by Armand Swart – Director, Hlonelwa Lutuli – Associate, Hanán Jeppie – Candidate Attorney 

On 5 January 2026, the Information Regulator (“IR“) issued an enforcement notice against the Johannesburg Stock Exchange (“JSE“), setting aside the JSE’s refusal to grant Inhlanhla Venture Proprietary Limited (the “complainant“) access to trading records under the Promotion of Access to Information Act 2 of 2000 (“PAIA“). The complainant sought these records to investigate suspected market manipulation. This decision marks a significant development in how the IR interprets PAIA, particularly in the context of financial markets. This article discusses the decision and the key takeaways for private and public organisations.

The complainant invested in enX Group Limited shares through a broker. Following a sharp decline in the share price, the complainant sold its shares to the broker. Shortly thereafter, the share price recovered substantially, with the broker realising a significant profit.

The complainant submitted a PAIA request to the JSE requesting all trading and settlement records relating to enX shares for the period 3 to 19 May 2020. The request included the identities of all parties and the value of the transactions. The JSE refused access, citing mandatory exemptions under PAIA and alleging that it was not a public body for purposes of the Act.

Public Versus Private Functions

 The IR first considered whether the JSE was a private body, as it alleged. This classification was significant because if the JSE were a private body, the complainant would need to demonstrate that the records were required for the exercise or protection of a right. Additionally, the complainant’s procedural approach would have been defective as it followed the public body process.

The IR acknowledged that the JSE can perform both public and private functions. However, in this case, the JSE had presented itself as a public body by identifying its Information Officer with reference the definition in PAIA for a public body and by aligning its PAIA manual with PAIA’s provisions relating to public bodies. The JSE relied on the grounds of exclusion for public bodies when responding to the request. Furthermore, the records were housed on the JSE’s Broker Deal Accounting System, which relates to the JSE’s public regulatory and monitoring functions under the Financial Markets Act 19 of 2012 (“FMA“). The IR considered this to be a public function.

Protection of Personal Information (section 34(1))

 PAIA requires an Information Officer to refuse a request for access if disclosure would involve the unreasonable disclosure of personal information about another person. The JSE argued that the request should be refused on this ground because its system included personal information of buyers, sellers, and others, including identity numbers, tax numbers, and contact details.

The IR found that the disclosure was not unreasonable: Information about securities trading in a public market infrastructure is not inherently private and does not attract the same privacy protection as more sensitive personal information (like medical or religious information). Accordingly, there could not be a reasonable expectation of privacy.

Protection of Commercial Information of Third Parties (section 36(1)(b))

 PAIA mandates refusal where records contain financial, commercial or technical information of a third party, the disclosure of which would be likely to cause harm to that party’s commercial or financial interests. The JSE contended that disclosure would harm the commercial interests of third-party market participants (buyers, sellers, nominees, brokers etc).

The IR found this reasoning inadequate. To rely on this ground of refusal, the JSE was required to specify the possible harm and provide supporting evidence of a causal link between disclosure and that harm. The JSE’s references to trading strategies were deemed speculative and unsupported by any facts (i.e. there was no evidence that this harm would occur if disclosure took place).

Protection of Confidential Information (section 37(1)(a))

 A PAIA request must be refused where disclosure would constitute an action for breach of a duty of confidence owed to a third party under an agreement. The JSE argued that its contractual relationships with issuers and authorised users, regulated by the listing requirements, created such a duty. It further alleged that the FMA prohibited disclosure based on confidentiality.

The IR found no causal link between the disclosure of the records and any breach of confidentiality. Importantly, the IR held that parties cannot circumvent PAIA by resorting to a confidentiality clause, and that a duty of confidence cannot be created by agreement when the underlying information is not genuinely confidential. The FMA permits disclosure where required or permitted in terms of a law, and the IR found that PAIA was such a law.

Third party notification

 The IR criticised the JSE for failing to comply with section 47 of PAIA, which requires third parties whose records may be affected by a disclosure request to be notified. This procedural requirement is mandatory and must be completed before an Information Officer can make decide to grant or refuse a request where one of the aforementioned grounds of refusal apply.

The Order

 The IR granted the complainant’s request for access, subject to affected third parties being notified and given the opportunity to lodge representations with the IR’s Enforcement Committee.

Key Takeaways for Public and Private Bodies

 This decision reinforces several important principles that organisations should bear in mind:

Understand your organisation’s classification. Organisations should be mindful of how they present themselves, including in their PAIA manuals, and how they respond to PAIA requests. Inconsistent conduct may result in being classified as a public body or vice versa.

Substantiate exemption claims with evidence. Vague references and general assertions will not suffice when refusing PAIA requests. Organisations must identify the anticipated harm and provide supporting evidence thereof.

Comply with third-party notification requirements. When refusing a PAIA request based on the unreasonable disclosure of personal or commercially sensitive information, or information that is subject to obligations of confidentiality, notifying affected third parties is mandatory.

Contractual confidentiality has limits. Organisations cannot create contractual duties of confidence simply to shield information from legitimate PAIA requests. The constitutional right of access to information may override privately agreed confidentiality provisions.

Transparency obligations are heightened in regulated markets. Securities trading occurs in a public arena, and related information may well be disclosable in response to a legitimate PAIA request.

Enforcement notices carry serious consequences. Non-compliance with an enforcement notice is an offence and can result in a fine of up to R10 million or imprisonment, or both.

Conclusion

 This decision underscores the IR’s willingness to hold significant market institutions accountable and reinforces the importance of transparency in South Africa’s financial markets. Private and public bodies alike should take note of this decision to avoid facing regulatory enforcement action.