
We continuously implement and monitor technical and organisational security measures to protect the personal information we hold, against unauthorised access, as well as accidental or wilful manipulation, loss or destruction.
We will take steps to ensure that operators that process personal information on behalf of Who Owns Whom apply adequate safeguards as outlined above.
Trans-border flows of personal information
We will only transfer personal information across South African borders if the relevant business transactions or situation requires trans-border processing and will do so only in accordance with South African legislative requirements; or if the data subject consents to transfer of their personal information to third parties in foreign countries.
We will take steps to ensure that operators are bound by laws, binding corporate rules or binding agreements that provide an adequate level of protection and uphold principles for reasonable and lawful processing of personal information, in terms of the POPI Act.
We will take steps to ensure that operators that process personal information in jurisdictions outside of South Africa, apply adequate safeguards as outlined in Clause 4.4.
Personal information received from third parties
When we receive personal information from a third party on behalf of a data subject, we require confirmation that they have consent from the data subject that they are aware of the contents of this PAIA manual and the Who Owns Whom Privacy Policy, and do not have any objection to our processing their information in accordance with this policy.
Prescribed request forms and fees
Form of request
To facilitate the processing of your request, kindly:
- Use the prescribed form which is available from the Information Officer or Deputy Information Officer on the contact details outlined in clause 3 of this PAIA manual.
- Address your request to the Information Officer.
- Provide sufficient detail to enable the Company to identify:
- The record(s) requested.
- The requestor (and, if an agent is lodging the request, proof of capacity).
- The South African postal address, email address or fax number of the requestor.
- The form of access required.
- If the requester wishes to be informed of the decision in any manner (in addition to written) the manner and particulars thereof.
- The right which the requestor is seeking to exercise or protect with an explanation of the reason the record is required to exercise or protect the right.
Prescribed fees
The following applies to requests (other than personal requests):
- A requestor is required to pay the prescribed fees (R50.00) before a request will be processed.
- If the preparation of the record requested requires more than the prescribed hours (six), a deposit shall be paid (of not more than one third of the access fee which would be payable if the request were granted).
- A requestor may lodge an application with a court against the tender/payment of the request fee and/or deposit.
- Records may be withheld until the fees have been paid.
- The Fee Structure is available on request from the Information Officer or Deputy Information Officer on the contact details outlined in clause 3 of this PAIA manual.
Access to prescribed forms and fees
Prescribed forms and fees can be requested from the Information Officer or Deputy Information Officer on the contact details outlined in clause 3 of this PAIA manual.
Remedies
The Company does not have internal appeal procedures regarding PAIA and POPI Act requests. As such, the decision made by the duly authorised persons in Clause 3 is final. If a request is denied, the requestor is entitled to apply to a court with appropriate jurisdiction, or the Information Regulator, for relief.
Terms & Definitions
Term | Descriptions |
---|---|
Access Control | Access control is a method of restricting access to sensitive data. Only those that have had their identity verified can access company data through an access control gateway. |
Accountability | The responsible party must ensure that the conditions, and all the measures set out in the Act that give effect to such conditions, are complied with at the time of determining the purpose and means of the processing. |
Biometrics | Means a technique of personal identification that is based on physical, physiological or behavioural characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition; |
Breach Disclosure | The requirement that an organization notify regulators and/or victims of incidents affecting the confidentiality and security of personal data |
Bring Your Own Device (BYOD) | Refers to the trend of employees using personal devices to connect to their organizational networks and access work-related systems and potentially sensitive or confidential data. Personal devices could include smartphones, personal computers, tablets, or USB drives. |
Cloud Computing | Cloud computing is the on-demand availability of computer system resources, especially data storage and computing power, without direct active management by the user. |
Codes of Conduct | Means a code of conduct issued in terms of Chapter 7 of POPIA |
Confidentiality | The keeping of another person or entity’s information private. Certain professionals are required by law to keep information shared by a client or patient private, without disclosing the information, even to law enforcement, except under certain specific circumstances. |
Consent | Means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information |
Cross Border Data Transfer | Refers to moving personal data from one country to another across international borders |
Cyber Security | Cyber security is the state or process of protecting and recovering networks, devices and programs from any type of cyberattack. |
Data Anonymization | A type of information sanitization whose intent is privacy protection. It is the process of removing personally identifiable information from data sets, so that the people whom the data describe remain anonymous |
Data Breach | A data breach is an incident where information is stolen or taken from a system without the knowledge or authorization of the system’s owner |
Data Operator | A natural or legal person, public authority, agency or other body which processes personal data on behalf of the Responsible Party. |
Data Subject | Means the person to whom personal information relates. |
Data Subject Participation | Data subjects may request whether their personal information is held, as well as the correction and/or deletion of any personal information held about them. |
De-identify | in relation to personal information of a data subject, means to delete any information that— a) identifies the data subject; b) can be used or manipulated by a reasonably foreseeable method to identify the data subject; or c) can be linked by a reasonably foreseeable method to other information that identifies the data subject, and d) ‘‘de-identified’’ has a corresponding meaning |
Disclosure | The action of making new or secret information known. |
Document Library | A special type of library, used to store related files or documents together with their metadata. |
Further Processing Limitation | Personal information may not be processed for a secondary purpose unless that processing is compatible with the original purpose. |
Information Officer | Of, or in relation to, a – a) public body means an Information Officer or Deputy Information Officer as contemplated in terms of section 1 or 17 of the Promotion of Access to Information Act; or b) private body means the head of a private body as contemplated in section 1, of the Promotion of Access to Information Act |
