MAIN IMAGE: Maryna Botha, STBB Cape Town
The office of the Information Regulator has asked President Cyril Ramaphosa to sign the Protection of Private Information (POPI) Act into effect by 1 April 2020. His office has not made a public announcement whether this will happen or not, yet it is best that all affected businesses, and this includes the real estate sector, be prepared.
What is POPI about?
How would you react if your pregnancy status, employment history, financial position, cell phone number, sexual orientation, political views and other information personal and private to you are furnished to a potential employer without your consent, leaked on Google, or made known to owners in a complex where you live?
The above examples offer a tiny glimpse into the arena where the Protection of Personal Information Act (POPI) will play a role, once it is fully operational. It has as aims to ensure that details which are private, whether it relates an individual or an entity, are dealt with in a responsible and careful way so as to avoid, as far as reasonably possible, that the information becomes available to third parties who are not entitled thereto, without the consent of that individual or business. Entities in sectors such as financial services and telecommunications, which require the collection of immense amounts of personal information, will be particularly harshly affected by the new regime.
As mentioned, it has been reported in the news that the Information Regulator has asked President Cyril Ramaphosa to make the Act operational with effect from 1 April 2020. The Act does however state that there is a window period of 12 months from the date that the Act is made operational before the Regulator will expect full compliance. In essence therefore, it will only be from 1 April 2021 that formal compliance is required. However, taking the costs of reputation damage into account, one would strongly advise all businesses to put steps into place to become compliant.
What must you do?
Estate agencies, just like all other businesses, should partner with a service provider that can properly assist them in:
- identifying where in their business are they dealing with personal information;
- ensuring that this information is carefully treated, as prescribed in the eight conditions of processing (explanation follows);
- obtain consent from the persons on their databases to be able to continue to lawfully direct market to this databasis;
- staff training and put compliance policies in
How is protection of personal information achieved?
Without going into the details of the separate provisions, one can summarise as follows:
Firstly, the Act gives wide definitions to what is considered to be personal information that must be protected. This includes information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person; information relating to the education or the medical, financial, criminal or employment history of the person; any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person; bio-metric information; the personal opinions, views or preferences of the person, and more.
This is a broad definition and applies to entities, where appropriate.
The Act lists eight “processing conditions” which must be adhered to when such information is collected, stored, disseminated, used and/or deleted (all of which are considered to be “processing” of data). These are briefly:
Accountability: All businesses, private persons need to be responsible, accountable and must comply with the conditions of the Act.
Processing limitation: Businesses must justify why they are processing and capturing private information. This implies that there should be limits in place as to what information are processed and how much is collected. Generally, the consent of the relevant person or business to whom the information belongs, must be obtained. Any processing must be compatible with the original purpose for which the information was collected.
Purpose specification: The personal information must be captured for a specific and justifiable reason and the party must be aware of this. A record must not be kept for longer than deemed necessary.
Further processing limitation: Any further use or processing of information collected must be related to the original purpose of the information being collected.
Information quality: All information collected must be correct, up to date and not misleading.
Openness: In order to fulfill the openness condition, notification must be sent to the party whose information is being captured. The party must be able to view your name and/or company name and address, be informed of the reason why you are collecting this data, what the information is.
Security safeguards: Businesses need to identify which of the data they hold are “personal information” and treat it with adequate care. All such information must be kept securely and a business must be able to show that it has done its best to ensure proper safe-keeping if the data. If there is a security breach, the business must inform the Information Regulator and the party whose data is affected.
Data subject participation: The party whose information you have, has the right to ask for any data that you have about them. They can also request that you permanently delete this information, or update it.
A very basic example would be the following: If an estate agent assists a buyer to obtain a loan from a bank or mortgage originator, the agent will obtain certain private details of the buyer for this purpose. The agent is ‘processing’ this data (‘personal information’), but he has consent from the client to do so and this is therefore legitimate. He may not collect more information than is necessary, for example details of the buyer-applicant’s health (unless this plays an important role for some reason or other). It is clear also that the client knows that this data has been obtained and within the hands of the estate agent and what the purpose thereof are. The agent must in addition make sure that the information is only accessed by those entitled to see it (for example the bank or mortgage originator) and must not be left lying on a desk or be stored on a laptop that is left in the back of a car that can be stolen. Once the application has been finalised, the paper and electronic file versions must be deleted in a safe way, after any statutory period that may be prescribed for the retention of such documents, have lapsed.
Various exceptions and qualifications apply to the above, but those are outside the ambit of this article. Take note: with regards to the personal data and reporting requirements set by the Financial Information Centre Act (FICA), the latter will trump over requests from the client to delete information.
Direct marketing is a further important activity that is regulated by the Act. The consent from a consumer must be obtained before any direct electronic marketing may take place. A consumer must thus ‘opt-in’ before a business may market to him or her or it and may be contacted once-off to ‘opt-in’ for direct marketing purposes. Where a consumer is an existing client or customer of the business, the position is slightly different. In this instance, certain direct marketing is allowed, provided there is always an opt-out option.
Penalties for non-compliance
The third leg of the Act relates penalties for non-compliance. Jail terms and fines of up to R10 million can be imposed. However, it is generally agreed that the more severe penalty probably leis in the extensive reputational damage that can follow on an information breach.
About the author: Maryna Botha is an admitted attorney, notary and conveyancer and the marketing director of national law firm, STBB Smith Tabata Buchanan Boyes. She currently specializes in all aspects of property law and conveyancing, as well consumer and credit law. She lectures widely on these topics and publishes regularly on all aspects related to property law.