SwitchX (Pty) Ltd (“Company”) Manual to Accessing Information (“Manual”) 

This Manual has been prepared in terms of section 51 of the Promotion of Access to Information Act 2 of 2000 (“PAIA”) and updated in the light of the Protection of Personal Information Act 4 of 2013 (“POPIA”). 

1. Introduction 

1.1. This manual is for the Company.

2. Purpose of PAIA 

2.1. PAIA is an act that was passed to give effect to the constitutional right, held by everyone in South Africa, of access to information which is held by the State or by another person and which is required for the exercise or protection of any right. Where a request is made in terms of PAIA, the body to which the request is made is obliged to give access to the requested information, except where the Act expressly provides that the information may or must not be released.

2.2. It is important to note that PAIA recognises certain limitations to the right of access to information, including, but not exclusively, limitations aimed at the reasonable protection of privacy, commercial confidentiality, and effective, efficient and good governance, and in a manner which balances that right with any other rights, including such rights contained in the Bill of Rights in the Constitution. 

2.3. POPIA was enacted in November 2013, to promote the protection of personal information processed by public and private bodies. POPIA amended certain provisions of PAIA, balancing the need for access to information against the need to ensure the protection of personal information. 

2.4. This PAIA Manual is useful for the public to-

2.4.1. check the categories of records held by a body which are available without a person having to submit a formal PAIA request;

2.4.2. have a sufficient understanding of how to make a request for access to a record of the body, by providing a description of the subjects on which the body holds records and the categories of records held on each subject; 

2.4.3. know the description of the records of the body which are available in accordance with any other legislation; 

2.4.4. access all the relevant contact details of the Information Officer and Deputy Information Officer who will assist the public with the records they intend to access; 

2.4.5. know the description of the guide on how to use PAIA, as updated by the Regulator and how to obtain access to it; 

2.4.6. know if the body will process personal information, the purpose of processing of personal information and the description of the categories of data subjects and of the information or categories of information relating thereto; 

2.4.7. know the description of the categories of data subjects and of the information or categories of information relating thereto; 

2.4.8. know the recipients or categories of recipients to whom the personal information may be supplied; 

2.4.9. know if the body has planned to transfer or process personal information outside the Republic of South Africa and the recipients or categories of recipients to whom the personal information may be supplied; and 

2.4.10. know whether the body has appropriate security measures to ensure the confidentiality, integrity and availability of the personal information which is to be processed. 

3. Guide to PAIA 

3.1. The Regulator has, in terms of section 10(1) of PAIA, as amended, updated and made available the revised Guide on how to use PAIA ("Guide"), in an easily comprehensible form and manner, as may reasonably be required by a person who wishes to exercise any right contemplated in PAIA and POPIA. 

3.2. The Guide is available from the Information Regulator in each of the official languages and in braille. 

3.3. Members of the public can inspect or make copies of the Guide from the offices of the public and private bodies, including the office of the Regulator, during normal working hours. 

3.4. The Guide can also be obtained-

3.4.1. upon request to the Information Officer;

3.4.2. from the website of the Regulator (https://www.justice.gov.za/inforeg/). 

3.5. A copy of the Guide is also available in the following two official languages, for public inspection during normal office hours- English and Afrikaans 

4. Information manual

4.1. One of the main requirements specified in PAIA is the compilation of an information manual that provides information on both the types and categories of records held by a private body. This document serves as Company’s information manual. This Manual is compiled in accordance with section 51 of PAIA and the Schedule to POPIA. It is intended to give a description of the records held by and on behalf of Company; to outline the procedure to be followed and the fees payable when requesting access to any of these records in the exercise of the right of access to information, with a view of enabling requesters to obtain records which they are entitled to in a quick, easy and accessible manner. 

4.2. This Manual is available for public inspection at the physical address of Company, recorded in paragraph 4 below, free of charge; and on this website, free of charge; and on request by any person (along with payment of a prescribed fee). 

4.3. The Manual is available from the designated Information Officer, whose details appear below. 

4.4. The responsibility for administration of, and compliance with, PAIA and POPIA has been delegated to the Information Officer.

4.5. Requests pursuant to the provisions of PAIA and/or POPIA should be directed to the Information Officer as follows: Daneel Jordaan – daneel.jordaan@switchx.co.za 

5. Automatic disclosure 

5.1. A private body may, on a voluntary basis, make available a description of categories of records that are automatically available without a person having to request access in terms of PAIA. 

