PAIA manual English

Prepared in terms of section 51 of the Promotion of Access to Information Act 2 of 2000 (as amended)

1. List of Acronyms and Abbreviations

1.1 “CEO” Chief Executive Officer;

1.2 “DIO” Deputy Information Officers;

1.3 “IO” Information Officer;

1.4 “Minister” Minister of Justice and Correctional Services;

1.5 “PAIA” Promotion of Access to Information Act No. 2 of 2000 (as Amended);

1.6 “POPIA” Protection of Personal Information Act No.4 of 2013;

1.7 “Regulator” Information Regulator; and

1.8 “Republic” Republic of South Africa.

2. Introduction

2.1 DMA is an authorised financial services provider in terms of the Financial Advisory & Intermediary Service Act 37 of 2002 and regulated by the Financial Sector Conduct Authority. As an authorized Financial Service Provider, with Financial Services Provider number 40983.

2.2 This manual has been prepared, as required by section 51 of PAIA, for the specific entity, being DMA. PAIA gives effect to the constitutional rights of access to any information held by a public or private body that is required for the exercise of the protection of any rights.

2.3. DMA is committed to ensuring that all business is conducted in accordance with good business practice and relevant legislation. In order to promote effective governance, it is necessary to ensure that all affected parties are educated and empowered to understand and access their rights in terms of PAIA, where applicable.

2.4 The objective of this PAIA Manual is to outline a suitable approach and response to requests to access information and the essential procedural requirements attached to such requests. This PAIA Manual should be read in conjunction with POPIA and DMA’s policies in respect of POPIA, where applicable.

3. Purpose of PAIA Manual

This PAIA Manual is useful for the public to –

3.1 check the categories of records held by a body which are available without a person having to submit a formal PAIA request;

3.2 have a sufficient understanding of how to make a request for access to a record of the body, by providing a description of the subjects on which the body holds records and the categories of records held on each subject;

3.3 know the description of the records of the body which are available in accordance with any other legislation;

3.4 access all the relevant contact details of the Information Officer and Deputy Information Officer who will assist the public with the records they intend to access;

3.5 know the description of the guide on how to use PAIA, as updated by the Regulator and how to obtain access to it;

3.6 know if the body will process personal information, the purpose of processing of personal information and the description of the categories of data subjects and of the information or categories of information relating thereto;

3.7 know the description of the categories of data subjects and of the information or categories of information relating thereto;

3.8 know the recipients or categories of recipients to whom the personal information may be supplied;

3.9 know if the body has planned to transfer or process personal information outside the Republic of South Africa and the recipients or categories of recipients to whom the personal information may be supplied; and

3.10 know whether the body has appropriate security measures to ensure the confidentiality, integrity and availability of the personal information which is to be processed.

4. Key Contact Details for access to information of DMA

4.1 . Chief Information Officer

Name: Peter Johnson

Tel: +27 10 201 6300

Email: peter.johnson@dma.co

4.2. Deputy Information Officers

Name: Muhammed Hoosein, Kyra Lynn Scully

Tel: +27 10 201 6300

Email: muhammed.hoosein@dma.co , kyra.scully@dma.co

4.3 Access to information general contacts

Email: compliance@dma.co

4.4 National Head Office

Postal Address: 48 7th Avenue, Parktown North, Johannesburg, Gauteng, South Africa, 2193

Physical Address: As above

Telephone: +27 10 201 6300

Email: compliance@dma.co

Website: www.dma.co

5. Guide on how to use PAIA and how to obtain access to the guide

5.1. The Regulator has, in terms of section 10 (1) of PAIA, as amended, updated and made available the revised Guide on how to use PAIA (“Guide”), in an easily comprehensible form and manner, as may reasonably be required by a person who wishes to exercise any right contemplated in PAIA and POPIA.

5.2. The Guide is available in each of the official languages and in braille.

5.3. The aforesaid Guide contains the description of –

5.3.1. the objects of PAIA and POPIA;

5.3.2. the postal and street address, phone number and, if available, electronic mail address of –

5.3.2.1. the Information Officer of every public body, and

5.3.2.2. every Deputy Information Officer of every public and private body designated in terms of section 17(1) of PAIA¹ and section 56 of POPIA^{2 ;}

5.3.3. the manner and form of a request for –

5.3.3.1. access to a record of a public body contemplated in section 11³ ; and

5.3.3.2. access to a record of a private body contemplated in section 50⁴ ;

5.3.4. the assistance available from the IO of a public body in terms of PAIA and
POPIA;

5.3.5. the assistance available from the Regulator in terms of PAIA and POPIA;

