PAIA Manual

Copyright © 2025, Studietrust (Registration no.: IT 3895/11(T)). All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without the express written permission of Studietrust.

Document enquiries can be directed to:

• The Information Officer
• 10 CLamart Road, Richmond 2092 South Africa
• Tel: +27 11 403 1632
• www.studytrust.org.za

The undersigned, being duly authorized, hereby authorize the execution of the work detailed herein. By their signatures, they confirm their acceptance of the contents and authorize the implementation or adoption thereof, as applicable, on behalf of the parties they represent.

National Director: Dr HM Hofmeyr   Date: 18 June 2025

2025 

1. Introduction to PAIA
2. Functions of StudyTrust
3. Structure of the Organisation
4. Contact Details
5. Guide on How to Use PAIA (Section 10 Guide)
6. Records That Are Automatically Available Without a PAIA Request
7. Records Held That Are Not Automatically Available and Require a PAIA Request
8. Grounds for Refusal
9. Prescribed Fees for Accessing Records
10. How to Make a Request for Access to Information
11. Introduction to POPIA
11.1 Categories of Personal Information Processed
11.2 Purpose of Processing Personal Information
11.3 Information Sharing (Recipients of Personal Information)
11.4 Transborder Transfers
11.5 Data Security Measures
11.6 Data Subject Rights
11.7 How to Submit a Data Subject Request for Access to Personal Information (Data Subject Access Request)
11.8 Objections to Processing
11.9 Requests for Correction or Deletion
11.10 Complaint Process
12. Data Breach Response Plan
13. Compliance Checks and Audits
14. Training and Awareness
15. Reporting and Documentation
16. Annual Report Submission
   Annex A: Abbreviations and Definitions
   Annex B: Prescribed Fees
   Annex C: Prescribed Forms
      Form C: Request for Access to a Record
      Form 1: Objection to the processing of personal
      Form 2: Request for correction or deletion of personal information
      Form 5: Complaint regarding interference with the protection of personal information / complaint regarding determination of an adjudicator

This Manual is compiled in compliance with Section 14 of the Promotion of Access to Information Act 2 of 2000 (“PAIA”) and the Protection of Personal Information Act 4 of 2013 (“POPIA”). PAIA provides individuals with the right to access information held by public and private bodies when such information is needed for the exercise or protection of any of their rights or another person’s rights. If such a request is made, StudyTrust must release the information unless PAIA or other relevant law states otherwise.

This Manual aims to inform and guide requesters through the procedural and other requirements for making a PAIA request. StudyTrust is committed to its data privacy obligations and will be receptive to any queries or requests related to personal information.

Studietrust, trading as StudyTrust, was established on 13 June 1974. It is legally constituted as:

• A Trust in terms of Section 6(1) of the Trust Property Control Act 57 of 1988 (Trust number: IT3895/11(T)).
• A Nonprofit Organisation in terms of Act 71 of 1997 (NGO number: 000-601 NGO).
• An Educational Fund in terms of Section 18A of the Income Tax Act No. 58 of 1962 (PBO number: 130000990).
• Registered with the Information Regulator (South Africa) initially with Registration Number: 8973/2021-2022/IRRTT and re-registered with number 2024-038490.

StudyTrust envisions a South Africa where potential finds opportunity. Its core services are clustered into:

• Bursary Management and Administration: Administering bursaries and scholarships to deserving students.
• Student Mentorship: Providing mentoring and support to students to help them succeed academically and personally.
• Talent Development: Facilitating the development of students’ skills and potential through various programs and workshops.

The object and functions of StudyTrust are to help young people access tertiary education, acquire professional skills, and gain meaningful employment.

StudyTrust is governed by a Board of Trustees, which appoints the National Director as the Executive Officer and Accounting Authority. The organisation operates as a Level 1 QSE B-BBEE Contributor. StudyTrust is a registered Trust and is not owned; its beneficiaries (bursary recipients) are its prime focus. More detailed information on services and structure is available on the StudyTrust website.

