POPIA Act deadline looms
The Protection of Personal Information Act No 4 of 2013 (POPIA) has commenced, and all companies, organisations and bodies are required to comply with every aspect of the Act by the 30th June 2021. POPIA applies to any person, business or entity that in any way processes personal information of clients, members, subscribers, employees and the like: for example profit companies, non-profit companies, organisations, schemes or any other business or entity that holds or processes personal information.
The purpose of POPIA is to ensure that every South African institution conducts itself responsibly when collecting, processing, storing and sharing another entity's or person's personal information, by holding it accountable. Failure to comply with POPIA can lead to severe penalties enforced by the Information Regulator (www.justice.gov.za), which can be:
- A fine of one (1) to ten (10) million Rand, or;
- A prison sentence of one (1) to ten (10) years;
- Or a combination of the two.
It is therefore of the utmost importance to ensure compliance with the Act. Watchprop has engaged with specialist role players to ensure that community schemes under their management have the opportunity to comply before the 30th June 2021. Trustees have been provided with a suggested process to enable the formulation of a POPI Pack that includes a:
- Data Protection and Information Sharing Policy Statement, POPI Manual;
- Promotional Disclosure of Information Act Manual (PAIA) that reads in conjunction with the POPI Manual;
- Useful Annexures used in terms of PAIA and POPI; Privacy Policy.
The fundamental purposes of the POPI Act are disclosed in the first two phrases of its preamble: "To promote the protection of personal information processed by public and private bodies; to introduce certain conditions so as to establish minimum requirements for the processing of personal information..." Simply explained, the POPI Act exists to ensure that people's personal information is not misused.
The Act's definition of personal information is comprehensive, covering all information relating to an individual or artificial person.
There are three classes of personal information: General, Special and Children's personal information, with increasing restrictions on each class.
Examples of general personal information are identity numbers, telephone numbers and addresses. Special personal information includes details of persons' religious or philosophical beliefs, their race or ethnic origin, trade union membership, political affiliations, health or sex life, previous criminal behaviour, and biometric information. Any information relating to a person under the age of 18 is considered particularly sensitive.
This will require community schemes to only keep general personal information relating to their residents, employees, suppliers and others they deal with.
Section 9 of the POPI Act requires that personal information must be processed lawfully without infringing the privacy of the "data subject" - the person whose personal information is being dealt with.
Section 11 sets out the requirements for lawful processing and it includes: (b) processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party; and (c) processing complies with an obligation imposed by law on the responsible party.
In terms hereof, community schemes are entitled to process such personal information as they need to in order to comply with the laws that govern their operations and the requirements of their governance documents. Important to note, a community scheme must not process any personal information that it does not need to, in order to comply with its statutory and contractual obligations.
Schemes are entitled to use their CRM and accounting systems to carry out the processes required to comply legally. This would include aspects such as the generation of levy statements and distribution thereof to appropriate owners and reporting aspects of levy defaulters or residents who have broken rules, so as to be able to initiate appropriate actions based on such information.
Using this information for external purposes will be illegal (for example, processing owners' personal data to create email or address marketing lists for products or services, unless the owners have opted in to receive such communication).
Each community scheme has to appoint a "responsible party", a person to implement the requirements of the POPI Act.
In communication received from CSOS (Community Scheme Ombud Service), it is their view that the Information Officer (Officer) for private bodies in terms of Section 1 of the Protection of Personal Information Act (POPIA) must be a head of an organisation. Within schemes, that would in essence limit the role to either a member of the board of trustees and/or directors, including a chairman, or an Estate Manager. Under the current definition, managing agents are not empowered to be appointed as the Information Officer. CSOS has therefore started a process of engagement with the Information Regulator with a view to having a managing agent included in this definition.
The POPI Act requires that a community scheme keep personal information securely and that the people whose information is being stored are given an opportunity to correct it when it is wrong.
A question often asked is whether the POPI Act will prevent an owner from accessing other owners' contact details. There is nothing in the POPI Act that precludes an owner from inspecting and copying scheme records, in accordance with the relevant legislation and the scheme's governance documents. In our view, personal contact information can only be provided with the written approval of the parties whose information is requested.
The ordinary operations of a community scheme should not be affected by compliance with the POPI Act, but scheme executives will need to be aware of its provisions and appoint a responsible person to ensure that the personal information they store and process is not abused and that it is kept secure from others who could misuse it.
There are sure to be many further points of discussion as the compliance date is reached. It is important that scheme executives (trustees) understand the importance of compliance and exercise their fiduciary duties to ensure same.
Author: Andre Augustyn