5.3.6. all remedies in law available regarding an act or failure to act in respect of a right or duty conferred or imposed by PAIA and POPIA, including the manner of lodging –

5.3.6.1. an internal appeal;

5.3.6.2. a complaint to the Regulator; and

5.3.6.3. an application with a court against a decision by the IO of a public body, a decision on internal appeal or a decision by the Regulator or a decision of the head of a private body;

5.3.7. the provisions of sections 14⁵ and 51⁶ requiring a public and private body, respectively, to compile a manual and how to obtain access to a manual;

5.3.8. the provisions of sections 15⁷ and 52⁸ providing for the voluntary disclosure of categories of records by a public and private body, respectively;

5.3.9. the notices issued in terms of sections 22⁹ and 54¹⁰ regarding fees to be paid in relation to requests for access; and

5.3.10. the regulations made in terms of section 92¹¹.

5.4. Members of the public can inspect or make copies of the Guide from the offices of the public and private bodies, including the office of the Regulator, during normal working hours.

5.5. The Guide can also be obtained –

5.5.1. upon request to the IO;

5.5.2. from the website of the Regulator (https://www.inforegulator.org.za/docs.html).

5.6 A copy of the Guide is also available in the following two official languages, for public inspection during normal office hours

5.6.1 English and Afrikaans

¹ Section 17(1) of PAIA- For the purposes of PAIA, each public body must, subject to legislation governing the employment of personnel of the public body concerned, designate such number of persons as deputy information officers as are necessary to render the public body as accessible as reasonably possible for requesters of its records.

² Section 56(a) of POPIA- Each public and private body must make provision, in the manner prescribed in section 17 of the Promotion of Access to Information Act, with the necessary changes, for the designation of such a number of persons, if any, as deputy information officers as is necessary to perform the duties and responsibilities as set out in section 55(1) of POPIA.

³ Section 11(1) of PAIA- A requester must be given access to a record of a public body if that requester complies with all the procedural requirements in PAIA relating to a request for access to that record; and access to that record is not refused in terms of any ground for refusal contemplated in Chapter 4 of this Part.

⁴ Section 50(1) of PAIA- A requester must be given access to any record of a private body if –

a) that record is required for the exercise or protection of any rights;
b) that person complies with the procedural requirements in PAIA relating to a request for access to that record; and
c) access to that record is not refused in terms of any ground for refusal contemplated in Chapter 4 of this Part.

⁵ Section 14(1) of PAIA- The information officer of a public body must, in at least three official languages, make available a manual containing information listed in paragraph 4 above.

⁶ Section 51(1) of PAIA- The head of a private body must make available a manual containing the description of the information listed in paragraph 4 above.

⁷ Section 15(1) of PAIA- The information officer of a public body, must make available in the prescribed manner a description of the categories of records of the public body that are automatically available without a person having to request access

⁸ Section 52(1) of PAIA- The head of a private body may, on a voluntary basis, make available in the prescribed manner a description of the categories of records of the private body that are automatically available without a person having to request access

⁹ Section 22(1) of PAIA- The information officer of a public body to whom a request for access is made, must by notice require the requester to pay the prescribed request fee (if any), before further processing the request.

10 Section 54(1) of PAIA- The head of a private body to whom a request for access is made must by notice require the requester to pay the prescribed request fee (if any), before further processing the request.

11 Section 92(1) of PAIA provides that –“The Minister may, by notice in the Gazette, make regulations regarding-

(a) any matter which is required or permitted by this Act to be prescribed;
(b) any matter relating to the fees contemplated in sections 22 and 54;
(c) any notice required by this Act;
(d) uniform criteria to be applied by the information officer of a public body when deciding which categories of records are to be made available in terms of section 15; and
(e) any administrative or procedural matter necessary to give effect to the provisions of this Act.”

6. Categories of records of DMA which are available without a person having to request access

6.1. The records reflected in the table below are available without a person having to formally request access.

‍

Category of Records	Types of the Record	Available on Website	Available upon Request
Company information	Complaints policy and procedure Conflicts of interest policy and register PAIA Manual Privacy notice/statement Terms and conditions	X	X
Company information	Other policies		X
Publications	Advertising Information documents Marketing material Newsletters Presentations Press releases Social media Videos Websites and content	X	X

