PAIA Manual

The Promotion of Access to Information Act, 2 of 2000, gives effect to the constitutional right of access to any information held by private bodies that is required for the exercise or protection of any rights. The Act provides that a person requesting information must be given access to any record of a private body, if that record is required for the exercise or protection of a right. However, the right to access any information held by a private body may be limited to the extent that the limitations are reasonable and justifiable in an open and democratic society based on human dignity, equality and freedom as contemplated in Section 36 of the Constitution. This document informs requesters of procedural and other requirements which a request must meet as prescribed by the Act.

1. AVAILABILTY
   

   This document will be available on the Company’s website, providing customers, clients and other external stakeholders with direct access to the manual.

2. THIS PAIA MANUAL IS USEFUL FOR THE PUBLIC TO
   
   • To check the categories of records held by a body which are available without a person having to submit a formal PAIA request.
   • To have sufficient understanding of how to make a request for access to a record of the body, by providing a description of the subjects on which the body holds records, and the categories of records held on each subject.
   • To know the description of the records of the body which are available in accordance with any other legislation.
   • To access all the relevant contact details of the Information Officer and Deputy Information Officer who will assist the public with the records they intend to access.
   • To know the description of the guide on how to use PAIA, as updated by the Regulator and how to obtain access to it.
   • To know if the body will process personal information, the purpose of processing personal information and the description of the categories of data subjects and of the information or categories of information relating thereto.
   • To know the description of the categories of data subjects and of the information or categories of information relating thereto.
   • To know the recipients or categories of recipients to whom the personal information may be supplied.
   • To know if the body has planned to transfer or process personal information outside the Republic of South Africa and the recipients or categories of recipients to whom the personal information may be supplied.
   • To know whether the body has appropriate security measures to ensure confidentiality, integrity and availability of the personal information which is to be processed.

The Regulator has, in terms of section 10(1) of PAIA, as amended, updated and made available the revised Guide on how to use PAIA (“Guide”), in an easily comprehensible form and manner, as may reasonably be required by a person who wishes to exercise any right contemplated in PAIA and POPIA.

The Guide is available in each of the official languages and in braille.

The aforesaid Guide contains the description of:

• The objects of PAIA and POPIA
• The postal and street address, phone and electronic mail address of:
  The Information Officer of every Private Body
• Every Deputy Information Officer of every Private Body designated in terms of section 17(1) of PAIA¹ and section 56 of POPIA²

1. The Manner and Form of a Request
   

   The manner and form of a request for / to access to a record of a public body is contemplated in section 11³ and for access to a record of a private body is contemplated in section 50⁴. The assistance available can be from the IO of a public body in terms of PAIA and POPIA or the assistance available from the Regulator in terms of PAIA and POPIA.

   All remedies in law regarding an act or failure to act in respect of a right or duty conferred or imposed by PAIA and POPIA are available, including the manner of lodging –

   • An internal appeal
   • A complaint to the Regulator
   • An application with a court against a decision by the information officer of a public body, a decision on internal appeal or a decision by the Regulator or a decision of the head of a private body

   The requester must complete Form 2 and submit this form together with a request fee, to the Information Officer of the Private Body. The requester may request the party responsible to confirm whether they hold their personal information, free of charge, provided adequate proof of identity has been given.

   The form must be submitted to the Information Officer of the Private Body at his/her address, fax number or email address. If you are a member or client of NUMERAL XII under any of its product offerings, you may contact the call centre on 087 012 5291, to access your information

   The form must:

   Provide sufficient particulars to enable the Information Officer or Deputy Information Officer of the Private Body to identify the record (s) requested and to identify the requester.

   Indicate which form of access is required.

   Specify a postal address or fax number of the request in the Republic.

   Identify the right that the requester is seeking to exercise or protect.

   Provide an explanation of why the requested record is required for the exercise or protection of that right.

   Should the requester wish to be informed of the decision on the request in any other manner, he/she should state the manner and the necessary particulars on the form.

