Prepping for POPI
Although the internet is generally an all-too-easy source of personal information, and client-agent relationships elicit personal details as well, the enforcement of the Protection of Personal Information Act (POPI) is set to have far-reaching implications for the real estate industry.
While many companies have started planning how they are going to adjust to POPI, too few have started the sizeable task of implementing those changes, a process that in itself could be very time-consuming.
The Protection of Personal Information Act was signed into South African law by President Jacob Zuma in November 2013, and expectations are that the Act will be proclaimed by the end of 2015, carrying with it a one-year grace period. After that, POPI will be enforceable and non-compliance will be punishable with a fine up to a maximum of R10 million or imprisonment of up to 10 years. In its aims of bringing South African legislation regarding privacy principles on a par with international law, the POPI Act has advantages for the real estate industry, despite its challenges.
COMPLYING WITH POPI WILL MEAN
• Increased customer trust because of transparency regarding what information is collected and how it is processed and used.
• Improved efficiency and reliability of a company’s databases through capturing the minimum required data, ensuring accuracy, and removing data that is no longer required.
• Reduced storage and archiving costs because of less data being held.
• Minimised risk of data breach because of improved measures for identifying and protecting data.
• Positive overall effect on the controls and good business practices of a company.
THE DISADVANTAGES INCLUDE
• Increased administration and documentation regarding any use of personal information.
• At times, agents may find themselves in compromising situations if they become aware of information they feel they should pass on (such as a fraudulent buyer, seller or tenant), but are unable to because of the rulings of the Act.
IN REAL TERMS
In agencies countrywide, management and staff are still sizing up what POPI will mean in concrete terms. “The implications, I think, to real estate and its agents go way beyond what agents currently comprehend,” says Jonathan Acutt, managing director of Acutts Estate Agents.
“While agents may have good intentions about how we handle the information at our fingertips, we need to remember that there are other people out there who do not share the same value systems,” says Acutt. “The Act sets out to prevent parties from selling their clients’ information to a third party. And while this is not a common practice among agents, how you protect information from falling into the wrong hands is now utterly crucial. In the past, agents were required to store sale information for five years and then they could throw the paperwork away. POPI is dictating that we destroy that information in a proper way so that it can’t be used by anyone else.”
Acutt goes on to say that POPI also seeks to control how we communicate with our clients through newsletters. “Before, it was acceptable to have an ‘opt out’ facility at the bottom of your mail, but now I believe we will need to have an ‘opt in’ facility, instead.”
He says Acutts haven’t made any great changes in their marketing strategy, but they are educating their agents to be more aware about what they do with client information, to be aware of the fact that they are collecting personal information and that the loss of this information can have serious consequences. “We are also instructing agents on how to deal with old and unwanted client information in the appropriate manner, and this includes copies of IDs, payslips and utility bills. Another source of information is old printers that are thrown away. Often, these printers have onboard memory that records anything that has been copied or scanned,” explains Acutt.
POPI AT A GLANCE
The POPI Act seeks to regulate the processing (collection, usage, storage, dissemination, modification and destruction) of personal information (information relating to an identifiable, living person, company or CC), including:
• Contact information (email, telephone, address)
• Demographic information (age, gender, race, birth date, language, ethnicity)
• History (employment, financial, educational, criminal, medical)
• Biometric information (fingerprints, iris recognition, blood type)
• Opinions of and about the person
• Private correspondence
SOME OF THE OBLIGATIONS UNDER POPI ARE
• Being open and transparent when collecting information and making sure the parties know their rights and obligations.
• Making sure the reason for collection, the data collected and the manner of collection are lawful and appropriate, and that any further processing is in compliance with POPI.
• Taking all reasonable steps to ensure that information is accurate, correct and secure.
• Allowing the subject of the information to see it on request.
Many companies and businesses rely on the possession and use of the types of information listed. The Act allows for this in certain instances, but it must be justified by the holder thereof.
THE INDUSTRY’S TAKE
Geoff Stroebel, from RealNet Premier in Cape Town’s southern suburbs, raises some complex points. “We don’t use personal information once it has been gathered after the relevant deal has been concluded, and all the necessary steps are taken to protect the information that we do have,” he says.
“POPI requires that there must be a valid reason as to why an institution would share information. In the real-estate environment, the parties that have access to personal and private information are the agents, support staff and the conveyancing attorneys, and none of these parties should have any valid reasons to spread this information around,” Stroebel says.
“The Estate Agency Affairs Act prescribes that sufficient measures be taken to protect data on site by means of secure and protected data connections and hardware, lockable and fire-proof storage for hard copies, and regular back-ups of electronic data. After this, we rely on our trusted conveyancing attorneys, mortgage originators and banks to follow their own protection policies in adherence with POPI.”
Michela Soukop, from the Soukop Property Group in Durban, says POPI also raises questions in the letting arena. “We will no longer be able to reveal a tenant’s identity, bank statements or letter of employment to a landlord. It’s an interesting issue – for example, a landlord will ultimately be letting their property to someone they know absolutely nothing about. I think it will be a learning curve for us all, with some unexpected situations likely to arise.”
THE CLOUD: HOW SAFE IS IT?
“Today’s cloud services, including the likes of Microsoft Office 365, Google Apps and Amazon Cloud Services, are unparalleled in their attention to data security and integrity,” says Henry Craythorne, technical director at Instaweb. “Most, if not all, mainstream cloud service providers use encryption and security measures comparable to military standards. This means that data stored on a cloud service is far more secure than data stored on a personal computer, laptop or server, which anyone with a little computer know-how can access.”
However, Craythorne says using an encrypted cloud storage solution is “useless if you haven’t used secure passwords and the correct policies, procedures and protocols while securing your data.” Password strength is paramount, Craythorne says, so don’t use the obvious birth dates, pets’ names or nicknames. Also, “by far the biggest threat to data security is not where you store your data, but the person using the data. It only takes a single user who gains another user’s password to compromise a system. Instaweb works with all the major cloud service offerings and we come across companies daily who are in dire need of the correct protocols within their organisations to secure their information.”
Words: André Fiore