Over the past week, ENS has been inundated with urgent requests for advice after receiving, or becoming aware of, the Information Regulator's latest "Notice of Non-Compliance with Regulation 7.1 of the Regulations Relating to the Promotion of Access to Information, 2021" dated 28 August 2025. Because the notice is addressed "TO: ALL INFORMATION OFFICERS, HEADS OF PRIVATE BODIES AND DEPUTY INFORMATION OFFICERS," it is not aimed at any single organisation; rather, it serves as a sector-wide warning that the Regulator's tolerance for procedural defects under the Promotion of Access to Information Act 2 of 2000 ("PAIA") has run its course.
Below we unpack the notice, explain why the Regulator's position matters, and outline practical steps that public and private bodies should be taking – with our assistance where required – to bring their PAIA manuals and related documentation into full alignment with PAIA, the Protection of Personal Information Act 4 of 2013 ("POPIA") and the 2021 Regulations.
The core message: Use Form 2 – or face non-compliance
The Regulator has confirmed that it continues to encounter frequent use of the repealed "Form A" when requesters seek access to information. Regulation 7.1 of the 2021 Regulations is unequivocal: a PAIA request "must be made on a form that corresponds substantially with Form 2 of Annexure A to the Regulations." Failure to furnish or accept the correct form constitutes non-compliance, which in turn:
- frustrates the constitutional right of access to information;
- hampers the Regulator's ability to investigate PAIA complaints under s 77C; and
- exposes the non-compliant body (and its Information Officer personally) to enforcement proceedings, civil liability and, in serious cases, criminal sanction.
The upshot is simple: every information officer should immediately ensure that outdated Form A is purged from internal and public-facing systems and replaced with Form 2.
Heightened regulatory scrutiny: Active PAIA inspections are underway
The notice underscores the Regulator's power, in terms of s 77H, to initiate own-motion compliance assessments and site inspections. In our own practice, we have already seen an uptick in:
- questionnaires requesting copies of PAIA and POPIA policies;
- spot-checks of PAIA manuals published on company websites; and
- formal inspection visits where officials request sample request files, refusal letters and records of decision-making.
In short, the Regulator is no longer confining itself to reactive complaint handling; proactive audits are rapidly becoming the norm.
Broader compliance implications
While the focal point of the notice is Form 2, the underlying message is broader: the Regulator expects holistic compliance with the entire PAIA/POPIA ecosystem. Deficiencies we are seeing flagged during inspections include:
- PAIA manuals that have not been updated to reflect POPIA's
commencement or the 2021 Regulations;
" incomplete section 17 records of requests granted/refused;
" failure to publish an internal process for handling data subject access requests under POPIA; and
" outdated contact details for Information Officers or Deputy Information Officers.
Each of these gaps, individually or cumulatively, can attract remedial directives, compliance notices or administrative fines.
Practical next steps for Information Officers
- Audit Existing Documentation – Verify that the published PAIA manual, access to information policy, and privacy notice are internally consistent and incorporate Form 2.
- Update Internal Workflows – Ensure help-desk staff, reception personnel and in-house legal teams know where to locate the correct form and how to process it within the statutory timeframes.
- Train Key Stakeholders – Conduct refresher sessions for executives and records managers on PAIA refusal grounds, POPIA's conditions for lawful processing and cross-border disclosures.
- Maintain Evidence of Compliance – Keep audit trails showing the date on which the PAIA manual was last reviewed and publicised, as the Regulator routinely asks for this during inspections.
How we can help
Our Privacy Team supports organisations in managing PAIA, POPIA and the 2021 Regulations. We routinely assist with:
- Reviewing and redrafting PAIA manuals for legal and practical compliance;
- Aligning PAIA processes with POPIA to streamline operations;
- Developing bespoke standard-operating-procedures for handling Form 2 requests, extensions and internal appeals; and
- Conducting internal audits to prepare for regulatory inspections.
Conclusion
The Information Regulator's August 2025 notice is a clear signal that formalism matters: something as seemingly minor as the wrong request form can trigger a finding of non-compliance. For information officers, the path forward involves swift remedial action, vigilant document maintenance and a seamless integration of PAIA and POPIA obligations.
If you are responding to a compliance questionnaire or would like to strengthen your readiness, early action is vital to avoid last minute pressure. Get in touch with the team below.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
