PAIA Manual

This manual is prepared for Aloe Clinic under the Promotion of Access to Information Act, 2000 (PAIA), read with the Protection of Personal Information Act, 2013 (POPIA). It helps patients, staff, suppliers, regulators, and other requesters understand what records may be held and how to request access.

This app-specific manual should be reviewed against Aloe Clinic's registered legal entity details, physical address, information officer, and full operational record categories before publication.

• Responsible party: Aloe Clinic.
• Information officer: the clinic manager or the person formally appointed by Aloe Clinic.
• Contact channel: use the clinic's current published contact details until a dedicated PAIA and privacy email address is added to this app.
• Service described by this manual: online appointment booking, staff booking administration, practitioner availability checks, and calendar synchronisation.

The South African Information Regulator publishes a PAIA guide that explains how to exercise access to information rights. A requester may obtain the guide from the Information Regulator or ask Aloe Clinic to assist with access to the guide.

• Public website pages and public booking information.
• The Privacy Policy, Terms of Use, and this PAIA Manual.
• Appointment confirmation details already provided to the patient or authorised representative.
• Other records that Aloe Clinic decides to publish without a formal PAIA request.

Aloe Clinic may hold records in the following categories. Listing a category does not mean every record will be disclosed; each request is assessed under PAIA, POPIA, confidentiality duties, and healthcare recordkeeping laws.

• Patient and booking records, including contact details, appointment history, consent records, booking notes, and appointment status history.
• Practitioner and staff administration records, including approved staff profiles, roles, working hours, calendar connection status, access logs, and audit logs.
• Operational records, including clinic schedules, policies, procedures, incident records, access reviews, and internal correspondence.
• Technology and security records, including database records, integration logs, application configuration, and records relating to authentication, hosting, backups, and security controls.
• Supplier and service provider records, including contracts, invoices, support records, and data processing arrangements.
• Legal, compliance, tax, accounting, and regulatory records that Aloe Clinic is required or permitted to keep.

Requests should be made in writing and should give enough detail for Aloe Clinic to identify the requester, the requested record, the right the requester wants to exercise or protect, and the preferred method of access. Aloe Clinic may require proof of identity or proof of authority to act for another person.

If PAIA requires a prescribed form or fee for a specific request, Aloe Clinic may ask the requester to complete the form or pay the fee before the request is processed.

Aloe Clinic may refuse access where PAIA allows or requires refusal, including where disclosure would unreasonably reveal another person's personal information, breach patient confidentiality, disclose confidential third-party or commercial information, compromise security, reveal legally privileged information, or conflict with another law.

Data subjects may ask Aloe Clinic to confirm whether it holds their personal information, request access to that information, correct or delete it where permitted, or object to certain processing. These requests should be made through the process in this manual and read with the Privacy Policy.

Aloe Clinic may share personal information and records with authorised staff, practitioners, hosting and database providers, Google services, support providers, professional advisers, regulators, courts, and other parties where necessary or lawful. Some service providers may process information outside South Africa, depending on the production hosting and integration setup.

Current app controls include staff-only access to the back office, approved Google email checks, role-based permissions, encrypted Google OAuth tokens, audit logs, and server-side booking validation. Aloe Clinic should supplement these controls with production infrastructure security, access reviews, backups, incident response procedures, and vendor agreements appropriate for healthcare information.