‍

7. Description of the records of DMA which are available in accordance with any other legislation

7.1. The records reflected in the table below are available, in accordance with legislation.

Category of Records	Applicable Legislation
Company information	Company information Companies Act 71 of 2008
Collective investment schemes information	Collective Investment Schemes Control Act 45 of 2002
Communications information Information security and privacy policy Privacy notice/statement	Electronic Communications Act 36 of 2005 Electronic Communications and Transactions Act 25 of 2002 Regulation of Interception of Communications and Provision of Communication-related Information Act 70 of 2002
Competition information	Competition Act 89 of 1998
Copyright information	Copyright Act 98 of 1978
Credit information	Credit Rating Services Act 24 of 2012 National Credit Act 34 of 2005
Employment information	Basic Conditions of Employment Act 75 of 1997 Broad-Based Black Economic Empowerment Act 53 of 2003 Compensation for Occupational Injuries and Diseases Act 130 of 1993 Employment Equity Act 55 of 1998 Labour Relations Act 66 of 1995 Skills Development Act 97 of 1998 Unemployment Insurance Act 63 of 2001
Exchange control information	Currency and Exchanges Act 9 of 1933
Financial crime information	Financial Intelligence Centre Act 38 of 2001 Prevention and Combating of Corrupt Activities Act 12 of 2004 Prevention of Organised Crime Act 121 of 1998 Protection of Constitutional Democracy against Terrorist and Related Activities Act 33 of 2004
PAIA Manual Information security information	Promotion of Access to Information Act 2 of 2000 Protected Disclosures Act 26 of 2000 Protection of Personal Information Act 4 of 2013
Complaints management policy and procedure Financial services provider information	Financial Advisory and Intermediary Services Act 37 of 2002
Financial institutions information	Financial Institutions (Protection of Funds) Act 28 of 2001 Financial Sector Regulation Act 9 of 2017
Financial markets information	Financial Markets Act 19 of 2012
Health information	Council for Medical Schemes Levies Act 58 of 2000 Medical Schemes Act 131 of 1998 Occupational Health and Safety Act 85 of 1993 Tobacco Products Control Act 83 of 1993
Insurance information	Insurance Act 18 of 2017 Long-Term Insurance Act 52 of 1998 Short-Term Insurance Act 53 of 1998
Legal information	Interpretation Act 33 of 1957 Justices of the Peace and Commissioner of Oaths Act 16 of 1963 Legal Practice Act 28 of 2014 Promotion of Administrative Justice Act 3 of 2000 Small Claims Courts Act 61 of 1984
People information	Births and Deaths Registration Act 51 of 1992 Children’s Act 38 of 2005 Civil Union Act 17 of 2006 Consumer Protection Act 68 of 2008 Constitution of the Republic of South Africa (as amended) Maintenance Act 99 of 1998 Marriage Act 99 of 1998 Promotion of Equality and Prevention of Unfair Discrimination Act 4 of 2000
Retirement fund information	Friendly Societies Act 25 of 1956 Government Employees Pension Law (1996) Pension Funds Act 24 of 1956
Tax information	Employment Tax Incentive Act 26 of 2013 Income Tax Act 58 of 1962 Organisation for Economic Co-operation and Development (OECD) Common Reporting Standard for automatic exchange of financial account information (CRS) Securities Transfer Tax Act 25 of 2007 Securities Transfer Tax Administration Act 26 of 2007 Skills Development Levies Act 9 of 1999 Tax Administration Act 28 of 2011 Tax on Retirement Funds Act 38 of 1996 Unemployment Insurance Contributions Act 4 of 2002 United States Foreign Account Tax Compliance Act (FATCA) Value Added Tax Act 89 of 1991
Trust property information	Trust Property Control Act 57 of 1988

8. Description of the subjects on which the body holds records and categories of records held on each subject by DMA

8.1. The records reflected in the table below may be formally requested, in terms of the PAIA, but parts, or the whole, of the record may be subject to the grounds for refusal of access to records. Refer to the Guide on how to use the PAIA.

8.2. DMA reserves the right to refuse access to records if the processing of the record will substantially and unreasonably result in a diversion of its resources.

8.3. DMA reserves the right to refuse access to records that relate to the mandatory protection of:

8.3.1. privacy of a third party, who is a natural person, which would involve the unreasonable disclosure of personal information of that natural person;

8.3.2. commercial information of a third party, if the record contains trade secrets of the third party; financial, commercial or technical, information, which disclosure may cause harm to the financial or commercial, interests of the third party; and information disclosed in confidence by a third party to DMA, if the disclosure may place the third party at a disadvantage;

8.3.3. confidential information of a third party, if it is protected in terms of an agreement, or legislation;

8.3.4. safety of natural persons and the protection of property;

8.3.5. records that are regarded as privileged, in legal proceedings;

8.3.6. records that are personal information, in terms of the POPIA; and

8.3.7. commercial activities of DMA, including, but not limited to, trade secrets, financial, commercial, or technical, information and software platforms, or programmes, exclusively developed for DMA.

