Arabella Country Estate’s Homeowners’ Association (HOA) management have always viewed the protection of the personal information of residents, visitors and other stakeholders on the estate as an important issue.
In early 2016, the estate management initiated a project to implement measures to address their concerns and reinforce their strong commitment to good leadership, governance and compliance practices.
Overseen by Dirk Uys, estate manager, the Protection of Personal Information (POPI) Act compliance preparation project ran for close to 11 months and was managed by Michelle Wood, environmental officer at the estate. Valuable assistance was provided by John Cato and José Cardoso, consultants from IACT Africa, a specialist provider of POPI Act (POPIA) compliance tools and implementation support services.
The project was carried out on a part-time basis alongside the usual priorities of the estate, including the ISO14001 project for environmental management, which again demonstrated the estate’s commitment to good governance and compliance.
The success of the POPIA project was largely due to the strong sponsorship and commitment displayed by Dirk and Michelle, and the result is that Arabella HOA’s residents, visitors and other stakeholders can now feel confident that their personal information is protected and processed in a confidential and responsible manner. Even though IACT Africa have successfully completed similar projects with multiple clients across three other provinces in South Africa, across multiple industries, Arabella is the only estate to have completed a POPI Act compliance project and is thus the only estate that has been issued with a POPIA compliance certificate.
Why was the project initiated?
The HOA at Arabella foresaw that it was necessary to prepare for compliance with the POPI Act sooner rather than later. From a compliance perspective, the costs that come with non-compliance of a statute are usually far higher than the costs of preparing for compliance with legislation.
The protecting and processing of personal information of homeowners, residents, staff, visitors, business associates and suppliers in line with the POPI Act and international practices was equally important to the estate and its management. It gave stakeholders confidence that their personal information was being protected in a lawful and responsible manner, and it would further cement Arabella’s reputation and image in the residential estate sector as one that was compliant and ahead of the curve.
Processes and touch points
A number of processes and touch points were followed and began with the identification of what personal information is stored and where it is processed in the estate as well as within the business partner and supplier ecosystem. Those who have access to this information and their access rights were also identified. In general, the main groups of personal information were those related to residents, access control/security, external community portals, cameras/CCTV, visitors, homeowners, staff and finance. All the information was a mixture of both digital and hard copy media.
Company information falls under personal information as the company, while a legal entity, is regarded as a juristic person under South African law outside POPIA, and for this reason, financial information was also included.
The key areas of concern were identifying how homeowner and resident information was collected, amended and destroyed as well as the process of recording visitors, staff recruitment and publication of personal information to external organisations such as the media. The location of personal information including digital devices was also identified and recorded.
As various aspects of personal information are processed and stored by external service providers, it was necessary to have agreements between Arabella and these parties that included the responsibilities of the external party and the rights of the estate with regard to the lawful processing of personal information. This is a prerequisite contained in Condition 7 of the Act and provides legal recourse for the estate should a breach or compromise occur.
Governance of the POPIA implementation
A number of governance and management aspects, including the appointment of an information officer and deputy information officer within the HOA, were implemented, as well as a number of policies and notices that provided much of the evidence of the POPIA preparation project.
Risks relating to personal information were also identified and included in the estate’s risk management processes. The HOA team were also trained in the various aspects of the Act to ensure that they fully understood the implications of the legislation when handling personal information.
Benefits of the POPIA project
The key benefits of the project are to ensure that appropriate and reasonable measures for protecting personal information are implemented, and in the event of a legal claim arising, that they will be able to demonstrate due care with regard to POPIA compliance.
It is hoped that this will result in greater leniency should penalties be imposed than would be the case if the estate had not implemented the appropriate measures. Further benefits include gaining the invaluable trust of residents and prospective homeowners as well as external stakeholders. The tools and support provided by IACT Africa have given the project a sound foundation on which to build, enabling Arabella to accelerate implementation and reduce their costs.
Being awarded POPIA compliance certification
Complying with laws and regulations is often seen as a necessary evil, but compliance can be a positive practice that results in benefits, provided the appropriate focus is in place.
As with any law, the steps that an organisation takes to comply are often open to interpretation. In the case of POPIA, organisations are expected to apply appropriate and reasonable organisational and technical measures as stated in the security safeguards condition in the Act and apply these as a guiding principle.
The approach recommended by IACT Africa and applied during the project was based on implementing appropriate and reasonable measures in line with the eight conditions for the lawful processing of personal information as well as six other areas in the POPI Act.
The measures included internal and external assessments:
- Compliance accountability structures
- Publication of a POPI Act compliance privacy notice and related policies
- Amendments to existing contracts and policies in line with POPI Act compliance requirements
- Identification and recording of areas in which personal information is stored and processed
- Stakeholder training and employee commitment to protecting personal information
“The purpose of the POPI Act is to ensure that all South African institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity’s personal information by holding them accountable should they abuse or compromise your personal information in any way,” explains Dirk Uys, Estate Manager of Arabella Country Estate.
“We are very pleased to have received our compliance certification and believe this is just another step that we as the estate are taking to show our stakeholders how much we value their and our own privacy.”
While there is no POPI Act related case law as yet, the significance of Arabella’s compliance measures will stand up strongly in a test of reasonableness in the event of a court hearing. The adoption of international privacy and data protection legislation will also become important as time goes by, in particular the European Union General Data Protection Regulation.