This document was last updated 18 October 2023
1. Introduction
This Manual is prepared in terms of Section 51 of the Promotion of Access to Information Act 2 of 2000 (as amended). The Act gives effect to the provisions of Section 32 of the Constitution, which provides for the right of access to information held by the State and to information held by another person that is required for the exercise and/or protection of any right.
The reference to any information in addition to that specifically required in terms of Section 51 of the Act does not create any right or entitlement (contractual or otherwise) to receive such information, other than in terms of the Act.
Genlib CC supports the constitutional right of access to information, and we are committed to providing you access to our records in accordance with the provisions of the Act, the confidentiality we owe third parties, and the principles of South African law.
Who May Request Information In Terms Of The Act?
Any person, who requires information for the exercise or protection of any rights, may request information from a private body if, as Section 50 of the Act states:
a) That record is required for the exercise or protection of any rights;
b) That person complies with the procedural requirements in this Act relating to a request for access to that record; and
c) Access to that record is not refused in terms of any ground for refusal contemplated in Chapter 4 of this Part
2. List Of Acronyms And Abbreviations
2.1 “CEO” Chief Executive Officer
2.2 “DIO” Deputy Information Officer
2.3 “IO“ Information Officer
2.4 “Minister” Minister of Justice and Correctional Services
2.5 “PAIA” Promotion of Access to Information Act No. 2 of 2000 (as Amended)
2.6 “POPIA” Protection of Personal Information Act No.4 of 2013
2.7 “Regulator” Information Regulator
2.8 “Republic” Republic of South Africa
3. Purpose Of PAIA Manual
This PAIA Manual is useful for the public to:
3.1 Check the categories of records held by a body which are available without a person having to submit a formal PAIA request;
3.2 Have a sufficient understanding of how to make a request for access to a record of the body, by providing a description of the subjects on which the body holds records and the categories of records held on each subject;
3.3 Know the description of the records of the body which are available in accordance with any other legislation;
3.4 Access all the relevant contact details of the Information Officer and Deputy Information Officer who will assist the public with the records they intend to access;
3.5 Know the description of the guide on how to use PAIA, as updated by the Regulator and how to obtain access to it;
3.6 Know if the body will process personal information, the purpose of processing of personal information and the description of the categories of data subjects and of the information or categories of information relating thereto;
3.7 Know the description of the categories of data subjects and of the information or categories of information relating thereto;
3.8 Know the recipients or categories of recipients to whom the personal information may be supplied;
3.9 Know if the body has planned to transfer or process personal information outside the Republic of South Africa and the recipients or categories of recipients to whom the personal information may be supplied; and
3.10 Know whether the body has appropriate security measures to ensure the confidentiality, integrity and availability of the personal information which is to be processed.
4. Key Contact Details For Access To Information
5. Information Officer Of The Company
The Company has appointed an Information Officer in terms of the Protection of Personal Information Act No. 4 of 2013 (“POPI Act”). The duties of the Information Officer include the following:
5.1 supervision;
5.2 collecting data processing inventories;
5.3 administration of data processing notifications;
5.4 handling complaints;
5.5 preparing annual reports;
5.6 developing internal regulations and providing advice on technology and protection;
5.7 ensuring that the rights and freedoms of the data subjects are unlikely to be adversely affected by the processing operations;
5.8 raising awareness and provide training on data protection issues and encourage a culture of protecting personal data within his/her organizations;
5.9 informing controllers of their obligations and making data subjects aware of their rights;
5.10 ensuring that controllers and data subjects are informed of their rights and obligations pursuant to the local POPI Act and cross border considerations;
5.11 making recommendations for the practical improvement of information and data protection to the FSP;
5.12 advising the controller concerned on matters concerning the application of data protection provisions; and
5.13 communicating with the Information Regulator and discussing any issues.
6. Guide On How To Use PAIA and How To Obtain Access The Guide
6.1. The Regulator has, in terms of section 10(1) of PAIA, as amended, updated and made available the revised Guide on how to use PAIA (“Guide”), in an easily comprehensible form and manner, as may reasonably be required by a person who wishes to exercise any right contemplated in PAIA and POPIA.