8.4. DMA will refuse access if the requests are frivolous and/or vexatious.

8.5. The IO or DIO may grant access to a record if disclosing the record would reveal evidence of a material contravention of, or failure to comply with, any law, and the public interest in disclosing the record outweighs the harm contemplated in the relevant grounds for refusal of access to records.

‍

Subjects on which the body holds records	Categories of records
Company information	Incorporation documents Memorandum of incorporation Minutes Resolutions Records of subsidiary companies Registers of directors and officers Share registers and other statutory registers Statutory returns to relevant authorities Other statutory obligations Policies and procedures Records relating to appointment of directors, auditors, company secretary, public officer, and other officers
Accounting and finance records	Accounting (including books of account) Administration Annual financial statements Asset registers Audit reports Banking Budgets Intellectual property Invoices and credit notes Lease agreements Rental agreements Sale agreements Supporting schedules, and documents, to books of account
Tax records	Dividends withholding tax Income tax Pay As You Earn (PAYE) Skills Development Levies (SDL) Unemployment Insurance Fund (UIF) levies Workmen’s compensation Value Added Tax (VAT)
Legal records	Documents relating to litigation and/or arbitration General agreements and contracts Licenses, permits, and authorisations Regulator correspondence
Insurance records	Claims Details of insurance cover, limits, and insurers Insurance policies
Employee records	Arbitration awards Attendance registers Casual employees CCMA proceedings Code of conduct Income tax (PAYE/SDL/UIF) submissions for employees Confidentiality agreements Disciplinary proceedings and internal evaluations Employee personal details Employment conditions and policies Employment contracts Employment equity plan Internal correspondence Internal policies, and procedures Leave Operating manuals Other agreements/contracts Other interventions Medical aid Documents provided by employees Strikes, lockouts, or protest, action Remuneration and benefits Restraint of trade agreements Retirement funds Service Share option schemes registers Share option schemes rules Share purchase scheme register Share purchase scheme rules Training schedules and material Verification reports (credit, criminal, employment, FAIS, identity, qualification)
Client records	Client agreements/contracts and forms Complaints and/or queries Client documents, and information Proposals Transactions and supporting information Verification reports
Service supplier and third	Code of conduct Conflicts of interest Requests for information Service supplier and/or third party agreements/contracts (including service level agreements) Tenders Terms and conditions for dealing with suppliers Transactions and supporting information
Information technology	Asset issuing and custodian information Back-ups Disaster recovery testing Incidents and service requests Information and communication technologies (ICT) policies and procedures Network maintenance Operations reports Service level agreements System event logs System performance logs System maintenance checklists System development lifecycle documents
Publications	Advertising Information documents Marketing material Newsletters Presentations Press releases Social media Videos Websites and content

9. Processing of personal information

9.1 Purpose of Processing Personal Information
DMA processes the personal information of data subjects in the following ways:

9.1.1 Executing and/or fulfilling its statutory obligations in terms of the PAIA and/or the POPIA;

9.1.2 Executing and/or fulfilling its statutory obligations in terms of other applicable legislation;

9.1.3 Executing and/or fulfilling its contractual obligations;

9.1.4 Administering employees and potential employees;

9.1.5 Keeping accounts and records;

9.1.6 Procurement processes; and

9.1.7 Visitors to the Company’s business premises.

9.2 Description of the categories of Data Subjects and of the information or categories of information relating thereto
DMA may process information for itself, shareholders (and those of clients), employees (and those of clients), clients (and those of clients), service suppliers (and those of clients) and product suppliers (and those of clients).

Categories of Data Subjects	Personal Information that may be processed
Clients (and those of clients)	Full names; contact details (contact numbers; fax numbers; email addresses); physical addresses; postal addresses; unique identifier; identity/registration numbers; confidential correspondence; tax related information; company information; information required in terms of the FAIS Act and the FICA (and other relevant legislation)
Service suppliers and product suppliers (and those of clients)	Full names of contact persons; registered, and trade, names of entities; full names of directors and shareholders, physical addresses; postal addresses; contact details (contact numbers, fax numbers, email addresses); financial information; identity/passport/registration numbers; founding documents; tax related information; authorised signatories’ information; broad-based black economic empowerment (B-BBEE) status; associated entities; business strategies; information required in terms of the FAIS Act and the FICA (and other relevant information)
Employees/Key individuals/Representatives (and those of clients)	Gender; pregnancy; marital status; race; age; language; education information (qualifications); financial information; employment history; identity/passport/registration numbers; physical addresses; postal addresses; contact details (contact numbers; fax numbers; email addresses); credit record; FAIS related information; criminal record; well-being and family members; medical; nationality; ethnic and/or social origin; physical and/or mental health; disability; biometric information; professional affiliation; references; CVs/resumes; information required in terms of the FAIS Act and the FICA (and other relevant legislation)