Please direct any PAIA or POPIA enquiries to our Information Officer or our Deputy Information Officer at the following addresses. The Information Officer is responsible for overseeing compliance with POPIA, monitoring data protection activities, and serving as a point of contact for data subjects and the Information Regulator.

Information Officer: Dr HM Hofmeyr (National Director)

• Postal and Physical Address: 10 Clamart Road, Richmond 2092, South Africa
• Telephone number: (+27) 011 403 -1632 x 220
• E-mail Address: m.hofmeyr@studytrust.org.za

Deputy Information Officer: Rev DC Lourens (Manager Operations)

• Postal and Physical Address: 10 Clamart Road, Richmond 2092, South Africa
• Telephone number: (+27) 011 403 -1632 x 207
• E-mail Address: d.lourens@studytrust.org.za

The Information Regulator is responsible for updating and making available a comprehensive Guide on how to use PAIA, as contemplated in Section 10(1) of PAIA. This Guide provides information needed by any person wishing to exercise their rights under PAIA and POPIA.

The Guide is available in an easily comprehensible form and manner, in three official languages (Afrikaans, English, and Zulu). It includes:

• The objects of PAIA and POPIA.
• Contact details for Information Officers and Deputy Information Officers of public and private bodies.
• The manner and form for requesting access to records of both public and private bodies.
• Information on assistance available from Information Officers and the Regulator.
• All available legal remedies concerning rights or duties under PAIA and POPIA, including how to lodge an internal appeal, a complaint to the Regulator, or an application to a court.
• Provisions for compiling and accessing manuals, as required by sections 14 and 51 of PAIA.
• Provisions for voluntary disclosure of categories of records (sections 15 and 52 of PAIA).
• Notices on fees payable for access requests (sections 22 and 54 of PAIA).
• Regulations made under section 92 of PAIA.

To obtain a copy of the Guide, you can:

• Inspect or make copies from the offices of the Information Regulator during normal working hours.
• Request it from the Information Regulator, by completing Form 1.
• Access it from the Information Regulator’s website: https://inforegulator.org.za.

Information Regulator Contact Details:

• Address: Woodmead North Office Park, 54 Maxwell Drive, Woodmead, 2191.
• Tel: : +27 80 001 7160 (Toll free).
• Email: inforeg@justice.gov.za, or PAIACompliance@infoRegulator.org.za for compliance matters / PAIAComplaints@infoRegulator.org.za for complaints.

StudyTrust also ensures that a copy of the PAIA Guide, in at least two (2) official languages, is made available at its registered head office for public inspection during normal office hours, as per PAIA Regulation 3(1).

All records or information available on StudyTrust’s website at https://studytrust.org.za, including all records in booklets and pamphlets produced by StudyTrust for public consumption, are automatically available and voluntarily disclosed. This information is available for viewing, downloading, or access without you having to make a PAIA request.

Examples of automatically available records include:

• Bursary application forms
• Annual reports
• Newsletters and other publications
• Policy summaries
• Programme brochures
• Information about StudyTrust’s programmes, services, and contact details.

The notice of these categories of automatically available records is made available on the website, at the registered head office for inspection during normal office hours and uploaded on the Regulator eServices portal as prescribed.

If records are not automatically available, a formal PAIA request will be required. The following subjects describe categories of records held by StudyTrust that are not automatically available:

• Governance: Board minutes, strategic plans, corporate planning documentation, delegation of authority, and declaration of interests.
• Legal & Compliance: Matters pertaining to StudyTrust legislation, Service Level Agreements (SLAs), Business Agreements with funders and service providers, policies, and declarations.
• Human Resources: Human resources policies manual, personnel information (including personal information, employment history, health records), training and development information, general files on employee benefits and recruitment/selection.
• Finance: Financial records, financial statements, audit reports, budgets, list of creditors and debtors, salary information, bank account information, fixed assets register.
• IT & Security: Hardware inventory, passwords policy, usage statistics, equipment details, costing of hardware and software, information on the management of StudyTrust’s operational risks, insurances, and physical security information.
• Projects: Partner and funder records, building plans, and information related to projects conducted.
• Communications (Marketing): Media releases, donor publications, StudyTrust’s brochures and publications, documents relating to Public Relations events, and StudyTrust’s media releases.
• Company Documents: Organisation Secretarial Records.
• Support Services: Delivery and collection sheets, and list of suppliers.
• Student Records: Bursary applications, academic progress reports, and mentoring records.

