PAIA Manual

Objective

Prepared in terms of section 51 of the Promotion of Access to Information Act 2 of 2000 (as amended).

Scope

Note: See Compliance Register.

  1. Section 51 of the Promotion of Access to Information Act 2 of 2000

Definitions

  • PAIA – Promotion of Access to Information Act No. 2 of 2000 (as amended)
  • POPIA – Protection of Personal Information Act No. 4 of 2013
  • Organization/private body – Mezzanine Ware (Pty) Ltd

Purpose of the PAIA Manual

This PAIA Manual is useful for the public to:

  • check the categories of records held by a body that are available without a person having to submit a formal PAIA request
  • have a sufficient understanding of how to make a request for access to a record of the body, by providing a description of the subjects on which the body holds records and the categories of records held on each subject
  • know the description of the records of the body which are available in accordance with any other legislation
  • access all the relevant contact details of the Information Officer and Deputy Information Officer who will assist the public with the records they intend to access
  • know the description of the guide on how to use PAIA, as updated by the Information Regulator, and how to obtain access to it
  • know if the body will process personal information, the purpose of the processing of personal information and the description of the categories of data subjects and of the information or categories of information relating thereto
  • know the description of the categories of data subjects and of the information or categories of information relating thereto
  • know the recipients or categories of recipients to whom the personal information may be supplied
  • know if the body has planned to transfer or process personal information outside the Republic of South Africa and the recipients or categories of recipients to whom the personal information may be supplied
  • know whether the body has appropriate security measures to ensure the confidentiality, integrity, and availability of the personal information which is to be processed

Key contacts

(Key contact details for access to information of the organization/private body)

Information officer

Jacques De Vos
021 880 2033
data-protection-officer@mezzanineware.com

Deputy information officer

Ricky Farrer
021 880 2033
data-protection-officer@mezzanineware.com

Head office (Street and postal address)

14 Quantum Rd, Techno Park, Stellenbosch, 7600
Suite 173, Private Bag x14, Die Boord, 7613
021 880 2033
data-protection-officer@mezzanineware.com
https://mezzanineware.com/

PAIA guide use and access

A guide detailing the information below from PAIA section 51, and required by PAIA section 10, is available from the Information Regulator here: https://inforegulator.org.za/paia-guidelines/

Guide available as of 11 May 2023: Guide on how to use the Promotion of Access to Information Act 2 of 2000, as amended [Oct 2021].

PAIA section 51:

  • The Information Regulator has, in terms of section 10(1) of PAIA, as amended, updated and made available the revised guide on how to use PAIA (“guide”), in an easily comprehensible form and manner, as may reasonably be required by a person who wishes to exercise any right contemplated in PAIA and POPIA
  • The guide is available in each of the official languages and in braille
  • The aforesaid guide contains the description of:
    • the objects of PAIA and POPIA
    • the postal and street address, phone and fax number, and, if available, electronic mail address of:
      • the Information Officer of every public body, and
      • every Deputy Information Officer of every public and private body designated in terms of section 17(1) of PAIA and section 56 of POPIA
    • the manner and form of a request for:
      • access to a record of a public body contemplated in section 11
      • access to a record of a private body contemplated in section 50
    • the assistance available from the information officer of a public body in terms of PAIA and POPIA
    • the assistance available from the Information Regulator in terms of PAIA and POPIA
    • all remedies in law available regarding an act or failure to act in respect of a right or duty conferred or imposed by PAIA and POPIA, including the manner of lodging:
      • an internal appeal
      • a complaint to the Information Regulator
      • an application with a court against a decision by the information officer of a public body, a decision on internal appeal or a decision by the Information Regulator or a decision of the head of a private body
    • the provisions of sections 14 and 51 requiring a public body and private body, respectively, to compile a manual, and how to obtain access to a manual
    • the provisions of sections 15 and 52 providing for the voluntary disclosure of categories of records by a public body and private body, respectively
    • the notices issued in terms of sections 22 and 54 regarding fees to be paid in relation to requests for access
    • the regulations made in terms of section 92
  • Members of the public can inspect or make copies of the guide from the offices of the public and private bodies, including the office of the Information Regulator, during normal working hours
  • The guide can also be obtained:
  • A copy of the guide is also available in the following two official languages, for public inspection during normal office hours:
    • English
    • Afrikaans
    • Other

Publicly available records

(Categories of records of the organization/private body which are available without a person having to request access)

The categories of records listed below are held by the organization/private body and are available without a person having to request access by completing Form C (Information Regulator). The list also gives the types of the records and how the records can be accessed.


Records available as required by other legislation

(Description of the records of the organization/private body which are available in accordance with any other legislation)

The below-listed records are created and available in accordance with other South African legislation.


