Most South African business owners have heard of POPIA. Far fewer know about PAIA — and the annual reporting deadline that comes with it every year.
The 2025/2026 PAIA annual report submission window opens 1 April 2026 and closes 30 June 2026. The Information Regulator has made it clear that no extensions will be granted. Every registered company, close corporation, and private body in South Africa is expected to submit — including businesses that received zero information requests during the year.
If this is the first time you've heard of a PAIA annual report, you are not alone. This article explains what it is, who must submit, what the process involves, and what happens if you miss it.
What PAIA actually is — in plain language
PAIA stands for the Promotion of Access to Information Act 2 of 2000. It is a constitutional right given legal form: the right of any person in South Africa to request access to records held by a government body or a private company, where those records are needed to exercise or protect a right.
In practice this means that if a customer, employee, supplier, or member of the public believes your business holds records that affect their rights — personal information, a contract, a decision that affected them — they can formally request access to those records. Your business must respond within a prescribed timeframe.
PAIA is not the same as POPIA. PAIA is about how your company shares information when it's requested. POPIA is about how your company protects personal information in general. Both are enforced by the same body — the Information Regulator of South Africa.
What the PAIA annual report is
The PAIA Annual Report is a mandatory report submitted to the Information Regulator of South Africa by both public and private bodies, detailing requests for access to information received and how they were handled.
The report covers the financial period from 1 April to 31 March each year. The 2025/2026 report covers 1 April 2025 to 31 March 2026 and must be submitted by 30 June 2026.
For most South African SMEs, the report is straightforward. If your business did not receive any formal requests for information during the reporting period, you are still legally required to submit your PAIA Annual Report. Your report will simply reflect that zero requests were received, but it still needs to be submitted to the Information Regulator before the deadline.
The information you need to report includes:
- Total number of information requests received
- How many were granted in full, partially, or refused
- The grounds relied on for any refusals
- Whether any prescribed response timeframes were extended
- The number of internal appeals lodged, if any
- Any complaints received by the Information Regulator about your organisation
For a business that has never received a formal PAIA request — which describes the vast majority of South African SMEs — every field is zero. The report takes under 30 minutes to complete.
Is submission actually compulsory for private companies?
Here the law has a nuance worth understanding.
According to section 83(4) of PAIA, the Regulator can request the heads of private bodies to submit reports about requests for access to records. The word “may” in the legislation has led some legal commentators to question whether private bodies are strictly compelled.
However — and this is the practical reality — the Regulator has confirmed that all private bodies are required to submit a PAIA report and this is not a voluntary exercise. The distinction between legal technicality and regulatory expectation matters here. Previously, certain smaller private entities were exempt, but that exemption ended on 31 December 2021. Since then, all private bodies — regardless of size or sector — must comply fully with PAIA.
The practical position for any registered South African company: submit. The administrative cost is minimal. The risk of non-submission — a compliance assessment triggered by the Regulator — is not.
Who is responsible for submitting
Every public and private body in South Africa is required by law to appoint an Information Officer. For most small businesses, the business owner or managing director automatically becomes the Information Officer — but you must still register this appointment with the Information Regulator before you can submit your PAIA report.
You will not be able to submit your annual report unless your Information Officer, Head of Private Body, or Deputy Information Officers are registered with the Regulator. This registration step must be completed first if it hasn't been done already.
If you registered with the Information Regulator for your POPIA Section 69 notification, check whether your Information Officer registration on the eServices portal is current and linked to your organisation's PAIA reporting. These are separate but related registrations.
How to submit your PAIA annual report — step by step
Step 1: Register your Information Officer
Go to eservices.inforegulator.org.za. If you have not yet registered your Information Officer with the Regulator, do this first. The registration is free. You will need your company registration number and the Information Officer's ID number.
Step 2: Log in during the submission window
The submission window opens 1 April 2026 and closes 30 June 2026. Log in to your eServices account during this window. In collaboration with CIPC, private bodies may also submit via bizportal.gov.za.
Step 3: Complete the Section 83(4) report form
Select the annual report submission option and complete the form for the 2025/2026 financial period (1 April 2025 to 31 March 2026). For most SMEs, all fields will reflect zero requests received.
Do not leave fields blank — enter zero where applicable rather than leaving them empty. The Regulator may issue an information notice to organisations that provide incomplete submissions.
Step 4: Submit and save your confirmation
Once submitted, the Information Officer will receive a confirmation email. Save this confirmation — it is your proof of compliance.
The full process takes under 30 minutes for a business with no information requests.
What PAIA compliance also requires beyond the annual report
The annual report is the most time-sensitive PAIA obligation, but it is not the only one. Full PAIA compliance for a private body requires three things:
A PAIA Manual (Section 51 Manual). This document outlines how your organisation will give access to its records. It includes the types of records available, how to request access, and the contact details of the Information Officer. The manual must be made available to anyone who requests it, free of charge, and should be published on your website.
A registered Information Officer. You cannot submit your annual report without this registration in place.
A process for responding to access requests. If someone submits a formal PAIA request to your business, you must respond within 30 days. You need a named person responsible for receiving and processing requests, and a basic internal procedure for handling them.
What happens if you don't submit
The consequences of missing the 30 June deadline are real, even if the enforcement timeline is not always immediate.
A failure to submit may result in the Regulator conducting an own-initiative PAIA assessment. This assessment includes a physical inspection and a review of documents relating to your organisation's compliance with PAIA. The consequences of non-compliance can include enforcement proceedings.
There is also a compounding risk. Missing this submission, or failing to have a PAIA manual in place, or not registering an Information Officer, could flag your organisation for POPIA non-compliance. This opens the door to penalties, investigations, and reputational damage. If you don't submit, it may signal to the Regulator that your business is not compliant with POPIA either — especially if you haven't registered an Information Officer.
For a compliance company, a law firm, an accounting practice, or any business that holds sensitive client information, this reputational dimension matters as much as the regulatory one.