Is your estate ready for POPI?6th Dec 2020
Owners and occupiers of community sectional title housing schemes and private gated developments run by homeowners associations (HOAs) have until the end of June 2021 to ensure that their record-keeping systems are compliant with the Protection of Personal Information (POPI) Act that came into effect on 1 July 2020. Failure to adhere to the new Act carries the risk of prosecution and a heavy fine.
Estate management has to keep a significant amount of personal information about home owners and tenants on record to send out levy statements, allocate payments, and communicate about annual budgets, events, meetings, and other body corporate issues. Different schemes will use different channels of communication – some will send out monthly newsletters via email, while others willpost updates on Facebook, or send out a broadcast message via a WhatsApp group. Regardless of what information you have stored, and how you use it, the Act stipulates two main requirements for HOAs and trustees of sectional title schemes.
Collecting personal information
Firstly, the owners or management of these schemes must obtain the consent of every resident before collecting, using or storing their personal information. When asking for consent, the HOA must properly inform the resident of why they are collecting this information, how they intend to use it, and how it will be protected. The residents’ permission, or lack thereof, should be given in writing.
In practical terms, trustees of sectional title housing units and HOA directors do not need to obtain the permission of home owners if the personal information they require is needed for the effective management of the scheme. However, under the terms of the Act, they remain wholly responsible for any information collected on behalf of the scheme, and this information must be used for the sole purpose of managing the estate. The sale or exchange of information between two or more organisations is prohibited under the Act.
Storing personal information
The second requirement under the Act is for trustees and HOA directors to manage and store personal information securely, regardless of whether this information is digital or paper-based, and whether it is located on- or off-site. The Act encourages trustees and HOA directors to take practical steps to protect personal information from being accessed by unauthorised third parties such as, for example, online hackers. Ensuring that computer records are encrypted and password-protected, and that up-to-date anti-virus and malware software is installed, is a good way of protecting online data. Paper-based records should be locked away securely, and only be accessible by authorised staff members to ensure that a system of accountability is in place.
So the buck stops with the HOA
Most private residential estates today have some form of controlled access where residents and visitors must provide personal information to gain entry to the development. This may include a car registration number, a fingerprint and a photograph, for example, as well as their name and telephone number. In most cases the HOA will outsource this service to a third-party company but, in terms of the Act, any company acting on behalf of the HOA or trustees must also gather, store, and use personal information correctly under the terms of the Act. It also means that the HOA must inform residents if their information needs to be shared with a third party such as a managing agent or security company, even if this is to assist with the effective management of the scheme. A failure by the third party to adhere to the new rules will be deemed as a failure of the HOA to keep the information of its residents safe.
Collecting personal information is still legal
Under Section 14 of the Constitution of South Africa, every person living in South Africa has the right to their privacy. The POPI Act aims to strengthen this right with conditions intended to protect everyday people from things like identity theft and the unauthorised use or sale of personal information for any purpose, including the creation of databases for marketing and sales campaigns.
However, the terms of the Act fall short of making it illegal for personal information to be collected. Instead, it allows for the personal information of home owners and, in some cases, visitors to be collated in the interests of security – provided that, once it is collected, it is both properly managed and protected. There isn’t much time left until the terms of the new Act become enforceable, so HOA directors and trustees need to act quickly to ensure that their scheme is compliant.