Information subject and records

(Description of the subjects on which the body holds records and categories of records held on each subject by the organization/private body)


Processing of personal information

Purpose of processing personal information

Mezzanine Ware RF (Pty) Ltd, a South African company founded in 2012, delivers digital solutions to companies doing business in Africa. With an estimated 800 million mobile subscribers in Africa, we see mobile technology as a major enabler for creating productive societies. We deliver last-mile mobile, IoT, and digitally-enabled solutions that cut costs, increase efficiency, improve risk management, and provide unrivalled access to citizens across the continent. We work with our customers to co-create solutions in the industries of agriculture, health, social services, education, utilities, and financial management.
Your Trusted Partner on Your Digital Journey.

The world we live in is changing and so is the way companies do business. Mezzanine Ware RF (Pty) Ltd is creating new, efficient, transparent, and accessible business models to connect our customers with last-mile users across Africa.

We use our shared services platform to provide cost-effective and scalable solutions.

Our hands-on experience in understanding, creating, and scaling digital mobile solutions means we are your trusted technology and advisory partner. We lead you through this digital journey to benefit your business and society as the recipient of your service.

We have successfully developed and deployed solutions in South Africa, Ghana, Kenya, Tanzania, Zambia, Mozambique, and Nigeria.

Data subjects and their data

(Description of the categories of data subjects and of the information or categories of information relating thereto)

The privacy notices, as per the Privacy Notice Process, detail the data subjects and what data is collected (mandatory and voluntary) per processing activity / product. The privacy notices are available to the data subjects applicable to the processing activity / product via the mobile or web applications.

This information is also captured in the Inventory of Processing Activities which is available on request to authorised parties.

Data recipients

(The recipients or categories of recipients to whom the personal information may be supplied)

The privacy notices, as per the Privacy Notice Process, detail the data recipients per processing activity / product. The privacy notices are available to the data subjects applicable to the processing activity / product via the mobile or web applications.

This information is also captured in the Inventory of Processing Activities which is available on request to authorised parties.

Cross-border transfers

(Planned cross-border flows of personal information)

The privacy notices, as per the Privacy Notice Process, detail any cross-border transfer of data subjects' PII per processing activity / product. The privacy notices are available to the data subjects applicable to the processing activity / product via the mobile or web applications.

This information is also captured in the Inventory of Processing Activities which is available on request to authorised parties.

Information security

(General description of information security measures to be implemented by the responsible party to ensure the confidentiality, integrity, and availability of the information)

ISO 27001 Certified: IS 686196

Information Security Management System, including:

  • Bring Your Own Device (BYOD) Policy
  • Mobile Device and Teleworking Platform
  • Personnel Security Policy
  • Termination Policy
  • Acceptable Use Policy
  • Information Classification Policy
  • Access Control Policy
  • Password Policy
  • DevOps Security Policies
  • Cryptographic Controls Policy
  • Clear Desk and Clear Screen Policy
  • Disposal and Destruction Policy
  • Procedure for Working in Secure and Non-Secure Areas
  • Backup Policy
  • Change Management Policy
  • Operating Procedures for Information and Communication Technology
  • Technical vulnerability management
  • Information Transfer Policy
  • Secure Development Policy
  • Source Code Management Policy
  • Penetration Testing Policy
  • Supplier Security Policy
    • Security Clauses for Suppliers and Partners
  • Incident Management Procedure
  • Data Breach Response and Notification Procedure
  • Continuity and Redundancies
  • Compliance with legal and contractual requirements
  • Security Policy and Objectives
  • Certification Scope
  • Identification of Requirements
    • EU GDPR 2016-679
    • Information Regulator (South Africa)
    • List of Legal, Regulatory, Contractual, and Other Requirements
  • Security Officer Job Description
  • Document and Record Control
  • Risk Assessment and Risk Treatment Methodology
  • Business Continuity Plan
  • Data Protection Impact Assessment Methodology
  • Inventory of Processing Activities, Assets, Entities, and Vendors
  • Competency, Awareness, Training and Communication Plan
  • Procedure for Internal Audit
  • Management Review
  • Procedures for Corrective Actions
  • Monitoring and Measurements
  • Anonymization and Pseudonymization
  • Personal Data Protection Policy
  • Data Retention Policy
  • Data Retention Schedule
  • Cross Border Personal Data Transfer Procedure / Standard Contractual Clauses (SCC’s)
  • Privacy Notices

Availability of the manual

A copy of the Manual is available:

  • to any person upon request and upon the payment of a reasonable prescribed fee
  • to the Information Regulator upon request
  • at the Mezzanine Ware (Pty) Ltd head office
  • on the Mezzanine Ware (Pty) Ltd website https://mezzanineware.com/

A fee for a copy of the manual, as contemplated in Annexure B of the Regulations, shall be paid for each A4-size photocopy made.

Issued by
Jacques De Vos
Information Officer