6.2. The Guide is available in each of the official languages and in braille.
6.3. The aforesaid Guide contains the description of-
6.3.1. the objects of PAIA and POPIA;
6.3.2. the postal and street address, phone and fax number and, if available, electronic mail address of-
6.3.2.1 the Information Officer of every public body, and
6.3.2.2 every Deputy Information Officer of every public and private body designated in terms of section 17(1) of PAIA1 and section 56 of POPIA2 ;
6.3.3. the manner and form of a request for-
6.3.3.1 access to a record of a public body contemplated in section 113 ; and
6.3.3.2. access to a record of a private body contemplated in section 504 ;
6.3.4. the assistance available from the IO of a public body in terms of PAIA and POPIA;
6.3.5. the assistance available from the Regulator in terms of PAIA and POPIA;
6.3.6. all remedies in law available regarding an act or failure to act in respect of a right or duty conferred or imposed by PAIA and POPIA, including the manner of lodging-
6.3.6.1 an internal appeal;
6.3.6.2 a complaint to the Regulator; and
6.3.6.3 an application with a court against a decision by the information officer of a public body, a decision on internal appeal or a decision by the Regulator or a decision of the head of a private body;
6.3.7. the provisions of sections 145 and 516 requiring a public body and private body, respectively, to compile a manual, and how to obtain access to a manual;
6.3.8. the provisions of sections 157 and 528 providing for the voluntary disclosure of categories of records by a public body and private body, respectively;
6.3.9. the notices issued in terms of sections 229 and 5410 regarding fees to be paid in relation to requests for access; and
6.3.10. the regulations made in terms of section 9211.
6.4. Members of the public can inspect or make copies of the Guide from the offices of the public and private bodies, including the office of the Regulator, during normal working hours.
6.5. The Guide can also be obtained-
6.5.1. upon request to the Information Officer;
6.5.2. from the website of the Regulator (https://inforegulator.org.za/).
Section References
1Section 17(1) of PAIA- For the purposes of PAIA, each public body must, subject to legislation governing the employment of personnel of the public body concerned, designate such number of persons as deputy information officers as are necessary to render the public body as accessible as reasonably possible for requesters of its records.
2 Section 56(a) of POPIA- Each public and private body must make provision, in the manner prescribed in section 17 of the Promotion of Access to Information Act, with the necessary changes, for the designation of such a number of persons, if any, as deputy information officers as is necessary to perform the duties and responsibilities as set out in section 55(1) of POPIA.
3 Section 11(1) of PAIA- A requester must be given access to a record of a public body if that requester complies with all the procedural requirements in PAIA relating to a request for access to that record; and access to that record is not refused in terms of any ground for refusal contemplated in Chapter 4 of this Part.
4 Section 50(1) of PAIA- A requester must be given access to any record of a private body if-
a) that record is required for the exercise or protection of any rights;
b) that person complies with the procedural requirements in PAIA relating to a request for access to that record; and
c) access to that record is not refused in terms of any ground for refusal contemplated in Chapter 4 of this Part.
5 Section 14(1) of PAIA- The information officer of a public body must, in at least three official languages, make available a manual containing information listed in paragraph 4 above.
6 Section 51(1) of PAIA- The head of a private body must make available a manual containing the description of the information listed in paragraph 4 above.
7 Section 15(1) of PAIA- The information officer of a public body, must make available in the prescribed manner a description of the categories of records of the public body that are automatically available without a person having to request access
8 Section 52(1) of PAIA- The head of a private body may, on a voluntary basis, make available in the prescribed manner a description of the categories of records of the private body that are automatically available without a person having to request access
9 Section 22(1) of PAIA- The information officer of a public body to whom a request for access is made, must by notice require the requester to pay the prescribed request fee (if any), before further processing the request.
10 Section 54(1) of PAIA- The head of a private body to whom a request for access is made must by notice require the requester to pay the prescribed request fee (if any), before further processing the request.
11 Section 92(1) of PAIA provides that –“The Minister may, by notice in the Gazette, make regulations regarding-
(a) any matter which is required or permitted by this Act to be prescribed;
(b) any matter relating to the fees contemplated in sections 22 and 54;
(c) any notice required by this Act;
(d) uniform criteria to be applied by the information officer of a public body when deciding which categories of records are to be made available in terms of section 15; and
(e) any administrative or procedural matter necessary to give effect to the provisions of this Act.”