   If the request is made on behalf of another person, the proof of the capacity to which the requester is making the request must be submitted to the reasonable satisfaction of the Information Officer or Deputy Information Officer of the Private Body.

   The Information Officer or Deputy Information Officer of the Private Body must notify the requester of the prescribed fee (if any) before further processing the request.

   If the request is granted then a further access fee must be paid for the reproduction, the search, the preparation and for any time that has exceeded the prescribed hours to search and prepare the record of disclosure.

   If a requester cannot complete the prescribed form, an oral request may be made.

   
   
2. How to obtain access to the guide

   Members of the public can inspect or make copies of the Guide from the offices of the Private Body, from the Information Officers, during normal working hours.

   The guide can also be obtained from the Regulator’s website, during normal working hours:

   ACCESSING THE PAIA GUIDE
   Website	https://inforegulator.org.za/
   Contact Number	010 023 5200
   Email Address	enquiries@inforegulator.org.za

   A copy of the Guide is also available in the following two official languages, for public inspection during normal office hours:

   OFFICIAL LANGUAGES
   First Language	English
   Second Language	Afrikaans

¹ Section 17(1) of PAIA- For the purposes of PAIA, each public body must, subject to legislation governing the employment of personnel of the public body concerned, designate such number of persons as deputy information officers as are necessary to render the public body as accessible as reasonably possible for requesters of its records.

² Section 56(a) of POPIA- Each public and private body must make provision, in the manner prescribed in section 17 of the Promotion of Access to Information Act, with the necessary changes, for the designation of such a number of persons, if any, as deputy information officers as is necessary to perform the duties and responsibilities as set out in section 55(1) of POPIA.

³ Section 11(1) of PAIA- A requester must be given access to a record of a public body if that requester complies with all the procedural requirements in PAIA relating to a request for access to that record; and access to that record is not refused in terms of any ground for refusal contemplated in Chapter 4 of this Part.

⁴ Section 50(1) of PAIA- A requester must be given access to any record of a private body if-

1. that record is required for the exercise or protection of any rights;
2. that person complies with the procedural requirements in PAIA relating to a request for access to that record; and
3. access to that record is not refused in terms of any ground for refusal contemplated in Chapter 4 of this Part.

1. Purpose of Processing Personal Information

   We will collect the minimum required information from you, and we will process your personal information only for the purposes for which it was collected or as agreed with you. These purposes include (this list of processing purposes is non-exhaustive):

   To provide our advice, services, and products to you, to help you take out or maintain financial products and/or carry out the transactions you requested, as well as to maintain our contractual relationship.

   To conduct ITC Checks for the purpose of assessing your company’s or your personal creditworthiness.

   To assist you with queries relating to your financial product.

   To confirm and verify your identity or to verify that you are an authorised user for security purposes, where applicable.

   For audit and record keeping purposes.

   Maintain and update our customer, or potential customer database.

   To protect our rights in any litigation.

   To inform you about any changes to the Website, Privacy Notice or other changes which may be relevant to you.

   
   

2. Description of Data Subjects and their perspective categories including Information in Relation to those Data Subjects

   The categories of data subjects in respect of whom NUMERAL XII processes personal information and the nature or categories of the personal information being processed are summarized here below:

   Categories of Data Subjects	Personal Information that may be processed
   Customers / Clients	Name, address, registration numbers or identity numbers, employment status and bank details, email address, telephone numbers
   Service Providers	Names, registration number, vat numbers, address, trade secrets and bank details, email address, telephone numbers
   Employees	Address, qualifications, gender and race, identity numbers, email address, telephone numbers, car registration number, criminal record, financial record, bank account details

   
   

3. The Recipients or Categories of Recipients to whom the Personal Information may be supplied in relation to those Data Subjects

   The persons or category of people to whom NUMERAL XII may disseminate personal information is summarized here below:

   Category of personal information	Recipients or Categories of Recipients to whom the personal information may be supplied
   Identity number and names, for criminal checks	South African Police Services
   Qualifications for qualification verifications	South African Qualifications Authority
   Credit and payment history, for credit information	Credit Bureaus

