POPI Act and privacy in community housing schemes
MAIN IMAGE: Andrew Schaefer, managing director Trafalgar
Community housing schemes have just a few months left to ensure that their record-keeping systems and those of their managing agents are compliant with the Protection of Personal Information (POPI) Act, which became effective on 1 July this year with a transition period to ensure complete compliance by 30 June 2021.
So says Andrew Schaefer, managing director of property management company Trafalgar, who points out that it is also important for owners and occupiers in Sectional Title schemes and gated developments run by home owners’ associations (HOAs) to understand that the new Act does not make it illegal for the trustees or directors to collect their personal information, or to request certain personal details from visitors to their schemes in the interests of security.
“Of course everyone in SA has the right to privacy, as provided for in Section 14 of our Constitution, and the POPI Act actually amplifies that right with provisions intended to protect consumers against identity theft as well as the unauthorized use or sale of their personal information for any purpose, including the creation of databases for marketing and sales campaigns.
Personal data may be collected
“However, the new legislation does not stipulate that personal information cannot be collected – only that when it is collected, it must be properly managed and protected,” says Schaefer.
This is especially pertinent in community housing schemes, he says, where the trustees, directors and managing agents have to keep a significant amount of personal information about owners and tenants on record in order to:
- Send levy accounts and statements to the correct people
- Allocate payments correctly
- Send out communications about the annual budget, the AGM and other body corporate or HOA meetings
- Facilitate communications with owners and tenants regarding security issues or in an emergency such as the recent Covid-19 lockdown
- Take swift action in the event of levy defaults
Schaefer continues: “Some schemes also send out monthly newsletters using at least some of this personal information, and many now also have residents’ Facebook pages or WhatsApp groups where at least some member information is shared. In addition, most schemes have controlled-access points where residents and visitors alike must provide personal information to gain entry to the complex or to obtain a remote control or access card. This may include a car registration number, a fingerprint and a photograph, for example, as well as their name and telephone number.”
Compliance from 1 July 2021
But after 1 July next year, any business or legal entity that is not compliant with the POPI Act is risking prosecution and a high fine, so ST trustees and HOA directors need to act quickly now to ensure that their scheme – and any “third party” such as a managing agency or security company that is acting on their behalf – is gathering, storing and using personal information correctly, or currently upgrading their procedures and systems to ensure that this information is protected.
Schaefer says there are two parts of the Act that trustees need to be particularly concerned about to start with, the first of which is the general requirement that a consumer’s consent must be obtained before any of their information can be collected or used, and that they must be properly informed about the reason for collecting the information, what will be done with it and how it will be protected.
POPI and permission to collect personal data
In practical terms, ST trustees and HOA directors do not need to obtain the permission of owners in their schemes to collect or hold whatever personal information is needed for the “effective management” of those schemes, as long as that is all they do with it. However, they do need to inform them if this information is being shared with a third party, such as a managing agent, to assist with effective management of the scheme.
“In addition, they will need to obtain their permission (preferably in writing) to collect and hold any information that they intend to use for any other purpose – and state what that purpose is. They may not, for example, let owners believe that their personal information will only be used for correspondence and communications like levy statements and meeting notices and then use it – or allow it to be used – by a different company for some other purpose, such as direct marketing, without permission.”
The second concern for trustees and directors, he says, is the security of their information storage and management systems, whether these are digital or paper-based, and on-site or off-site. The Act provides for personal information to be kept in such a way that it is protected from unauthorised access – by computer hackers, for example – and for it not to be sold to or exchanged with any other organization.
“In short, the person or company that gathers personal information is obliged to take practical steps to protect it, such as ensuring that computer records are encrypted, or that paper records are locked away and only able to be accessed by certain people in the company. The Act does not insist that companies install very high-tech systems, only that they have procedures in place to protect the information they hold and that they implement a system of accountability.”
However, says Schaefer, this does not let ST trustees “off the hook” if they are not keeping their own records. “On the contrary, they are responsible for any information collected on behalf of their scheme, so if this is being done by a managing agency, they must ensure that they deal with a reputable company such as Trafalgar, which already has a proper system in place to protect and isolate all the personal information relating to individual schemes – and a clear plan about what to do if the security of that system is breached.”