Access to records may be denied in certain circumstances as stipulated by PAIA. These grounds for refusal balance the right of access with other rights in the Bill of Rights. Access may be denied if disclosure:

• Invades the privacy of individuals (e.g., records containing personal information about a third party).
• Endangers public safety.
• Breaches contractual confidentiality.
• Infringes intellectual property rights (e.g., commercial or research information of a third party, or private body).
• Relates to privileged legal communications.
• Would reveal evidence of a substantial contravention of, or failure to comply with the law, where the public interest in disclosure does not clearly outweigh the harm.
• Is clearly frivolous or vexatious.
• Would result in a substantial and unreasonable diversion of StudyTrust’s resources.

All requests should be submitted to StudyTrust’s Information Officer on the prescribed Form C. Form C is attached to this Manual (see Annexures).

To ensure the correct record is provided, the requester must:

• Provide enough detail on the request form to identify the requester and the record needed.
• Indicate the preferred form of access (e.g., hardcopy, electronic format) and any additional contact methods (e.g., telephone).
• List the right that the requester wants to exercise or protect and provide an explanation of why the requested record is required for that purpose.
• If making a request on behalf of another person, submit proof of the capacity in which the request is made.

The Information Officer will decide on the request within thirty (30) days of receipt. The requester will be notified whether the request has been rejected or accepted. The requester will also be advised on:

• The access fee to be paid.
• The format in which access will be given.
• The fact that a complaint may be lodged with the Information Regulator or an appeal with the High Court against the access fee charged or the format in which access is granted.

If the request is refused, the Information Officer will provide written reasons. The requester may lodge a complaint with the Information Regulator and an appeal with the High Court against the refusal. Failure to respond within thirty (30) days is deemed a refusal. An extension may be requested for a large number of records, or if the search is not at the head office, or with the requester’s consent.

All payments must be made to:

• Account name: Studietrust
• Bank: ABSA Bank
• Branch Name: Commercial Premium Clearwater
• Account Number: 28-4080-0299
• Branch Code: 630504
• Swift address: ABSA ZA JJ
• Account Type: Business Current Account
• Reference: Name of requestor and date of request.

Value-Added Tax (VAT) is only payable by institutions registered as VAT vendors as required under s23 of the VAT Act, 89 of 1991.

All requests for access to records must be submitted to StudyTrust’s Information Officer in writing, using the prescribed form. StudyTrust provides Form C (which corresponds substantially with Form 2: Request for Access to Record [Regulation 7] available from the Information Regulator). The completed form should be sent to the Information Officer via email or postal mail.

Required details for your request:

• Sufficient Personal and Record Detail: Provide enough detail on the request form to enable StudyTrust to identify you and the specific record you need. This includes your full names, identity number, contact details, and a clear description of the record or relevant part of the record, including any known reference numbers.
• Proof of Identity: Requesters must attach proof of identity.
• Capacity for Requests on Behalf of Another: If the request is made on behalf of another person, proof of such authorization must be attached.
• Preferred Form of Access: Indicate the format in which you would like to access the records (e.g., hardcopy printouts, electronic format, inspection).
• Preferred Manner of Notification/Correspondence: Inform StudyTrust on how you wish to be notified of the decision (e.g., postal address, electronic communication, etc.).
• Right to be Exercised or Protected: List the right you wish to exercise or protect and provide an explanation of why the requested record is required for the exercise or protection of that right.
• Preferred Language: Indicate if the record is preferred in any particular language (access may be granted in the available language if your preferred language is not available).