   
   

4. The Following Company Records are confirmed as either Available on our Website or Available upon Request

   Category of records	Types of the Record	Available on Website	Available upon request
   Company Documents	MOI / Registration Documents		X
   Policies and Procedures	PAIA Manual	X
   Policies and Procedures	POPIA / Privacy Policy	X
   Policies and Procedures	Complaints Policy	X
   Marketing Records			X
   Auditing			X
   IT Related Records			X
   Financials			X
   Tax			X

   
   

5. The following Subjects and Categories of Records are held at the Physical Address of NUMERAL XII

   Subjects on which the body holds records	Categories of records
   Strategic Documents, Plans, Proposals	Annual Reports, Strategic Plan, Annual Performance Plan.
   Human Resources	HR policies and procedures Advertised posts Employees records Job applications, resumes, and employment history Training and development records Disciplinary and grievance records Leave and attendance records Compensation and benefits information
   Finance	Financial statements and reports Invoices, receipts, and payment records Tax records and returns. Budgets and financial planning documents Banking and transaction records Payroll records
   Operations	Operational policies, procedures, and Project documentation and reports Operational performance records Incident and accident reports Health and safety records

   Information is held solely for the purpose it was collected for and may be removed or updated by the data subject unless otherwise stated as a result of a legal obligation where provision to a public body must be honored by NUMERAL XII.

   Measures and agreements are in place to ensure that outsourced venders with provisional access to personal information have controls and infrastructure to continue to keep information provided, for the purpose of service rendering in a safe and secure manner.

6. Description of Data Subjects and their Respective Categories including Information in Relation to those Data Subjects

   The list below is not exhaustive:

   Categories of Data Subjects	Personal Information that may be processed
   Customers / Clients	Identity Data, which includes information concerning your name, username or similar identifier, marital status, title, date of birth, gender, race and legal status, as well as copies of your identity documents, photographs, identity number, registration number and qualifications.
   	Contact Data, which includes billing addresses, delivery addresses, email addresses and telephone numbers.
   	Financial Data, which includes bank account and payment card details, insurance information, and financial statements.
   	Transaction Data, which includes details about payments to and from you.
   	Service Data, which includes information concerning your interactions with NUMERAL XII.
   	Marketing and Communications Data, which includes your preferences in receiving marketing from and your communication preferences.
   Service Providers / third party with whom NUMERAL XII conducts its business services	Identity Data, which includes information concerning your name, username or similar identifier, marital status, title, date of birth, gender, race and legal status, as well as copies of your identity documents, photographs, identity number, registration number and qualifications.
   	Contact Data, which includes billing addresses, delivery addresses, email addresses and telephone numbers.
   	Financial Data, which includes bank account and payment card details, insurance information, and financial statements.
   	Transaction Data, which includes details about payments to and from you.
   	Service Data, which includes information concerning your interactions with NUMERAL XII.
   	Marketing and Communications Data, which includes your preferences in receiving marketing from and your communication preferences.
   Employees / personnel	Address, qualifications, gender and race, identity numbers, email address, telephone numbers, car registration number, criminal record, financial record, bank account details.
   	Identity Data, which includes information concerning your name, username or similar identifier, marital status, title, date of birth, gender, race and legal status, as well as copies of your identity documents, photographs, identity number, registration number and qualifications.
   	Contact Data, which includes billing addresses, delivery addresses, email addresses and telephone numbers.
   	Financial Data, which includes bank account and payment card details, insurance information, and financial statements.
   	Transaction Data, which includes details about payments to and from you.
   	Service Data, which includes information concerning your interactions with NUMERAL XII.
   	Marketing and Communications Data, which includes your preferences in receiving marketing from and your communication preferences.

   
   

7. Recipients to whom Personal Information will be supplied

   Depending on the nature of the data, NUMERAL XII may supply information or records to the following recipients:

   Statutory oversight bodies, regulators, judicial commissions of enquiry making a request for data.