5.2. The only fee for access to these records may be a prescribed fee for reproduction. 

6. Types and categories of records 

6.1. A requester may also request information that is available in terms of other legislation, such as (the below is not an exhaustive list):

6.1.1. Competition Act 89 of 1998; 

6.1.2. The Companies Act 71 of 2008; 

6.1.3. The Labour Relations Act 66 of 1995; 

6.1.4. Employment Equity Act 55 of 1998; 

6.1.5. Basic Conditions of Employment Act 75 of 1997; 

6.1.6. Compensation for Occupational Injuries and Diseases Act 130 of 1993; 

6.1.7. Financial Intelligence Centre Act 38 of 2001; 

6.1.8. Income Tax Act 58 of 1962; 

6.1.9. Occupational Health and Safety Act 85 of 1993; 

6.1.10. Unemployment Insurance Act 63 of 2001; 

6.1.11. Value-added Tax Act 89 of 1991; and 

6.1.12. Consumer Protection Act 68 of 2008. 

7. Subject Categories of Records 

7.1. Personnel Records: "Personnel" refers to any person who works for or provides services to or on behalf of Company and receives, or is entitled to receive, remuneration and any other person who assists in carrying out or conducting the business of Company. It includes, without limitation, directors (executive and non-executive), all permanent, temporary and part-time staff, as well as contract workers. 

7.2. Personal records provided by personnel include:

7.2.1. Records provided by a third party relating to Personnel;

7.2.2. Conditions of employment and other Personnel-related contractual and quasi-legal records, including job applications; 

7.2.3. Internal evaluation records and other internal records;  

The information is classified and grouped according to records relating to the following subjects and categories: 

7.2.4. Correspondence relating to, or emanating from, Personnel (internal and external to the organization);

7.2.5. Training schedules and material; and

7.2.6. Payment records (and beneficiary payments), including banking details. 

7.3. Client Related Records: "Client" refers to any natural or juristic entity that receives services from Company. 

7.4. Client related records include:

7.4.1. Records provided by a client to a third party acting for or on behalf of Company;

7.4.2. Records provided by a third party (for example, records from a reseller); 

7.4.3. Records generated by or within Company relating to its clients; 

7.4.4. Transactional records; 

7.4.5. Correspondence with a client that is implicitly or explicitly of a private or confidential nature; and

7.4.6. Records pertaining to a client retrieved from “other sources”, such as any credit bureau or credit providers industry association. 

7.5. Private Body Records which include but are not limited to records pertaining to Company’s own internal affairs:

7.5.1. Financial records;

7.5.2. Operational records; 

7.5.3. Information technology; 

7.5.4. Communication; 

7.5.5. Administrative records, such as contracts and service level agreements; 

7.5.6. Product records; 

7.5.7. Statutory records; 

7.5.8. Internal Policies and procedures; and 

7.5.9. Human resources records. 

7.6. Other Party Records:
7.6.1. Records held by Company pertaining to other parties, including without limitation, financial records, correspondence, contractual records, records provided by the other party (for example third party beneficiaries or employees of a client), and records third parties have provided about Company's contractors / suppliers. 
7.6.2. Company may possess records pertaining to other parties including, but not limited to, contractors, suppliers, and service providers and such other parties may possess records that can be said to belong to Company. 

8. Processing details 

8.1. In terms of POPIA, data must be processed for a specified purpose. The purpose for which data are processed by Company will depend on the nature of the data and the particular data subject. This purpose is ordinarily disclosed, explicitly or implicitly, at the time the data are collected. 

8.2. Purpose of Processing
8.2.1. Personnel data: Company processes personnel data for business administration purposes. For example, personnel data are processed for payroll purposes. Personnel data are also processed to the extent required by legislation and regulation. For example, Company discloses employees’ financial information to the Commissioner for the South African Revenue Service, in terms of the Income Tax Act 58 of 1962 and employees’ sensitive personal information in terms of the Employment Equity Act 55 of 1998.

8.2.2. Client related data: Company processes client related records as an integral part of its commercial services. For example, Company processes client related records during the client application and onboarding processes and for provision of a service. This list of processing purposes is non-exhaustive.

9. Third party data 

9.1. Company processes third party records for business administration purposes. 

10. Other party data
10.1. Company processes “other party” records for business administration purposes. For example, Personnel data may be processed in order to effect payment to contractors and / or suppliers. 

