
POPI: The countdown commenced

MAIN IMAGE: Maryna Botha, director STBB

Maryna Botha

The bulk of the provisions of the Protection of Personal Information Act (POPI) finally became operational on 1 July 2020. This means that businesses have 12 months within which to put measures in place that adequately safeguard the personal information that they have of clients, customers and business partners.

After 1 July 2021 non-compliance could result in fines of up to R10 million and even prison.

What does this mean for the real estate profession and role players in this sphere? At first glance, it appears to require no more than applying proper business governance measures which should include respecting the privacy of those that you deal with.

It is indeed that, but also substantially more; the additional requirements are briefly touched on below.

As background, it is important to view the requirements against the backdrop that (i) the definition of what constitutes “personal information” is wide, including details such as gender and religious beliefs; (ii) that estate agencies and businesses nowadays collect a lot of personal information from prospective clients, whether via online profiles or completion of forms, especially in transactions relating to the sale and purchase or letting and hiring of property, FICA compliance affidavits, bond approvals; (iii) that system hackers often seem to be quite successful; and (iv) that apart from huge penalties for non-compliance, an estate agency will be very hard hit by reputational damage resulting from a data breach.

Some of the new obligations on estate agencies include:

  1. It is necessary to maintain records of the personal information collected from the client (or data subject, as he/she or it is referred to in the Act). The agency may further only collect such data as is necessary for the instruction at hand. For example, in a lease agreement it is reasonably related to the transaction at hand for the agent to collect details of the remuneration of the prospective tenant, but to ask him about his employment history may fall foul of the requirement that only necessary information may be called for. The conditions for lawful processing of personal information notably also require the consent of the client to the processing of the personal information. Preferably the consent should be in writing. For example, landlords, tenants, sellers, purchasers and their authorised representatives should be requested to consent to the processing of their personal information for the purposes of the transaction, prior to receiving any personal information.
  1. Furthermore, the collection of the personal information must be obtained directly from the client (‘data subject’) unless (i) the information contained is derived from a public record (for example a telephone directory, deeds office print-out or Google search); or (ii) has deliberately been made public by the client (e.g., on Facebook or other social media); and (iii) was collected for a specific purpose related to a function that the estate agency is performing. The client must further be informed hereof. Thus, all real estate role players must adapt their processes to notify all clients that personal information will be collected and processed by the agency for a specific purpose.
  1. Rules regarding the sharing of data with third parties, such as with a vendor software operator, require that the estate agency must conclude a service level agreement with the third party to ensure that compliance with POPI is included as one of the obligations of their contract. Service level agreements must therefore be adapted to ensure that the third party receiving personal information from the estate agency to provide a service – such as online payment portals, inspection services, cleaning services and the like – adheres to that agency’s privacy policy and implements the necessary steps to ensure the safeguarding of the information received.
  1. Direct marketing practices must be adapted. Many businesses nowadays, estate agencies included, collect information from clients and customers via their website (often by asking the client to create a profile) or directly in order to provide their service. Any such collection of data requires consent and awareness on the side of the client or customer that his information is being collected for a particular purpose. Direct marketing is now restricted to persons who have given you consent to market to them in this way. Where the marketing is to an existing customer, you may send direct marketing material to that person once if the marketing relates to the service for which that client first contacted you and he or she has been given a reasonable opportunity to object to such marketing (at the time that his or her personal information was collected, and every time he or she is marketed to). Failing consent, you may approach a person once only to obtain consent. In any communication sent, there must always be an option to opt out, and you must record such request in your database so that you do not send direct marketing to that person again.
  1. Employment agreements generally require the provision of a good amount of personal information. This is stored by the employer-business. These agreements, whether for permanent employment, fixed term employment, independent contractors or consultancy arrangements, must have relevant clauses advising the individual about the collection, storage and dissemination of the relevant individual’s personal information, and his rights in terms of the Act.
  1. Drafting and implementation of privacy policies and training staff on their obligations in terms of the Act.
  1. Appointment of an Information Officer.

Penalties for non-compliance

As mentioned, from 1 July 2020 all businesses will have 12 months to implement measures to ensure they are compliant with the new legal requirements to protect the personal information of clients. After 1 July 2021 businesses who are found to be in contravention of the Act’s requirements could face stiff penalties for non-compliance. Jail terms and fines of up to R10 million can be imposed. However, it is generally agreed that the more severe penalty probably lies in the extensive reputational damage that can follow on an information breach.


STBB has a Privacy Compliance Team and property professionals are welcome to contact them for assistance to become fully compliant at marynab@stbb.co.za. Their 6-month Gearing Up programme offers a set period to put the necessary measures in place in a structured way.

About the author: Maryna Botha is an admitted attorney, notary and conveyancer and the marketing director of national law firm, STBB Smith Tabata Buchanan Boyes. She currently specializes in all aspects of property law and conveyancing, as well as consumer and credit law. She lectures widely on these topics and publishes regularly on all aspects related to property law.