7. Categories Of Records And Description Of The Subjects
The subjects on which the Company holds records and the categories of records are listed below. Please note that a requester is not automatically allowed access to these records and that access to them may be refused in accordance with Sections 62 to 69 of the Act.
7.1 Human Resources
Records found in this division contain information of employees that include the following:
a) any personal records provided to the Company by the employee/personnel;
b) any records a third party has provided to the Company about its personnel;
c) conditions of employment and other personnel-related contractual and quasi-legal records;
d) internal evaluation records;
e) other internal records and correspondence related to the particular employee.
7.2 Client Related Records
Clients include both juristic and natural entities that receive a service from the Company and includes:
a) any records a client has provided to a third party acting on behalf of the Company;
b) any records a Third Party has provided to the Company; and
c) records generated by or within the Company pertaining to the client, including transactional records.
7.3 Company Records
This category of records relates, but is not limited to, the following information:
a) Financial records
b) Operational records
c) Databases
d) Information Technology
e) Marketing records
f) Internal correspondence
g) Product records
h) Statutory records
i) Internal policies and procedures
j) Treasury related records
k) Securities and equities
l) Records held by officials of the Company
7.4 Other Parties
The Company may possess records pertaining to other parties, including without limitation, contractors, suppliers, subsidiary/holding/sister companies, joint venture companies, service providers. Alternatively, such other parties may possess records that can be said to belong to the Company.
The following records fall under this category:
a) Personnel, client or the Company records which are held by another party as opposed to being held by the Company; and
b) Records held by the Company pertaining to other parties, including without limitation financial records, correspondence, contractual records, records provided by the other party, and records third parties have provided about the contractors/suppliers.
8. Description Of The Records Which Are Available In Accordance With Any Other Legislation
Records are kept in accordance with such other legislation as applicable to the Genlib CC, which includes, but is not limited to:
a) Basic Conditions of Employment Act (Act No 75 of 1997);
b) Compensation for Occupational Injuries and Diseases Act (Act No. 130 of 1993);
c) Employment Equity Act (Act No. 55 of 1998);
d) Labour Relations Act (Act No. 66 of 1995);
e) Occupational Health and Safety Act (Act No. 85 of 1993);
f) Promotion of Equality and Prevention of Unfair Discrimination Act (Act No. 4 of 2000);
g) Skills Development Act (Act No. 97 of 1998);
h) Skills Development Levies Act (Act No. 9 of 1999);
i) South African Qualifications Authority Act (58 of 1995);
j) Companies Act (Act No. 71 of 2008);
k) Short-Term Insurance Act (Act No. 53 of 1998);
l) Long-Term Insurance Act (Act No. 52 of 1998);
m) Financial Advisory and Intermediary Services Act (Act No. 37 of 2002);
n) Financial Intelligence Centre Act (Act No. 38 of 2001);
o) Financial Services Laws General Amendment Act (Act No. 45 of 2013);
p) Financial Markets Control Act (Act No. 55 of 1989);
q) Financial Services Board Act (Act No. 97 of 1990);
r) Income Tax Act (Act No. 58 of 1962 as amended);
s) VAT Act (Act No. 89 of 1991)
Records relating to tax, employees and the company may be requested in terms of the above Acts.
Records relating to company reporting and Company related records as far as is allowed in terms of the above Acts may be requested.
Although Genlib CC has used its best endeavours to supply you with a list of applicable legislation it is possible that the above list may be incomplete. Wherever it comes to Genlib CC’s attention that existing or new legislation allows a requester access on a basis other than that set out in the Act, we shall update the list accordingly.
The Information Officer will take into consideration section 8 of the Manual to decide on whether or not access to any of the information stated above should be given to the requestor.