In-place records management | This records management option is used when a document is left in its current location, but declared as a record that can no longer be edited. In other words, the record is immutable. |
Information Quality | The responsible party must take reasonable steps to ensure that the personal information collected is complete, accurate, not misleading and updated where necessary. |
Metadata (Columns) | Metadata is used to describe the content and files that are stored and managed on a SharePoint site. If set up correctly, metadata can be used for automatic routing, workflow and managing of content. In SharePoint, columns are used to add and manage metadata. |
Mobile Device | A mobile device (or handheld computer) is a computer small enough to hold and operate in the hand. Typically, any handheld computer device will have an LCD or OLED flatscreen interface, providing a touchscreen interface with digital buttons and keyboard or physical buttons along with a physical keyboard. Many such devices can connect to the Internet and interconnect with other devices such as car entertainment systems or headsets via Wi-Fi, Bluetooth, cellular networks or near field communication (NFC). |
Openness | The data subject whose information you are collecting must be aware that you are collecting such personal information and for what purpose the information will be used. |
Operator | The POPIA person (or Entity) who processes personal information for or on behalf of a responsible party in terms of a contract or mandate, without coming under the direct authority of that party. |
Person | Means a natural person or a juristic person. |
Personal Information | Means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to— a) information relating to the race, gender, sex, national or social origin, language, age, disability; b) information relating to the education or medical or financial history of the person; c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person; d) the biometric information of the person; e) the personal opinion, views or preferences of the person; f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; g) the views or opinions of another individual about the person; and h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person. |
POPIA | Protection of Personal Information Act. The South African Privacy law |
Privacy | Privacy is the ability of an individual or group to seclude themselves or information about themselves, and thereby express themselves selectively. When something is private to a person, it usually means that something is inherently special or sensitive to them |
Privacy by Design | Means building privacy into the design, operation, and management of a given system, business process, or design specification; |
Private Body | a) A natural person who carries or has carried on any trade, business or profession, but only in such capacity. b) A partnership which carries or has carried on any trade, business or profession; or c) Any former or existing juristic person. |
Processing | Any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including— a) The collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use; b) Dissemination by means of transmission, distribution or making available in any other form; or c) Merging, linking, as well as restriction, degradation, erasure or destruction of information. |
Processing Limitation | Personal information may only be processed in a fair and lawful manner and only with the consent of the data subject. |
Public Body | a) Any department of state or administration in the national or provincial sphere of government or any municipality in the local sphere of government; or b) Any other functionary or institution when i. exercising a power or performing a duty in terms of the Constitution or a provincial constitution; or ii. exercising a public power or performing a public function in terms of any legislation. |
Purpose Specific | Personal information may only be processed for specific, explicitly defined and legitimate reasons. |
Record | Means any recorded information— a) regardless of form or medium, including any of the following: i. Writing on any material; ii. information produced, recorded or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored; iii. label, marking or other writing that identifies or describes any thing of which it forms part, or to which it is attached by any means; iv. book, map, plan, graph or drawing; v. photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced; b) in the possession or under the control of a responsible party; c) whether or not it was created by a responsible party; and d) regardless of when it came into existence; |
Records Centre | A records centre is created using a site template and comes with built-in features (such as versioning, auditing, metadata management and record routing) to manage the records management process. A records centre is a separate part of a SharePoint site. |
Re-identify | in relation to personal information of a data subject, means to resurrect any information that has been de-identified, that— a) identifies the data subject; b) can be used or manipulated by a reasonably foreseeable method to identify the data subject; or c) can be linked by a reasonably foreseeable method to other information that identifies the data subject, and ‘‘re-identified’’ has a corresponding meaning |
Responsible Party | The POPIA public or private body or any other person which determines the purpose of and means for processing personal information. |
Restriction | Means to withhold from circulation, use or publication any personal information that forms part of a filing system, but not to delete or destroy such information |
Requestor | in relation to- a) a public body, means- i. any person (other than a public body or an official thereof) making a request for access to a record of that public body; or ii. a person acting on behalf of the person referred to in the subparagraph above; b) a private body, means- i. any person, including, but not limited to, a public body or an official thereof, making a request for access to a record of that private body; or ii. a person acting on behalf of the person contemplated in the subparagraph above; |
Right to be Forgotten (RTBF) | A right to have personal data deleted, in particular from the world wide web. South African law does not explicitly recognise a general right to be forgotten |
Security | Security settings control who can access sites, what content they can see and what they can do with the content. Security can be set on sites, web parts, folders and documents/items. Users should be added to security groups and permission should be assigned on group level, not on individual user level. |
Security Safeguards | Personal information must be kept secure against the risk of loss, unlawful access, interference, modification, unauthorized destruction and disclosure. |
The Act | means Promotion of Access to Information Act 2 of 2000 |
Third Parties | means any natural or juristic person other than the Requester, or such party acting on behalf of the Requester |
Views | Views control what information is displayed in lists and libraries, but can only be fully utilised if metadata is properly set up and used. Views determine what columns are displayed, how information is sorted, grouped and filtered. It is possible to create multiple views to display the same information in different ways, depending on how it is filtered, sorted and organised. A public view is available to all users on a site, whereas a private view is only available to the user that created it. |