Processing and Decision:

• StudyTrust’s Information Officer will process the request as soon as reasonably possible and within 30 days of receipt.
• The 30-day period may be extended once for a further period of not more than 30 days under certain circumstances:
• If the request is for a large number of records or requires an extensive search that would unreasonably interfere with StudyTrust’s activities.
• If the search for records is at an office not in the same town/city as the Information Officer and cannot be reasonably completed within the original period.
• If consultation among StudyTrust divisions or with another body is necessary and cannot be completed within the original period.
• If multiple such circumstances exist.
• If the requester consents in writing to such an extension.
• You will be notified in writing whether your request has been approved or denied.
• If approved, you will be advised on the access fee to be paid and the format in which access will be given.
• If your request is refused, StudyTrust’s Information Officer will provide written reasons, including the provisions of the Act relied upon for the refusal.
• Deemed Refusal: If StudyTrust fails to respond within 30 days (or the extended period), the request is deemed to have been refused.

Remedies for Dissatisfaction:

• You may lodge a complaint with the Information Regulator using Form 5 [Regulation 10]. For a private body, this can be done if you are not satisfied with the decision.
• You may also lodge an appeal with the High Court against the refusal of the request, excessive fees, or the format of access granted. An application to court must be made within 180 days after the decision.

PAIA requires StudyTrust to provide information related to the Protection of Personal Information Act 4 of 2013 (“POPIA”). This includes how personal information is processed, used, disclosed, and destroyed, as well as data subjects’ rights. StudyTrust is committed to its data privacy obligations and upholds the eight conditions for lawful processing under POPIA. This commitment is formalized through a comprehensive POPIA Policy.

StudyTrust collects and processes personal data in line with the eight conditions for lawful processing under POPIA:

• Accountability (Section 8): StudyTrust acknowledges responsibility for processing personal information lawfully and with due consideration for data subjects’ rights.
• Processing Limitation (Section 9): Personal information is collected and processed only for lawful, specified, and legitimate purposes, and not used incompatibly with those purposes.
• Purpose Specification (Section 11): Purposes for collection are clearly specified, ensuring data subjects understand why their information is processed.
• Further Processing Limitation (Section 11): Personal information is not processed for purposes other than originally collected without further consent, unless permitted by law.
• Information Quality (Sections 12, 24): Reasonable steps are taken to ensure personal information is accurate, complete, and up-to-date.
• Openness (Section 14): StudyTrust is transparent about data processing practices and provides information to data subjects on handling their personal information.
• Security Safeguards (Section 19): Appropriate technical and organisational measures are implemented to protect personal information against unauthorized access, disclosure, alteration, or destruction.
• Data Subject Participation (Sections 11, 22, 23, 24): Data subjects’ rights (access, rectify, erase, object, and port) are acknowledged, and mechanisms are provided to exercise them.

StudyTrust processes personal information relating to various data subjects:

StudyTrust processes personal information for lawful, specified, and legitimate purposes. The type of personal information processed depends on the purpose for which it is collected. StudyTrust will always inform data subjects why their information is being collected and will process it for that purpose only.

Purposes include, but are not limited to:

• Funding administration (Bursary Management): Application for and administering bursaries, scholarships, and mentoring programs.
• Employment obligations: Staff administration and job applicants, including recruitment and alumni engagement.
• Regulatory compliance: Fulfilling statutory obligations under PAIA and POPIA. This includes compliance with other relevant legislation such as PFMA, Tax Administration Act, ECT Act, FICA, and National Archives and Records Service Act.
• Organisational management: Keeping accounts and records, procurement processes, managing visitors to premises.
• Monitoring and evaluation: Conducting compliance assessments, investigating complaints, and enforcement mechanisms.
• Processing of applications for: Codes of conduct, exemptions, prior authorisations, authorisations for processing special personal information, and authorisations for processing personal information of children.

StudyTrust may supply the personal information of data subjects to the following recipients or categories of recipients:

• Internal stakeholders: Management, employees, temporary staff, and board members, as part of executing its statutory mandate.
• Legal and regulatory authorities: Any regulatory authority or tribunal, law enforcement agencies (e.g., National Prosecuting Authority, South African Police Service for criminal investigation), and Courts (for judicial review matters). This may include sharing information with the Information Regulator during complaint investigations.
• International scholarship bodies: Where applicable.
• Accredited service providers (Contracted Operators): StudyTrust engages service providers for various services, and personal information may be supplied to them for purposes such as capturing and organising information, storing information, sending correspondence, conducting due diligence/criminal/qualification checks, forensic investigations, auditing, administration of provident/pension funds and medical aids, and ICT infrastructure.