9. Purpose Of Processing Personal Information
9.1 Legal Basis for Processing Your Personal Information
When we process your personal information, we may rely on one or more of the following legal bases, depending on the purpose for which the processing activity is undertaken and the nature of our relationship with you:
• Our legitimate interests (or those of a third party with whom we share your personal information) for the purpose of managing, operating or promoting our business, and administrative purposes, except where such interests are overridden by your interests or fundamental rights or freedoms which require protection of personal information;
• Where this is necessary to comply with a legal obligation on us;
• To protect the vital interests of any individual;
• Where you have consented for such processing to take place.
Furthermore:
a) Genlib shall only collect Your personal information for a specific, explicitly defined and lawful purpose relating to a function or activity of Genlib’s business;
b) Such purposes may include the following:
i. to make the decision whether or not to enter into a contract with You or allow You to contract with our panel of Insurers;
ii. to perform any obligations under a contract with You;
iii. to comply with a legal obligation;
iv. to protect a legitimate interest of Your (unless You have specifically objected in writing to all or some of the processing activities on reasonable grounds);
v. to pursue its own legitimate interests or the legitimate interests of a third party who it is sharing the information with (unless You have specifically objected in writing to all or some of the processing activities on reasonable grounds);
vi. to customise and display content including, but not limited to products, articles, listings and advertisement to You in a way that Genlib feels may interest You or
vii. be most beneficial to You;
viii. to send content including, but not limited to products, articles, listings and advertisement content to You via email or other electronic media, where You have consented to be contacted by Genlib with such content;
9.2 Description Of Information Collected
Genlib CC is subject to the Protection of Personal Information Act, No.4 of 2013 (POPIA), the main objectives of which shall be adhered to. Personal information is defined in POPI as information relating to an identifiable, living natural person, and where applicable, an identifiable, existing juristic person.
Depending on how you interact with Genlib CC, personal information we collect may include but without limitation:
Address, Banking Details, Correspondence That Would Reveal The Identity Of A Data Subject, Date Of Birth, Driver’s License Number, Education, Email Address, Employment, Full Name, ID Number, Medical, Owned Properties E.G. Vehicle Identification Number (VIN), Passport Number, Telephone Number.
9.3 The recipients to whom the personal information may be supplied
Genlib CC may share your personal, as applicable:
• With service providers and / or business partners to provide operational services, including but not limited to processing of orders, assisting with sales-related activities or post-sales support, client support, data analytics and auditing;
• Where applicable, for credit reference, fraud prevention or business scoring agencies, or other credit scoring agencies;
• For debt collection agencies or other debt recovery organisations.
For other legal reasons:
• We may share your personal information in response to a request for information by a competent authority in accordance with, or required by any applicable law, regulation, or legal process;
• Where necessary to comply with judicial proceedings, court orders or government orders, or
b To protect the rights, property, or safety of Genlib CC, its business partners, you, or others, or as otherwise required by applicable law.
9.4 Planned transborder flows of personal information
a) Genlib does not intend sharing Your personal information with a third party in another country.
b) Genlib may transfer personal information to another country in the following circumstances, to which You consent:
i. the transfer is necessary for the conclusion or performance of a contract with a third party which is for the benefit of or in the interest of You;
ii. the transfer is otherwise for the benefit of You;
iii. You have consented to the transfer of Your information; or
iv. to store Your personal information electronically in a secure database, which shall be done by electronically transmitting Your personal information via a secure connection to, and storing Your personal information electronically in, a secure database hosted in an ISO27001 certified environment. Your personal information shall be hosted with an offshore hosting partner which is a European Union member, compliant with the EU Data Directive which provides data protection at least as protective as POPI , as selected by Genlib from time to time.
c) The service providers to which Genlib discloses Your personal information have the right to electronically transmit Your personal information via a secure connection to, and store Your personal information electronically in, a secure database hosted outside South Africa, provided they have security and privacy policies and procedures providing at least the same level of protection as Genlib does.