   Any court of law, an administrative or judicial forum, arbitration, statutory commission, or ombudsman making a request for data or discovery in terms of the applicable rules (i.e., the Compensation Commission in terms of the Competition Act 89 of 1998).

   A Brokerage or Financial Adviser who requires this information to provide a service or product to the data subject.

   Third parties with whom NUMERAL XII has a contractual relationship for the retention of data (e.g., third-party archiving service).

   Auditing and accounting bodies (internal and external).

   Anyone making a successful application for access in terms of PAIA.

   
   

8. Planned Transborder Flows of Personal Information

   The Companies within the Group may, from time to time, transfer personal information across the borders of the Republic of South Africa. Such transfers will only take place where they are necessary for business operations, regulatory compliance, or where service providers or group companies are located in other jurisdictions.

   Personal information may be transferred to and/or accessed in the following jurisdictions where the Group has operations or related entities:

   • Namibia
   • Botswana
   • Zimbabwe
   • Mozambique
   • Zambia
   • Democratic Republic of Congo (DRC)
   • Mauritius
   • United Arab Emirates (UAE)

   All such transfers will be carried out in accordance with the requirements of the Protection of Personal Information Act, 4 of 2013 (“POPIA”), and, where applicable, the relevant data protection laws of the destination country. The Group ensures that adequate safeguards are implemented to protect the integrity, security, and confidentiality of personal information in the course of such transfers.

9. Grounds for Refusal of Access to Records

   The main grounds for NUMERAL XII refusing a request for information relate to:

   1.	Mandatory protection of privacy to a third party who is a natural person:
   	The Information Officer of the Private Body must refuse a request for access to a record if its disclosure would involve the unreasonable disclosure of personal information about a third party, including a deceased individual.
   	Trade secrets of a third party.
   	Financial, commercial, scientific, technical information of a third party, other than trade secrets, where the disclosure thereof would be likely to cause harm to the commercial or financial interests of that third party.
   	Information supplied to the third party in confidence, and if disclosed would place the third party at a disadvantage in contractual / other negotiations or prejudice the third party in commercial competition.
   2.	Mandatory protection of commercial information of a third party:
   	The Information Officer of the Private Body must refuse a request for access to a record if that record contains:
   	Mandatory protection of certain confidential information of a third party.
   	The Information Officer of a Private Body must refuse a request for access to a record if the disclosure of that record constitutes an action for breach of a duty of confidence owed to a third party in terms of an agreement.
   3.	Mandatory protection of safety of individuals, and protection of property:
   	The Information Officer of the Private Body must refuse a request for access to a record if its disclosure could reasonably be expected to endanger the life or physical safety of an individual.
   	The Information Officer of the Private Body should also refuse if the disclosure would be likely to prejudice or impair the security of NUMERAL XII, a licensed National Credit Provider (NCRCP10367)
   4.	Mandatory protection of records privileged from production in legal proceedings:
   	The Information Officer of the Private Body must refuse a request for access to a record if the record is privileged from production in legal proceedings unless the person entitled to the privilege has waived such privilege.
   5.	Mandatory protection of research information of a third party and protection of research information of a Private Body:
   	The Information Officer of the Private Body must refuse a request for access to a record if the record contains information about research being or to be carried out by or on behalf of a third party or a private body and the disclosure of which would be likely to expose:
   	The third party or the private body.
   	A person that is or will be carrying out the research on behalf of the third party.
   	The subject matter of the research, to serious disadvantage.

   
   

10. Available Solutions when LNDR Bbusiness Credit (Pty) Ltd Refuses a Requeste for Information

    NUMERAL XII will, within 30 days of receipt of a request, decide whether to grant or to decline that request and give notice with reasons.

    The 30 day period within which NUMERAL XII has to decide whether to grant or refuse the request, may be extended for a further period of not more than 30 days if the request is for a vast amount of information or the request requires the search for information to be held at another location and the information cannot be reasonably obtained within the original 30 day period.