StudyTrust has agreements in place to ensure that other parties comply with its confidentiality and privacy requirements. Personal information may also be disclosed where StudyTrust has a legal duty to do so.

StudyTrust has not planned Transborder flows of personal information. However, should it become necessary to transfer personal information to another country for any lawful purposes, StudyTrust will ensure that:

• Anyone to whom it passes personal information is subject to a law, binding corporate rules, or a binding agreement which provides an adequate level of protection.
• The transfer will be with the data subject’s consent. If obtaining consent is not reasonably practicable, StudyTrust may transfer the information if it will be for the data subject’s benefit and they would have given consent had it been reasonably practicable.

StudyTrust is required to implement appropriate, reasonable technical and organisational measures to prevent loss of, damage to, or unauthorised destruction of personal information, and unlawful access to or processing of personal information.

Measures taken by StudyTrust include, among others:

• Access Controls: Restricting access to authorised personnel only, using role-based access and least privilege principles.
• Encryption: Protecting personal information both at rest and in transit, especially when sensitive data is involved. Encrypted cloud backups are utilized.
• Authentication and Authorisation: Employing strong authentication mechanisms (e.g., MFA on critical systems) and role-based access control.
• Defensive Measures: Implementing measures to protect against threats.
• Robust Monitoring, Auditing and Reporting capabilities: Implementing monitoring and logging systems to detect and respond to security events. Device monitoring and endpoint protection are used.
• Data Backups: Regular data backup and testing of data recovery processes.
• Anti-virus and Anti-malware Solutions.
• Awareness and Vigilance: Providing security awareness training to employees.
• Agreements with Operators: Concluding agreements with operators to implement security controls that ensure data protection.
• Data Minimisation: Collecting personal information only to the extent necessary for the specified purpose.
• Security Policies and Procedures: Establishing comprehensive security policies and procedures covering all aspects of data protection.
• Data Transfer Controls: Implementing secure data transfer protocols.
• Physical Security: Measures to secure physical storage and processing environments from risks like fire, flood, and unauthorized access.
• Information Security Incident Response Plan: Maintaining an incident response plan to detect, report, and respond to data breaches promptly and effectively.
• Security Testing and Audits: Regular assessments, penetration testing, and vulnerability scans to identify and address weaknesses.
• Data Disposal: Securely disposing of personal information when it is no longer needed.

StudyTrust continuously establishes and maintains appropriate safeguards against identified risks and regularly verifies their effective implementation, updating them in response to new risks or deficiencies

StudyTrust recognizes and respects the rights of data subjects under POPIA:

• Right to Access (Section 23): Data subjects have the right to request confirmation from StudyTrust, free of charge, whether it holds personal information about them, and to request the record or a description of the personal information, including the identity of all third parties who have had access to it.
• Right to Rectify (Section 24): Data subjects can request corrections to their personal information if it is inaccurate, incomplete, or outdated.
• Right to Erasure (Section 24): Data subjects have the right to request the deletion or destruction of their personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, unlawfully obtained, or no longer authorised for retention.
• Right to Object (Section 11(3)): Data subjects can object to the processing of their personal information if it’s based on legitimate interest, necessary for a public law duty, or for direct marketing purposes.
• Right to Data Portability: StudyTrust will facilitate data subjects’ requests to transfer their personal information to other organizations under certain conditions.
• Right to Lodge a Complaint: Data subjects have a clear and accessible process to lodge complaints regarding the processing of their personal information.

StudyTrust provides data subjects with mechanisms to exercise these rights and will respond to requests promptly and transparently.

