Community housing schemes have just a few months left to ensure that their record-keeping systems and those of their managing agents are compliant with the Protection of Personal Information (POPI) Act, which became effective on 1 July this year with a transition period to ensure complete compliance by 30 June 2021.
In addition, Andrew Schaefer, MD of leading national property management company Trafalgar, points out that it is important for owners and occupiers in Sectional Title schemes and gated developments run by Home Owners’ Associations (HOAs) to understand that the new Act does not make it illegal for the trustees or directors to collect their personal information, or to request certain personal details from visitors to their schemes in the interests of security.
“Personal information is an integral part of the real estate business. The more an agent knows about a client, the better equipped they are in finding the ideal home that meets the individual needs of that client. Despite the fact that the Protection of Personal Information Act has yet to be wholly implemented, responsible companies will already have to put measures in place to ensure that their clients’ data is lawfully protected,” says Adrian Goslett, Regional Director and CEO of RE/MAX of Southern Africa.
“Of course everyone in SA has the right to privacy, as provided for in Section 14 of our Constitution, and the POPI Act actually amplifies that right with provisions intended to protect consumers against identity theft as well as the unauthorized use or sale of their personal information for any purpose, including the creation of databases for marketing and sales campaigns,” says Schaefer.
“However, the new legislation does not stipulate that personal information cannot be collected - only that when it is collected, it must be properly managed and protected.”
This is especially pertinent in community housing schemes, he says, where the trustees, directors and managing agents have to keep a significant amount of personal information about owners and tenants on record in order to:
- Send levy accounts and statements to the correct people;
- Allocate payments correctly;
- Send out communications about the annual budget, the AGM and other body corporate or HOA meetings;
- Facilitate communications with owners and tenants regarding security issues or in an emergency such as the recent Covid-19 lockdown; and
- Take swift action in the event of levy defaults.
“Some schemes also send out monthly newsletters using at least some of this personal information, and many now also have residents’ Facebook pages or WhatsApp groups where at least some member information is shared. In addition, most schemes have controlled-access points where residents and visitors alike must provide personal information to gain entry to the complex or to obtain a remote control or access card. This may include a car registration number, a fingerprint and a photograph, for example, as well as their name and telephone number.”
If your business has not already ensured compliance, you may be wondering what exactly your obligations are.
Legal experts pop.law put it quite simply, stating: “The Act requires that all personal information needs to be processed lawfully and in a reasonable manner. This means that you are not required to have iron-clad foolproof processes in place, but that you must be able to defend your actions if called upon to do so.”
After 1 July next year, any business or legal entity that is not compliant with the POPI Act is risking prosecution and a high fine, so ST trustees and HOA directors need to act quickly now to ensure that their scheme - and any ‘third party’ such as a managing agency or security company that is acting on their behalf - is gathering, storing and using personal information correctly, or currently upgrading their procedures and systems to ensure that this information is protected.
“In a nutshell, you need to position your business to be able to say - ‘we did everything that could have been reasonably expected in the circumstances to comply with our obligations’. It will not be good enough to say that you weren’t aware of your obligations or that it wasn’t your fault that personal information was abused.”
Schaefer says there are two parts of the Act that trustees need to be particularly concerned about to start with, the first of which is the general requirement that a consumer’s consent must be obtained before any of their information can be collected or used, and that they must be properly informed about the reason for collecting the information, what will be done with it and how it will be protected.
'No need to consent for use of information for effective management'
In practical terms, ST trustees and HOA directors do not need to obtain the permission of owners in their schemes to collect or hold whatever personal information is needed for the “effective management” of those schemes, as long as that is all they do with it. However, they do need to inform them if this information is being shared with a third party, such as a managing agent, to assist with effective management of the scheme.
“In addition, they will need to obtain their permission (preferably in writing) to collect and hold any information that they intend to use for any other purpose – and state what that purpose is. They may not, for example, let owners believe that their personal information will only be used for correspondence and communications like levy statements and meeting notices and then use it – or allow it to be used – by a different company for some other purpose, such as direct marketing, without permission.”
The second concern for trustees and directors, he says, is the security of their information storage and management systems, whether these are digital or paper-based, and on-site or off-site. The Act provides for personal information to be kept in such a way that it is protected from unauthorised access – by computer hackers, for example – and for it not to be sold to or exchanged with any other organization.
'Take practical steps to protect information'
“In short, the person or company that gathers personal information is obliged to take practical steps to protect it, such as ensuring that computer records are encrypted, or that paper records are locked away and only able to be accessed by certain people in the company. The Act does not insist that companies install very high-tech systems, only that they have procedures in place to protect the information they hold and that they implement a system of accountability.”
However, says Schaefer, this does not let ST trustees ‘off the hook’ if they are not keeping their own records. “On the contrary, they are responsible for any information collected on behalf of their scheme, so if this is being done by a managing agency, they must ensure that they deal with a reputable company such as Trafalgar, which already has a proper system in place to protect and isolate all the personal information relating to individual schemes – and a clear plan about what to do if the security of that system is breached,” he says.