‍

9.3 The recipients or categories of recipients to whom the personal information may be supplied

9.3.1 DMA may supply the personal information of data subjects to service suppliers, who provide the following services:

9.3.1.1 Administration (for example, clients, investments, medical aids, retirement funds);

9.3.1.2 Accounting and/or auditing;

9.3.1.3 Capturing and organising personal information;

9.3.1.4 Compliance;

9.3.1.5 Due diligence reviews;

9.3.1.6 Information and communication technologies (ICT);

9.3.1.7 Storing of personal information; and

9.3.1.8 Verification checks (for example, credit (and payment history), criminal, employment history, FAIS related, financial sanctions, identity, qualifications, terrorism).

9.3.2 DMA may supply the personal information of data subjects to:

9.3.2.1 Courts, in terms of matters taken on judicial review;

9.3.2.2 Enforcement agencies, for criminal investigation (for example, National Prosecuting Authority, South African Police Service);

9.3.2.3 People against whom complaints have been lodged; and/or

9.3.2.4 Regulators, ombuds, or tribunals, in terms of matters that fall under their jurisdiction.

Category of personal information	Recipients or Categories of Recipients to whom the personal information may be supplied
Identity/passport/registration numbers, dates of birth, dates of incorporation, names	Companies and Intellectual Property Commission, Department of Home Affairs, Financial Intelligence Centre, South African Police Services, United Nations, and verification providers
Qualifications	South African Qualifications Authority and verification providers
Credit, and payment history	Credit Bureaus and verification providers
Tax information	South African Revenue Service

9.4 Planned transborder flows of personal information

9.4.1 DMA has not planned transborder flows of personal information however does store information within a cloud environment which is GDPR (General Data Protection Regulation) compliant. The GDPR is a regulation in European (EU) law on data protection and privacy in the European Union and the European Economic Area.

9.4.2 If it becomes necessary to transfer personal information to another country for a lawful purpose outside South Africa or the EU (in terms of DMA’s cloud storage), DMA will ensure that the person (both legal and natural) to whom the personal information will be transferred is subject to a law, binding
company rules, and/or binding agreements, which provide a suitable level of protection, and the third party agrees to treat the personal information with the same level of protection as DMA is required to provide, in terms of the POPIA.

9.4.3 The cross-border transfer of personal information will be done with the data subject’s consent; however, if it is not reasonably practicable to obtain the data subject’s consent, DMA will transfer the personal information if it will be for the data subject’s benefit and the data subject would have provided consent if it had been reasonably practicable to obtain the consent.

9.5 General description of Information Security Measures to be implemented by the responsible party to ensure the confidentiality, integrity and availability of the information

9.5.1 DMA has established and maintains, suitable technical and operational, measures to prevent loss of damage to, or unauthorised destruction of, personal information and unlawful access to, or processing of, personal information.

9.5.2 The suitable measures that DMA has taken includes, but is not limited to:

9.5.2.1 Access control;

9.5.2.2 Agreements with operators to ensure that they implement and maintain suitable security controls;

9.5.2.3 Anti-virus software;

9.5.2.4 Anti-malware software;

9.5.2.5 Awareness and vigilance of users;

9.5.2.6 Data back-ups;

9.5.2.7 Data encryption; and/or

9.5.2.8 Defensive measures.

9.5.3 The suitable measures are in place to ensure that DMA:

9.5.3.1 Identifies the risks (both internal and external) to the personal information that is in its possession and/or under its control;

9.5.3.2 Establishes and maintains suitable safeguards against the risks identified;

9.5.3.3 Regularly verifies that the safeguards are effectively implemented; and

9.5.3.4 Updates the safeguards when new risks are identified and when existing safeguards are found to be deficient.

10. Availability of the manual

10.1 A copy of the Manual is available

on www.dma.co/en-za/legal , if any;
head office of the SCM DMA (Pty) Ltd for public inspection during normal business hours;
to any person upon request and upon the payment of a reasonable prescribed fee; and
to the Information Regulator upon request.

10.2 A fee for a copy of the Manual, as contemplated in annexure B of the Regulations (as may be amended from time to time), shall be payable per each A4-size photocopy made.

11. Updating of the manual

The head of SCM DMA (Pty) Ltd will on a regular basis review this manual and update it where/if required.

‍