• Data subjects can request access to their personal information held by StudyTrust free of charge, upon providing adequate proof of identity.
• To make this request, complete Form C (which corresponds substantially with Form 2: Request for Access to Record [Regulation 7]).
• Once StudyTrust receives your request on Form C, it will provide a written estimate of any applicable fees for reproduction. The requested record or description will only be released once proof of full payment is received.
• Requests are processed within a reasonable time, in a reasonable manner and format, and in a generally understandable form.

• Data subjects have the right to object to the processing of their personal information in certain situations, unless legislation provides for such processing. These situations include when the processing is based on:
• Legitimate interests (either of the data subject or a third party)
• Necessity for a public law duty
• Direct marketing purposes
• To object, data subjects objection must be submitted on Form 1: Objection to the processing of personal information [Regulation 2]. StudyTrust will provide reasonable assistance free of charge with completing this form.
• Data subjects also have the right to object if StudyTrust processes their personal information for direct marketing purposes.

• Data Subjects may make a request to StudyTrust to correct or delete personal information in its possession that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully.
• Data Subjects may also request StudyTrust to destroy or delete a record of personal information about you that StudyTrust is no longer authorized to retain (e.g., if the purpose for which it was collected has been achieved and retention is not required by law, contract, or consent).
• To make this request, Form 2: Request for correction or deletion of personal information or destroying or deletion of record of personal information [Regulation 3] should be completed.
• Once StudyTrust receives a Data Subjects request, it will, as soon as reasonably possible, correct or destroy/delete the information or provide the Data Subject with credible evidence supporting the information to your satisfaction.
• If an agreement cannot be reached regarding correcting the personal information, the Data Subject may request that StudyTrust attach a note indicating the Data Subjects’ request for correction was made but not implemented.

If Data Subjects are unhappy with the way StudyTrust processes their personal information and believe that it is interfering with the protection of their personal information, they may lodge a complaint with the Information Regulator.

• This complaint must be submitted on Form 5: Complaint regarding interference with the protection of personal information / complaint regarding determination of an adjudicator [Regulation 7] (Part 1 thereof).
• The Information Regulator may defer investigating or reject a complaint if the complainant has not first given the public or private body an opportunity to respond and attempt to resolve the issue.
• Data Subjects are required to attach copies of relevant documents, such as the initial request form, StudyTrust’s response, and any appeal forms/responses.
• The Information Regulator will only accept the complaint once prerequisites (e.g., submitting the PAIA form to the body, 30 days lapsed, exhausting internal appeal if applicable) are met.

StudyTrust maintains a documented security compromise response plan to detect, report, and respond to data breaches promptly and effectively, in accordance with POPIA. This plan includes:

• Detection Mechanisms: Procedures to detect and classify potential data breaches, including incident reporting.
• Incident Response Team (IRT): An IRT, including the Information Officer and legal counsel, is activated to address data breaches.
• Assessment: The nature and scope of data breaches are assessed, and risk assessments are conducted to determine potential impacts.
• Notification: StudyTrust will notify affected data subjects and the Information Regulator in the event of a data breach, as required by POPIA.
• Investigation: The root cause of data breaches is investigated, including forensic analysis if necessary. Security incidents are logged, investigated, and documented.
• Remediation: Corrective actions are taken to mitigate the impact of data breaches and prevent future occurrences.
• Documentation: Thorough documentation of data breach incidents, responses, and remediation efforts is maintained.

This commitment is formalized through a comprehensive Information Security Incidence Response Plan and a Risk Management Policy.

StudyTrust conducts regular compliance checks and audits to ensure that its data processing activities align with POPIA principles and requirements.

• Audits assess data processing procedures, security measures, personnel training, and compliance with data subject rights.
• Results are documented, and corrective actions are taken as necessary.

StudyTrust provides training and awareness programmes to employees and stakeholders to ensure they understand POPIA requirements and their responsibilities in safeguarding personal information.

• Training needs are assessed based on roles and responsibilities.
• A comprehensive training plan is developed, with tailored content for different roles.
• Records of training sessions, attendance, and assessment results are maintained.

StudyTrust maintains comprehensive documentation of all data protection practices, including policies, procedures, and assessments.

