POPIA and community housing schemes
MAIN IMAGE: Marina Constas, director BBM Law; Andrew Schaefer, managing director Trafalgar; Sicelo Kula, Michalsons Attorneys
With less than 50 days to go to meet the compliance requirements of the Protection of Personal Information Act (POPIA) – how ready are SA’s community housing schemes?
Stiff fines for community housing schemes
There are many aspects to POPIA and many community housing schemes (CHS) do not even have the basic elements in place yet to achieve compliance says Andrew Schaefer, managing director of Trafalgar property management company. This state of affairs appear to apply to other sectors within the property sector as well as a recent TPN Credit Bureau survey found most of the businesses they surveyed were not yet ready to meet POPIA compliance requirements – of the 200 companies TPN surveyed, only 8% scored above 80% for their POPIA readiness.
Community housing schemes (CHS) like sectional title complexes, apartment blocks, residential estates and retirement villages that fail to meet POPIA compliance requirements by 1 July 2021 could be liable for a fine of up to R10 million or face up to 12 months’ imprisonment warns specialist sectional title attorney and BBM Law director Marina Constas.
The task to ensure their development’s POPIA compliance readiness falls on the shoulders of the trustees in sectional title schemes and directors of homeowners associations. Constas says they should have a well advanced POPIA plan of action by now. “By now, every community housing scheme should have a POPIA policy; or be close to finalising this important document. They should have appointed an information officer who is the POPIA oversight representative of the scheme; amended their rules, if necessary, to comply with POPIA; and they should have POPIA agreements with stakeholders like auditors and managing agents who have access to the personal information of owners and tenants,” she advises.
Registration of information officers
Every scheme needs to appoint an information officer – preferably a trustee or director – who will be responsible for all the personal information that is collected by that scheme, and by any companies that provide services to the scheme such as managing agents or security, cleaning and insurance companies. This information officer should also be familiar with the provisions of the Promotion of Access to Information Act (PAIA) and must be registered with the Information Regulator before 1 July explains Schaefer.
Online registration platform not yet ready. According to the new POPIA regulations the commencement date for the registration of information officers is 1 May 2021. The regulations request that, due to the current Covid-19 pandemic, registration should preferably be done via email or on the online platform of the Information Regulator on the website of the Department of Justice. However, as many estate agents and other affected businesses have since discovered, the online registration portal is not yet operational and therefore they are not yet able to register. The department has a notice on their website that says while the 1 May date is only ‘the commencement for registration of information officers … and not the deadline’, all affected businesses are encouraged to register as soon as the portal is up and ready. The deadline for the registration of information officers is the end of June.
Sicelo Kula of legal firm Michalsons notes that although POPIA does not provide for the role of the information officer to be delegated to a managing agent, the CHS can delegate the responsibilities that come with the role.
Most importantly, CHS trustees and directors need to make all their owners, employees and service providers aware of the provisions of POPIA, as well as the fact that this legislation does have quite wide-ranging implications for them all. They also need to communicate their plans to achieve compliance and any new measures they may be putting in place, Kula explains.
POPIA policy for a housing complex
The POPIA policy for a housing complex should include details of whose personal information is collected and held by the complex. According to Constas this includes trustees, owners and tenants, as well as visitors. The type of personal information that the complex collects and holds, as well as how the complex collects and stores personal information, must be specified. The purposes for which the complex collects, uses and discloses personal information must also be detailed, along with information on how an individual may access personal information.
“It is important to remember, Schaefer says, that POPIA does not forbid the collection of personal information, but rather stipulates, for example, that every person whose information is requested is entitled to be informed how that information will be used and how it will be secured to prevent it from being used for any other purpose. “Most CHS will probably already have the names, addresses, telephone numbers and email addresses of all owners on record, for example, and those owners are entitled not only to know that this information is being held, but also to be guaranteed that it is being securely held and will not be used or sold for any other purpose than that originally intended.
“And the same goes for any personal information that is collected to maintain security in CHS, whether it is in analogue form such as names and car registration numbers written into a paper register at the gate, or in digital form such as fingerprints on a biometric scanner or footage captured on a CCTV system.
“However, this information is usually gathered by third-party service providers, and one of the requirements of POPIA is that the scheme must now have a contract with each of these service providers that clearly stipulates what personal information it may collect, where and how that data must be stored and secured, and when it must either be destroyed or returned to the CHS,” Schaefer says.
Other POPIA compliance issues that every CHS needs to address within the next two months include the following:
- The preparation of a written data protection policy, and a plan of action in the event of a data breach;
- The formal allocation of financial and other resources to ensure that the POPIA plan is put into action; and
- The preparation of a plan to sustain POPIA compliance, such as annual auditing and ensuring that the scheme’s practices are updated to comply with any changes in the legislation.
Data protection is a relatively new field but is increasingly important, continues Schaefer. Just think of some recent high-profile cases involving data breaches at companies like Facebook, Microsoft, EasyJet and even South Africa’s Postbank in which millions of people have had their email addresses, passwords, bank card numbers, ID numbers and other sensitive data exposed.
“In SA this is now being underlined by the importance being placed on across-the-board POPIA compliance, and many organisations being asked by consumers to prove that any data they collect, and hold is being properly secured and managed. We fully expect CHS to come under similar scrutiny,” Schaefer ends.
To enable community schemes to quickly put an effective POPIA plan into action at minimal cost, Trafalgar and Michalsons have joined forces to launch a compliance “toolkit”. The toolkit contains a set of templates and documents that will guide the trustees of sectional title schemes and the directors of homeowners’ associations through many of the steps they need to take to get ready for POPIA.