South Africa · PAIA & POPIA

Access and data protection for South Africa, in one platform

AccessPoint manages PAIA access-to-information requests and POPIA data-subject requests, security-compromise notifications, and impact assessments — pre-configured for South Africa and running inside your own Microsoft 365 tenant.

South Africa at a glance

Response deadline
30 days to decide a PAIA request
Extensions
A single extension of up to 30 more days — large volume, wide search, or third-party consultation
Fees
A request fee plus prescribed access fees; personal requesters are exempt from the request fee
POPIA data-subject rights
Access (s 23) and correction or deletion (s 24)
Oversight
Information Regulator — both PAIA and POPIA; administrative fines up to R10 million
Languages
English

Built for South Africa

One platform for the whole access-and-privacy mandate, pre-configured for this regime and running in your own Microsoft 365 tenant.

PAIA request lifecycle

Intake to decision on PAIA's 30-day clock — with the up-to-30-day extension, the Act's grounds of refusal, fee estimates, and a defensible record — for both public and private bodies, all built on Microsoft 365.

Public and private bodies

PAIA is unusual in reaching records held by private bodies, not only public ones, where an applicant needs them to exercise or protect a right. AccessPoint ships the public-body and private-body request types with the section numbers that apply to each.

POPIA requests and assessments

Run data-subject access and correction requests and the impact assessments POPIA expects — a guided questionnaire engine with screeners, an embedded risk register, and a regulator-ready summary export.

Security-compromise notification

Log a security compromise, assess it, and get a live checklist of what section 22 requires — notice to the Information Regulator and to affected data subjects, as soon as reasonably possible after discovery, and what each notice must contain.

Regulator complaints and enforcement

Track complaints and assessments by the Information Regulator with a filing-window check, an investigation workspace, and a guided path from representations to an enforcement notice or disposition.

In your own tenant

Every request, assessment, and record stays inside your own Microsoft 365 and Azure tenant — no third-party cloud, no cross-border transfers, no per-user fees.

One regulator, two regimes

One regulator now oversees access and privacy. AccessPoint runs both.

Since 2021, the Information Regulator has overseen both PAIA and POPIA — taking access-to-information oversight over from the South African Human Rights Commission and holding data-protection powers of its own. Most offices already handle access requests. Fewer run POPIA's data-subject requests, its section 22 security-compromise notifications, and the eight conditions for lawful processing on the same footing. AccessPoint operates both regimes on one platform, in your own tenant, so a single office answers to a single regulator from a single system.

PAIA requests Public-body and private-body access on the 30-day clock.
POPIA requests Data-subject access and correction, with assessments and a risk register.
Breach notification Section 22 notice to the Regulator and data subjects, computed for you.

Configured out of the box

Installing the za-paia-popia configuration pack seeds your tenant with everything this regime needs — a starting point you can adjust, not a lock-in.

Related guide: FOI Workflow Quick Check
  • PAIA and POPIA as the legal-authority and citation spine
  • South African public-holiday calendar and PAIA due-date rules
  • PAIA grounds of refusal, colour-coded for redaction
  • PAIA extension grounds with citations and limits
  • Request and access fee categories, including the personal-requester exemption
  • Information Regulator complaint grounds and dispositions
  • POPIA section 22 security-compromise notification rules
  • PAIA correspondence templates with statutory wording

South Africa Questions

Does AccessPoint cover both PAIA and POPIA?

Yes. The South African configuration ships both regimes in one pack — PAIA access-to-information requests and POPIA data-subject requests — with PAIA's 30-day clock and its up-to-30-day extension, POPIA's access (s 23) and correction (s 24) rights, the section 22 breach-notification rules, and the Information Regulator reflected in the complaint workflows.

Does it handle requests to private bodies, not just public ones?

Yes. PAIA is unusual in reaching records held by private bodies where an applicant needs them to exercise or protect a right. AccessPoint ships both the public-body and private-body request types, each with the section numbers and routes that apply to it — including that private bodies have no internal appeal, so requesters go directly to the Regulator or a court.

Does it manage POPIA security-compromise notifications?

Yes. Log a security compromise and AccessPoint assesses it and produces a live checklist of what section 22 requires — notice to the Information Regulator and to affected data subjects, as soon as reasonably possible after there are reasonable grounds to believe a compromise occurred — with a full audit trail.

Where does South African data reside?

Entirely within your own Microsoft 365 and Azure tenant. Requests, documents, assessments, and audit history never leave your control — no third-party cloud and no cross-border data transfers.

Run PAIA and POPIA in One Platform

Try AccessPoint free for 30 days, pre-configured for South Africa. No credit card required.

Start Free Trial