9.5 General description of information security measures to be implemented by the responsible party to ensure the confidentiality, integrity and availability of the information
a) Genlib is committed to protecting the personal information in its custody against any loss of, damage to or unauthorised destruction of that information, and to prevent any unauthorised parties from accessing that information.
b) Genlib takes steps to continually identify and document any risks to the personal information it has in its possession or under its control and that appropriate security safeguards are in place against those risks.
c) Genlib shall ensure that in any contracts entered into with third party operators who process personal information on Genlib’s behalf, include the following obligations:
i. the operator shall not process any personal information without Genlib’s knowledge and authority;
ii. the operator shall treat all personal information given to it as confidential and shall not disclose it to any unauthorised third parties;
iii. the operator shall establish and maintain adequate security measures which are the same or offer similar protection over the personal information as that employed by Genlib;
iv. the operator shall notify Genlib immediately where there are reasonable grounds to believe that any personal information has been leaked to or accessed by any unauthorised person;
v. if the operator is situated in another country, it must comply with the data protection laws in that country and be able to provide verification that it is so compliant;
vi. if an operator is legally obliged to disclose any personal information processed by them on Genlib’s behalf to other parties, it must notify Genlib beforehand enable Genlib and/or You to protect Your rights if necessary.
d) Genlib shall ensure that all personal information on its systems is properly backed up and that backup copies are stored separately from the live files.
11. Updating Of The Manual
The head of Genlib will, on a regular basis, update this manual.
12. How To Request Access To Records
Requests for access to records held by the Genlib CC must be made on the Form 2 – Request For Access To Record at the bottom of this document. Not using this form could cause your request to be refused or delayed.
Requests need not be accompanied by payment, but will only be processed upon payment of the prescribed fees. All requests to Genlib CC will be evaluated and considered in accordance with the Act.
13. Fees
The Act provides for two types of fees:
A Request Fee (which will be a standard fee) and an Access Fee, which must be calculated by taking into account reproduction costs, search and preparation time and cost, as well as postal costs where applicable.
When a request is received by the Information Officer of the organisation, the Information Officer shall by notice require the requester, other than a personal requester, to pay the prescribed request fee (if any) before further processing of the request. If a search for the record is necessary and the preparation of the record for disclosure, including arrangement to make it available in the requested form, requires more than the hours prescribed in the regulations for this purpose, the Information Officer shall notify the requester to pay as a deposit the prescribed portion of the access fee which would be payable if the request is granted.
The Information Officer shall withhold a record until the requester has paid the fee or fees as indicated. A requester whose request for access to a record has been granted, must pay an access fee for reproduction and for search and preparation, and for any time reasonably required in excess of the prescribed hours to search for and prepare the record for disclosure including making arrangements to make it available in the request form. If a deposit has been paid in respect of a request for access, which is refused, then the Information Officer shall arrange for Genlib to repay the deposit to the requester.
14. Decision Making Process
14.1. In terms of Section 55, the Information Officer will take all reasonable steps to find a record that has been requested. If the record cannot be found or does not exist, the Information Officer must notify the requester by way of affidavit or affirmation, that it is not possible to give access to the record. This is deemed to be a refusal of the request. If, however, the record is later found, the requester must be given access if the requester would otherwise have been granted.
14.2. Section 56 provides that the Information Officer must within 30 days of receipt of a correctly completed request; notify the requester of the decision as to whether or not to grant the request. If the request is:
14.2.1. Granted: the notification must state the applicable access fee required to be paid, together with the procedure to be followed should the requester wish to apply to court against such fee, and the form in which access will be given.
14.2.2. Declined: the notification must include adequate reasons for the decision, together with the relevant provisions of the Act relied upon and provide the procedure to be followed should the requester wish to apply to court against the decision.
14.3. The Information Officer may extend the period of 30 days by a further period not exceeding 30 days if:
14.3.1. The requester is for a large number of records or requires a search through a large number of records;
14.3.2. Consultation between divisions of the Company, or with another private body is required; or
14.3.3. The requester consents to the extension
14.4. Section 59 provides that the Information Officer may sever a record and grant access only to that portion which the law does not prohibit access to.
14.5. If access is granted, access must be given in the form that is reasonably required by the requester, or if the requester has not identified a preference, in a form reasonably determined by the Information Officer.