    NUMERAL XII will notify the requester in writing should an extension be sought.

    When a requester is not satisfied with the decision made, for example, refusing access, imposing an access fee or extending the time period for when a response is due, he/she may lodge an application with a court against the decision made within 60 days of receiving the decision that caused the grievance.

Records are kept in accordance with legislation applicable to NUMERAL XII, which includes but is not limited to, the following –

Reference to the above-mentioned legislation shall include subsequent amendments and secondary legislation to such legislation.

A copy of the manual is available:

• On our website https://numeral.co.za/
• At our Head Office for public inspection during normal business hours.
• To any person upon request and upon payment of a reasonable prescribed fee.
• To the Information Regulator upon request.

A fee⁵ for a copy of the Manual, as contemplated in annexure B of the Regulations, shall be payable per each A4-size photocopy made. According to Part III of Regulation 187 published in the Government Gazette on the 15th of February 2002, the Information Officer of the Private Body will notify the requester in writing to pay the prescribed request fee, before processing the request.

If the request pertains to personal information, the requisite request fee will not be imposed. The fee for a copy of the manual as contemplated in Regulation 9 (2)(c) is R1,10 for every photocopy of an A4-size page or part thereof. To search for and prepare the record for disclosure, R30,00 for each hour or part of an hour reasonably required for such search and preparation.

For the purposes of Section 54(2) of the Act, the following applies:

• Six hours as the hours to be exceeded before a deposit is payable.
• One third of the access fee is payable as a deposit by the requester.
• The actual postage is payable when a copy of a record must be posted to a requester.
• Fees are subject to change.

A responsible party must maintain the documentation of all processing operations under its responsibility as referred to in section 14 or 51 of the Promotion of Access to Information Act.

⁵ See Annexure B

This manual has been drafted and implemented according to legislation. The manual will be reviewed and amended according to legislation. The head of NUMERAL XII will update this manual on a regular basis but no less than annually. Section 51(2) states that the head of a private body must on a regular basis update the manual referred to in subsection (1).

Section 51(3) states that the updated version thereof as referred to in subsection (2) must be made available –

1. on the web site, if any, of the private body;
2. at the principal place of business of the private body for public inspection during normal business hours;
3. to any person upon request and upon the payment of a reasonable amount; and
4. to the Information Regulator upon request.

As stated in Condition 7 of POPIA (Protection of Personal Information Act), organizations must implement robust information security measures to protect personal data, including security safeguards, processing limitations, and breach notification procedures, with the Information Regulator overseeing compliance. NUMERAL XII takes extensive security measures to ensure the confidentiality, integrity and availability of personal information in our possession.

At NUMERAL XII we have taken reasonable technical & organisational measures to implement, maintain, and prevent loss of, damage to, or unauthorized destruction of, or unlawful access to, personal information. NUMERAL XII takes appropriate technical and organisational measures designed to ensure that personal data remains confidential and secure against unauthorized or unlawful processing and against accidental loss, destruction or damage.

Measures we have undertaken include:

• Technical safeguards: Implementing measures like encryption, firewalls, and intrusion detection systems.
• Physical safeguards: Protecting physical access to data storage and processing facilities.
• Organizational safeguards: Establishing policies, procedures, and training programs to ensure compliance. We require the use of strong passwords, multi-factor authentication, and regularly updating security software.
• Data Inventory: Regularly conducting a data inventory to identify and document all the personal information your organization processes.

NUMERAL XII treats all personal information with the utmost confidentiality. Any personal information which comes to anyone in the organisation’s knowledge in the course of their duties and responsibilities, is handled appropriately during and after their employment.

As per Condition 5 of POPIA, NUMERAL XII has taken steps to ensure that personal information records are complete, accurate and up to date. All Data Subjects information which we possess is available to the respective Data Subjects, and all Data Subjects have the right to update and rectify their personal information.

Issued by
Neville Graham
Director/Information Officer