10.2. In performing these various tasks, Company may, amongst others, collect, collate, process, store and disclose personal information. 

11. Categories of Data Subjects

Company holds information and records on the following categories of data subjects:

11.1. Employees / Personnel of Company;

11.2. Clients of Company; 

11.3. Any third party with whom Company conducts its business services; 

11.4. Contractors of Company; 

11.5. Suppliers of Company; 

11.6. Service providers of Company. 

This list of categories of data subjects is non-exhaustive. 

12. Recipients To Whom Personal Information Will Be Supplied

12.1. Depending on the nature of the data, Company may supply information or records to the following categories of recipients:
12.1.1. Statutory oversight bodies, regulators or judicial commissions of enquiry making a request for data (i.e. the Information Regulator in terms of POPIA); 

12.1.2. Any court, administrative or judicial forum, arbitration, statutory commission, or ombudsman making a request for data or discovery in terms of the applicable rules (i.e. the Competition Commission in terms of the Competition Act 89 of 1998); 

12.1.3. South African Revenue Service, or another similar authority;

12.1.4. A contracted third party who requires this information to provide services; 

12.1.5. Third parties with whom Company has a contractual relationship for the retention of data (for example, a third party hosting services); 

12.1.6. Research/ academic institutions; 

12.1.7. Auditing and accounting bodies (internal and external); 

12.1.8. Anyone making a successful application for access in terms of PAIA. 

13. Planned Transborder Flows Of Personal Information

13.1. Company may transfer personal information to a third party who is in a foreign country in order to administer certain services, but may only do so subject to the provisions of POPIA. Thus internal cross-border transfers, as well as external cross-border transfers of information are envisaged, subject to the provisions of POPIA. 

14. Security Measures

14.1. Company takes extensive information security measures to ensure the confidentiality, integrity and availability of personal information in Company’s possession. Company takes appropriate technical and organizational measures designed to ensure that personal data remain confidential and secure against unauthorized or unlawful processing and against accidental loss, destruction or damage. 

15. Grounds for Refusal of Access to Records 

15.1. Company may refuse a request for information on the following basis:
15.1.1. Mandatory protection of the privacy of a third party who is a natural person, which would involve the unreasonable disclosure of personal information of that natural person; 

15.1.2. Mandatory protection of the commercial information of a third party, if the record contains: trade secrets of that third party; financial, commercial, scientific or technical information, the disclosure of which could likely cause harm to the financial or commercial interests of that third party; and information disclosed in confidence by a third party to Company, if the disclosure could put that third party at a disadvantage in negotiations or commercial competition.

15.1.3. Mandatory protection of confidential information of third parties if it is protected in terms of any agreement or legislation; 

15.1.4. Mandatory protection of the safety of individuals and the protection of property; 

15.1.5. Mandatory protection of records which would be regarded as privileged in legal proceedings; 

15.1.6. The commercial activities of Company, which may include: trade secrets of Company; financial information which, if disclosed, could put Company at a disadvantage in negotiations or commercial competition; a computer program which is owned by Company and which is protected by copyright.

15.1.7. Requests for information that are clearly frivolous or vexatious, or which involve an unreasonable diversion of resources shall be refused. 

16. Access procedure 

16.1. A requester is any person making a request for access to a record of, or held by, Company. The requester is entitled to request access to information, including information pertaining to third parties, but Company is not obliged to grant such access. Apart from the fact that access to a record can be refused based on the grounds set out in paragraph 15 above, in order to successfully access information the requester must fulfil the prerequisite requirements for access in terms of PAIA, including the payment of a request and access fee. 

17. Access Request Procedure 

17.1. A requester requiring access to information held by Company must complete the prescribed Access Request Form, available here: https://www.justice.gov.za/forms/paia/J752_paia_Form%20C.pdf, submit it to the Information Officer at the physical address or electronic mail address recorded in paragraph 4.5 and pay a request fee (and a deposit, if applicable). 

17.2. In order to facilitate a timely response to requests for access, all requesters should take note of the following when completing the Access Request Form:
17.2.1. The Access Request Form must be comprehensively completed. 

17.2.2. Proof of identity is required to authenticate the identity of the requester. Therefore, in addition to the access request form, requesters will be required to supply a copy of their identification document. 