15. Third Parties
If the request is for record pertaining to a third party, the Information Officer must take all reasonable steps to inform that third party of the request. This must be done within 21 days of receipt of the request. The manner in which this is done must in the fastest means reasonably possible, but if orally, the Information Officer must thereafter give the third party a written confirmation of the notification. The third party may within 21 days thereafter either make representations to the Company as to why the request should be refused, alternatively grant written consent to the disclosure of the record. The third party must be advised of the decision taken by the Information Officer on whether to grant or decline the request and must also be advised of his/her/its right to appeal against the decision by way of application to court within 30 days after the notice.
16. Grounds For Refusal Of A Request
Notwithstanding compliance with section 50, the request may be declined in accordance with one of the prescribed grounds in terms of the Act, namely:
16.1. Section 63 of the Act prohibits the unreasonable disclosure of the personal information of natural-person third parties to requestors. This includes the personal information of deceased persons. However, Section 63 (2) does provide exceptions to this.
16.2. Section 64 states that a request must be refused if it relates to records containing third party information pertaining to:
16.2.1. Trade secrets;
16.2.2. Financial, commercial, scientific or technical information where disclosure would be likely to cause harm to the commercial or financial interests of that third party; or
16.2.3. Information, supplied in confidence by the third party, the disclosure of which could reasonably be expected to put the third party at a disadvantage in contractual or other negotiations, or prejudice the third party in commercial competition.
The information must, however, be released if it pertains to the results of products or environmental testing, the disclosure of which would reveal a serious public safety or environmental risk.
16.3. Section 65 prohibits disclosure of information if such disclosure would constitute a breach of any duty of confidentiality owed to a third party in terms of an agreement.
16.4. In terms of Section 66, the Company must refuse a request for access to a record of the body if disclosure could reasonably be expected to:
16.4.1. Endanger the life or physical safety of an individual;
16.4.2. Prejudice or impair the security of a building, structure or system, including but not limited to a computer or communication system, means of transport or any other property;
16.4.3. The Company may also refuse a request for access to information that would prejudice methods, systems, plans or procedures for the protection of an individual in accordance with a witness protection scheme or safety of the public.
16.5. Section 67 mandates the refusal of a request if the record is privileged from production in legal proceedings, unless the person entitled to the privilege has waived the privilege.
16.6. Section 68 pertains to records containing information about the Company itself and unlike the other provisions pertaining to declinature of a request, is not mandatory, but rather discretionary. The Company may refuse access to a record if the record:
16.6.1. Contains trade secrets of the Company;
16.6.2. Contains financial, commercial, scientific or technical information, the disclosure of which would be likely to cause harm to the commercial or financial interests of the Company;
16.6.3. Contains information which, if disclosed, could reasonably be expected to put the Company at a disadvantage in contractual or other negotiations, or prejudice the Company in commercial competition; or
16.6.4. Consists of a computer program owned by the Company.
16.6.5. Notwithstanding the above, the information must be released if it pertains to the results of product or environmental testing, the disclosure of which would reveal a serious public safety or environmental risk.
16.7. Section 69 prohibits the disclosure of information about research where disclosure is likely to expose the third party, the person conducting the research on behalf of the third party, or the subject matter of the research to serious disadvantage. Disclosure is discretionary if such research pertains to the Company itself.
16.8. Notwithstanding any of the above-mentioned provisions, section 70 provides that a record must be disclosed if its disclosure would:
16.8.1. Reveal evidence of a substantial contravention of or failure to comply with the law, imminent and serious public safety or environmental risk; and
16.8.2. If the public interest in the disclosure clearly outweighs the harm.
17. Rights Of Appeal
17.1. A requestor that is dissatisfied with the Information Officer’s refusal to grant access to any information may, within 30 days of notification of the decision, apply to court for relief. Likewise, a third party dissatisfied with the Information Officer’s decision to grant a request may, within 30 days of notification of the decision, apply to court for relief.
17.2. It should be noted that notwithstanding any provision in this Act, the court may examine the record (s) in question. No record may be withheld from the court in any grounds. The court may not, however, disclose the contents of the record (s).
17.3. The court is empowered to grant any order that is just and equitable, including:
17.3.1. Confirming, amending or setting aside the Information Officer’s decision;
17.3.2. Requiring the Information Officer to take any action, or refrain from taking any action as identified by the court within a specified period;
17.3.3. Granting an interdict, interim or special relief, declaratory order or compensation; or an order as to costs.