The POPI Act demystified
The long-awaited Protection of Personal Information Act (POPI) came into effect on 1 July, but whose info does it protect?
Most of the provisions of the POPI Act took effect on 1 July. The act is designed to promote the protection of personal information and to bring South Africa’s privacy laws in line with international standards. “It limits the rights of businesses to collect, process, store and share personal information. It also makes businesses accountable for protecting the privacy of this information,” says specialist sectional title attorney and BBM
Law director Marina Constas. The act has significant implications for owners, tenants and executives in community housing schemes like sectional title complexes, apartment blocks, residential estates and retirement villages. Constas says the wisest course of action for trustees is to get up to speed with what it says. What info are we talking about? In terms of the Sectional Titles Schemes Management Act, it’s compulsory for body corporate trustees to prepare and update lists of trustees, owners and tenants with their full names, ID numbers, passport numbers (if they’re not SA citizens), mailing addresses, telephone numbers and e-mail addresses, she says. This personal information is valuable and cannot be used without consent for any purpose other than that of the operational daily management and administration of the scheme. “If an owner is in arrears with levies, for example, the body corporate knows where to serve the summons or a letter of demand. If a tenant plays their music too loud, a warning letter can be sent to their e-mail address,” Constas says. How can this info be misused? If, for example, a trustee whose brother-in-law who runs a gardening service tries to get hold of the body corporate database to send out his brother-in-law’s advertising material, there would be a serious breach of the POPI Act, Constas says. “If the body corporate database with details of trustees, owners and tenants gets into the wrong hands, there may be unsolicited harassment in the form of advertising or worse still, identity theft which is exceptionally serious.” Act welcomed “I think in the past body corporate databases have been exploited.
The POPI Act is most welcome and completely overdue. The right to privacy is protected in our Constitution, and the act now enhances that right and ensures that a balance is struck between the right to privacy, and the need for the free flow of and access to information. “Trustees are under a fiduciary duty to guard personal information against the risk of loss, unauthorised access, interference, modification or destruction. If a person’s personal information has been compromised, that person must be notified immediately,” she explains. Obligated Trustees must now be able to respond when owners want to know what they are doing with their personal information. They need to consider how they’ll warn residents that their personal information may be made available to those inspecting the books of account and record. If an owner suspects that their information has been shared without their consent, they can approach the Information Regulator who’ll in turn send the complaint to the Enforcement Committee for investigation. “The final decision lies with the Regulator who can impose a penalty or a fine and/or imprisonment for 12 months. The complainant can also bring a civil claim for damages to court.” What about guards at the gates? The guard at the entrance of a scheme often requests a visitor’s ID card and proceeds to make a copy. “That card has a photo, an ID number and a date of birth. Now, under the POPI Act that visitor would have the right to demand the following from the trustees of the scheme: What’s the purpose of taking this information? How will you guarantee the safety of that information? How long will you keep the information and will it be deleted after that time period?” Trustees must be able to account when it comes to visitors who provide their personal information to the guards at the gate. Up to date policy required Constas recommends that every body corporate has a clearly expressed and up to date policy about its management of personal information. The policy should include details of the type of personal information the complex collects and holds, as well as how the complex collects and stores personal information. The purposes for which the complex collects, uses and discloses personal information must also be detailed, along with information on how an individual may access it. “The policy document must also outline how an individual can complain to the Information Regulator and how the complex will deal with that type of complaint,” she says.