Background to the POPI Act
The Protection of Personal Information Act 4 of 2013 (“POPI Act”) was signed into law by the President on 19 November 2013 and published in the Government Gazette Notice 37067 on 26 November 2013. The provisions relating to definitions, the establishment of the office of the Information Regulator, and the making of the regulations came into force on 11 April 2014. The POPI Act came into operation on 1 July 2020, and the one-year grace period to become compliant ended on 30 June 2021.
Purpose of the POPI Act
The POPI Act gives effect to the constitutional right to privacy while advancing the right of access to information. The purpose of the POPI Act is to promote and introduce certain conditions for the protection of personal information processed by public and private bodies; to provide for the establishment of an Information Regulator; and to provide for the issuing of codes of conduct. This includes protection against the unlawful collection, use, disclosure, and destruction of one’s personal information.
To whom does the POPI Act apply?
The POPI Act applies to any person or organisation that processes personal information. Any person or organisation that processes personal information is now legislatively required to implement and maintain reasonable, commercially acceptable security procedures to protect it from breaches of confidentiality, unauthorised access, destruction, use, modification, or disclosure.
What is processing?
Processing is defined as any operation or activity or any set of operations, whether or not by automatic means, concerning personal information including the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation, or use, dissemination or distribution and the erasure or destruction of personal information.
Almost all persons and organisations conduct some form of processing of personal information, whether it be for purposes of communication or the provision of services.
The POPI Act sets out eight conditions for lawful processing:
- Accountability
- Processing limitation
- Purpose specification
- Further processing limitation
- Information quality
- Openness
- Security safeguards
- Data subject participation
What is “personal information”?
“Personal information” has a wide definition in section 1 of the POPI Act, and can be defined as any information that relates to an identifiable, living, natural person and where applicable, an identifiable, existing juristic person. The scope of personal information is extremely wide and includes everything from information relating to race, gender, pregnancy, marital status, sexual orientation, age, physical or mental health, religion, language, education, financial history, identifying number, e-mail address, physical address, telephone number, location information, online identifier, personal opinions, views or preferences, confidential correspondence, biometric information, views or opinions of another individual about the person, and the name of the person if it appears with other personal information.
Effect of POPI Act on sectional title schemes
The POPI Act could have an effect on the access to and processing of information in sectional title schemes. The body corporate, trustees, and managing agent have the responsibility in terms of various provisions in the STSM Act to process the owner’s personal information, which makes them the “responsible party”, while the owners, tenants, employees, contractors, etc. to whom the personal information relates are the “data subjects.”
Within the context of sectional titles, the POPI Act requires that the body corporate not intrude on the owner’s privacy to an unreasonable extent. All the information must be collected for a specific, defined, and legitimate purpose and it cannot be further processed for a different purpose. The body corporate must maintain the information quality in that it must be accurate and complete and not misleading and must be updated where necessary. Furthermore, the body corporate must have appropriate technical and organisational security safeguards for the information. The owner must know why the personal information is kept and must have the opportunity to amend or correct it. Therefore, the trustees, on behalf of bodies corporate, will have to consider what data they keep, and how it is stored, secured, used, and made available to others.
Section 32 of the Constitution of the Republic of South Africa, 1996, supplemented by the Promotion of Access to Information Act 2 of 2000, guarantees the making available of information. The principle is that a person is entitled to be furnished with all available information that affects his interest. An interesting question, in light of the POPI Act, is whether the owners are entitled to the scheme’s debtors age analysis reports that set out which owners are in arrears with their levies and for what period of time they have been in arrears. PMR 26 requires that the trustees keep books and records that fairly explain the financial position of the body corporate, and owners are entitled to inspect these records. Furthermore, PMR 27 requires the body corporate to keep governance documents and records that must be available for inspection by the members. It is for these reasons that we are of the opinion that all the members of the body corporate are entitled to information regarding any owner who is in arrears with their levies.
The body corporate has access to the contact details of the owners. Section 3(1)(n) of the STSM Act requires that the body corporate comply with any reasonable request for the names and addresses of the persons who are the trustees of the body corporate or who are members of the body corporate. PMR 26(2) provides that on the application of any owner, registered mortgagee, or managing agent the trustees must make all or any of the books of account and records available for inspection and copying by such owner, mortgagee, or managing agent. PMR 4(5) provides that the domicilium citandi et executandi (service address) of each owner shall be the address of the section registered in his name. The owner is entitled at any time, by written notice to the body corporate to change that address, for purposes of receiving notices, to another physical, postal, or fax address in the Republic of South Africa or to an email address, and that the change in the service address of the member is effective when the body corporate receives notice of such a change. This rule implies an obligation on the body corporate to keep a list of owners and their addresses, while section 3(1)(n) requires that the body corporate must comply with any reasonable request for the names and addresses of its members. Whether or not the trustees must make the names or addresses available will depend on the reasonableness of the request.
The very nature of communal living requires that the inhabitants have reasonable access to each other’s contact details to exercise their rights. The POPI Act cannot be used as an excuse not to give this personal information, as the STSM Act provides legitimation to the fact that owners are entitled to this information. On the other hand, it also does not mean that the trustees must give all the contact information, but merely the name and domicilium as is required in terms of PMR 4(5).
Conclusion
In order for bodies corporate to become compliant they must complete some training and education on the POPI Act; develop a POPI Act compliance framework to guide compliance; and appoint an information officer.
In conclusion, the principles of compliance with the Sectional Title and POPI Act require that trustees must:
- Know how personal information is collected;
- Obtain consent before collecting data (or processing, storing, or sharing it);
- Know what personal information is collected;
- Only collect data needed for legitimate purposes;
- Use the information in a way that matches the purpose of the collection;
- Know how personal information is stored;
- Take reasonable security steps to protect the integrity of the information;
- Store the information only as long as required;
- Know who has access to the personal information processed;
- Uphold data subjects’ rights by providing access and corrections to information;
- Know how personal information is maintained;
- Know how personal information is destroyed; and
- Create policies to notify the Regulator about your processing activities, such as a Privacy Policy.
With the CSOS deadline coming into effect on the 10th of May 2023, it is your responsibility to ensure that your Community Scheme is POPI and PAIA compliant, with the necessary manuals in place; otherwise you could be facing a R10 million fine.