17.2.3. Every applicable question must be answered. If a question does not apply “N/A” should be stated in response to that question. If there is nothing to disclose in reply to a particular question "Nil" should be stated in response to that question. 

17.2.4. The Access Request Form must be completed with enough particularity to enable the Information Officer to identify: The record(s) requested; The identity number of the requester; The form of access required if the request is granted; The postal address or fax number of the requester. 

17.3. The requester must also state that he or she requires the information in order to exercise or protect a right, and clearly state the nature of the right to be exercised or protected. In addition, the requester must clearly specify why the record is necessary to exercise or protect such a right. 

17.4. If a request is made on behalf of another person, then the requester must submit proof of the capacity in which the requester is making the request to the reasonable satisfaction of the Information Officer. 

17.5. If an individual is unable to complete the prescribed form because of illiteracy or disability, such a person may make the request orally. 

17.6. The requester will be informed in writing whether access has been granted or denied. If, in addition, the requester requires the reasons for the decision in any other manner, he must state the manner and the particulars so required. 

18. Payment Of Fees for Copies of the PAIA Manual 

18.1. A copy of the Manual is available-

18.1.1. on (specify the website), if any;

18.1.2. head office of the (name of the body) for public inspection during normal business hours;

18.1.3. to any person upon request and upon the payment of a reasonable prescribed fee; and 

18.1.4. to the Information Regulator upon request. 

18.2. A fee for a copy of the Manual, as contemplated in annexure B of the Regulations, shall be payable per each A4-size photocopy made. 

19. Third Party Notification 

19.1. Company must take all reasonable steps to inform a third party to whom or which a requested record relates if the disclosure of that record would –
19.1.1. involve the disclosure of personal information about that third party; 

19.1.2. involve the disclosure of trade secrets of that third party; financial, commercial, scientific or technical information (other than trade secrets) of that third party, the disclosure of which would be likely to cause harm to the commercial or financial interests of that third party; or information supplied in confidence by a third party, the disclosure of which could reasonably be expected to put that third party at a disadvantage in contractual or other negotiations; or to prejudice that third party in commercial competition; 

19.1.3. constitute an action for breach of a duty of confidence owed to a third party in terms of an agreement; or 

19.1.4. involve the disclosure of information about research being, or to be, carried out by or on behalf of a third party, the disclosure of which would be likely to expose the third party, a person that is or will be carrying out the research on behalf of the third party, or the subject matter of the research, to serious disadvantage. 

19.2. Company will inform the third party as soon as reasonably possible, but in any event, within 21 days after that request is received. 

19.3. Within 21 days of being informed of the request, the third party may-
19.3.1. make written or oral representations to the Information Officer why the request for access should be refused; or 

19.3.2. give written consent for the disclosure of the record to the requester. 

19.4. Company will notify the third party of the outcome of the request. If the request is granted, adequate reasons for granting the request will be given. 

19.5. The third party may lodge a complaint to the Information Regulator or an application with a court against the decision within 30 days after notice is given, after which the requester will be given access to the record after the expiry of the 30 day period. 

20. Notification of Decision 
20.1. The Information Officer will, within 30 days of receipt of the request, decide whether to grant or decline the request and give notice with reasons (if required) to that effect. 

20.2. The 30 day period, within which Company has to decide whether to grant or refuse the request, may be extended for a further period of not more than 30 days if the information cannot reasonably be obtained within the original 30 day period. For example, the time period may be extended if the request is for a large amount of information, or the request requires Company to search for information held at another office of Company. 

20.3. The Information Officer will notify the requester in writing should an extension be required. The requester may lodge a complaint to the Information Regulator or an application with a court against the extension. 

21. Remedies Available for Refusals for a Request for Information 

21.1. All complaints, by a requester or a third party, can be made to the Information Regulator or a court, in the manner prescribed below. 

21.2. The requester or third party, as the case may be, may submit a complaint in writing to the Information Regulator, within 180 days of the decision, alleging that the decision was not in compliance with the provisions of PAIA. 

21.3. The Information Regulator will investigate the complaint and reach a decision - which may include a decision to investigate, to take no further action or to refer the complaint to the Enforcement Committee established in terms of POPIA. The Information Regulator may serve an enforcement notice confirming, amending or setting aside the impugned decision, which must be accompanied by reasons. 

21.4. An application to court may be brought in the ordinary course. For purposes of PAIA, any reference to an application to court includes an application to a Magistrates’ Court.