The Protection of Personal Information Act, No. 4 of 2013 (POPI Act) is now in operation, as from 1 July 2020. What does this mean for community schemes such as sectional title developments, homeowners associations and retirement villages?
1. By when do you have to comply with the POPI Act’s requirements?
You have one year to implement POPI Act’s requirements in regard to the processing of personal information. This does not mean you can ignore its provisions, but section 114 of the POPI Act provides that “All processing of personal information must within one year after the commencement of this section be made to conform to this Act.” – effectively allowing a “phase in” period of one year before schemes are obliged to comply.
2. What exactly is the purpose of the POPI Act and what will compliance entail?
The fundamental purposes of the POPI Act are disclosed in the first two phrases of its preamble: “To promote the protection of personal information processed by public and private bodies; to introduce certain conditions so as to establish minimum requirements for the processing of personal information…” In plain language, the POPI Act exists to ensure that people’s personal information is not misused.
3. What is “personal information” for the purposes of the POPI Act?
The definition is very wide, covering all information relating to an identifiable human or artificial person. There are three classes of personal information: General, Special and Children’s personal information, with increasing restrictions on each class. Examples of general personal information are identity numbers, telephone numbers and addresses. Special personal information includes details of persons’ religious or philosophical beliefs, their race or ethnic origin, trade union membership, political affiliations, health or sex life, previous criminal behaviour, and biometric information. Any information relating to a person under the age of 18 is considered particularly sensitive.
My guess is that most community schemes will regularly keep only general personal information relating to their residents, employees, suppliers and others they deal with.
4. Lawfulness and “minimality”
Section 9 of the POPI Act requires that personal information must be processed lawfully without infringing the privacy of the “data subject” – the person whose personal information is being dealt with.
Section 11 sets out the requirements for lawful processing and it includes: (b) processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party; and (c) processing complies with an obligation imposed by law on the responsible party.
This means that community schemes are entitled to process such personal information as they need to in order to comply with the laws that govern their operations and the requirements of their governance documents. However, a community scheme must not process any personal information that it does not need to, in order to comply with its statutory and contractual obligations.
5. Legal and illegal data processing in community schemes
Schemes are entitled to use their CRM and accounting systems to carry out the processes required to comply with their legitimate purposes, for example to generate levy statements and send them to appropriate owners and to make up reports of levy defaulters or residents who have broken rules, so as to be able to initiate appropriate actions based on this information processing, these being typical examples of data processing that includes personal information. However, it will be illegal for a community scheme to generate a list of defaulting owners so as to inform a person who wishes to make offers to purchase their units, or to process their data so as to create email or address marketing lists for products or services.
6. Who is responsible for ensuring compliance with the provisions of the POPI Act?
Each community scheme will have to appoint a “responsible party”, a person to implement the requirements of the POPI Act. This person, who may be a scheme executive, an employee or an agent, will take legal responsibility to ensure that the scheme processes personal information in a responsible manner as required under the legislation.
7. Data subjects’ rights
The POPI Act requires that a community scheme keep personal information securely and that the people whose information is being stored are given an opportunity to correct it when it is wrong.
8. Will the POPI Act prevent an owner accessing other owners’ contact details?
No, there is nothing in the POPI Act that stops an owner inspecting and copying scheme records, in accordance with the relevant legislation and the scheme’s governance documents.
In my view, the ordinary operations of a community scheme will not be affected by compliance with the POPI Act, but scheme executives will need to be aware of its provisions and appoint a responsible person to ensure that the personal information they store and process is not abused and that it is kept secure from others who could misuse it
Graham Paddock is a specialist community schemes attorney, notary and conveyancer. He has been advising clients and teaching students for over 40 years, and was an adjunct professor at UCT for 10 years.
Article reference: Paddocks Press: Volume 15, Issue 7.
This article is published under the Creative Commons Attribution license.