• Documentation is regularly updated to reflect changes in regulations and best practices.
• Detailed records related to data protection activities, including Personal Information Impact Assessments (PIIAs), audits, training, security compromise incidents, and data subject requests, are maintained.
• Employees are encouraged to report concerns or incidents related to data protection and POPIA compliance.

This commitment is formalized through a comprehensive POPIA Policy, Whistleblower Policy, and Data Retention and Destruction Policy.

The Information Officer submits its Annual Report to the Regulator in the previous financial year, as required by Section 32 of PAIA. This is an ongoing compliance activity to report on PAIA requests and their outcomes.

• Act: Refers to the Promotion of Access to Information Act, 2 of 2000 (PAIA).
• Deputy Information Officer (DIO): The designated individual responsible for assisting the Information Officer with PAIA and POPIA requests and duties.
• Data Subject: The individual to whom personal information relates. This includes StudyTrust bursary applicants, recipients, donors, employees, and any other individuals whose data is processed.
• Information Officer (IO): The head of a private body (e.g., National Director) responsible for ensuring compliance with PAIA and POPIA, overseeing data protection, and serving as a contact point.
• PAIA: Promotion of Access to Information Act, 2 of 2000.
• Personal Information: Information that can identify an individual, directly or indirectly, including but not limited to names, contact details, identification numbers, and demographic information.
• POPIA: Protection of Personal Information Act, 4 of 2013.
• Processing: Any operation or set of operations performed on personal information, including collection, storage, retrieval, use, sharing, and deletion.
• Record: Any recorded information, regardless of form or medium, in the possession or under the control of StudyTrust, whether or not created by StudyTrust.
• Regulator: The Information Regulator, established in terms of section 39 of POPIA, responsible for monitoring and enforcing compliance with POPIA and PAIA.
• Requester: Any person (other than a Public body) making a request for access to a record of a body, or a person acting on their behalf.

(Please refer to Section 9: Prescribed Fees, for a detailed breakdown of applicable fees and payment details).

Request Fee: A request fee of R140.00 is generally payable by every requester for access to records, unless exempted. Exemptions:

1. Persons requesting access to their Personal Information are exempt from paying a fee.
2. Persons whose annual income is less than R14,712 (if single) or whose joint income (if married or with a life partner) is less than R27,192 per annum, after permissible deductions (e.g., PAYE and UIF), are also exempt from paying the request fee.

Access Fees (for reproduction and preparation of records):

1. Photocopy per A4 page: 00.
2. Printed copy per A4 page (held on computer/electronic/machine-readable form): 00.
3. Electronic copy (CD, USB flash drive):
   40. If provided by requestor: 00.
   41. If provided to the requestor: 00.
4. Transcription of visual images per A4 page: Service to be outsourced (cost depends on quotation from service provider).
5. Copy of visual images: Service to be outsourced (cost depends on quotation from service provider).
6. Transcription of an audio record per A4-size page: 00.
7. Copy of an audio record (flash drive/compact disc):
   40. If provided by requestor: 00.
   41. If provided to the requestor: 00.
8. Search and prepare record (per hour, excluding the first hour, if search exceeds six hours): 00.
9. Deposit: One third of the total access amount (calculated on items 2-8 above) is payable if the search exceeds six hours. This deposit is repayable if the request is refused.
10. Postal charges (postage, email, or other electronic transfer): Actual expense, if any.

All fees are prescribed by the Information Regulator and are subject to change.

The following forms are used for requests and complaints:

• Form C: Request for Access to a Record (StudyTrust’s internal form, substantially similar to Form 2 [Regulation 7] of PAIA for requests for access to records).
• Form 1: Objection to the processing of personal information (in terms of Section 11(3) of POPIA and Regulation 2).
• Form 2: Request for correction or deletion of personal information or destroying or deletion of record of personal information (in terms of Section 24(1) of POPIA and Regulation 3).
• Form 5: Complaint regarding interference with the protection of personal information / complaint regarding determination of an adjudicator (in terms of Section 74 of POPIA and Regulation 7).