COMMUNITY SCHEMES AND THE POPI ACT
Leslie Stuart - Associate
With the commencement of the Protection of Personal Information Act 4 of 2014 (“the POPI Act / the Act”) on 1 July 2020, many community schemes (which include, inter alia, Bodies Corporate and Homeowners’ Associations) and their scheme executives have pondered the application of the Act and the duty to comply with the Act in the management of the relevant community scheme.
As stated above, the Act came into operation on the 1st of July 2020, save for specific provisions/sections which will come into operation on 31 June 2021.
The Act, broadly speaking, was enacted for the purpose of advancing the constitutional rights to privacy of persons by safeguarding personal information of such persons when it lands in the hands of a “responsible party”.
The Act applies where personal information of a person (or data subject) is processed by a responsible party.
Two questions arise: does a community scheme qualify as a responsible party, and towards which possible data subjects is a scheme obliged to comply?
For purposes of further discussion, it is important to note what personal information is. The Act defines personal information as “information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including but not limited to –
a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, wellbeing, disability, religion, conscience, belief, culture, language and birth of the person;
b) information relating to the education or the medical, financial, criminal or employment history of the person;
c) an identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignments to the person;
d) the biometric information of the person;
e) the personal opinions, views or preferences of the person;
f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
g) the views or opinions of another individual about the person; and
h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.”
A further important definition is that of “processing”. Processing in terms of the Act means “any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including –
a) the collection, receipt, recording, organization, collation, storage, updating or modification, retrieval, alteration, consultation or use;
b) dissemination by means of transmission, distribution or making available in any other form; or
c) merging, linking, as well as restriction, degradation, erasure or destruction of information.”
A responsible party in terms of the Act means “a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information”.
In the context of a community scheme, it is clear that a member of such a community scheme (an owner of property within the scheme) or a resident or visitor to such scheme, whether or not such a member/resident/visitor is a juristic person or a natural person, shall qualify as a data subject and shall therefore enjoy the protection of his/her/its personal information through the operation of the Act.
Likewise, the management of the community scheme, whether it be a Body Corporate or the Homeowners Association (non-profit company) shall in many instances stand in the position of a responsible party in terms of the Act.
An example of the relationship between a community scheme and a member where the Act will find application is where personal records of the member are kept for security reasons or in terms of legislation (such as the Sectional Title Schemes Management Act).
A community scheme will not only be liable for the protection of personal information of its members but may also be liable towards third parties such as residents, visitors, contractors etc.
An example where the community scheme stands in a position of a responsible party where a member of the scheme is not concerned is where the scheme keeps records of visitors for security purposes which are collected upon entry of such visitor to the scheme.
Yet another relevant and current example may be where persons such as employees of members within the scheme gain access to the scheme by completing a Covid-19 questionnaire with personal information contained therein.
There can therefore be no doubt that a community scheme must comply with the POPI Act.
The question remains: how does a community scheme comply with the POPI Act?
Section 4 of The Act sets conditions for the lawful processing of personal information by or for a responsible party. These conditions are detailed in Sections 8 through to 25 of the Act.
The conditions are broadly summarised in Section 4(1) of the Act, which includes accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards and finally, data subject participation.
It is not possible in a newsletter to venture into the detail of each of the conditions for lawful processing of personal information, but it can broadly be summarised as follows:
CONDITION 1: ACCOUNTABILITY
The responsible party must determine the purpose and means of the processing and must ensure that the conditions set out in the Act and the measures that give effect to such conditions are complied with at the time of such determination and during the processing itself.
CONDITION 2: PROCESSING LIMITATION
Personal information must be processed lawfully and in a reasonable manner that does not infringe the privacy of the data subject. Personal information should only be processed if it is relevant, adequate, and not excessive for the purposes for which it is processed (i.e. the minimum amount of personal information must be processed for the purpose of such processing). There must furthermore be a reason/direction/necessity which warrants the processing of personal information (i.e. consent, an obligation imposed by law on the responsible party, etc.). Finally, save for specified exclusions, the personal information of a data subject must be collected directly from the data subject.
CONDITION 3: PURPOSE SPECIFICATION
Personal information must be collected for a specific, explicitly defined and lawful purpose which is related to a function or activity of the responsible party. The responsible party must take steps to ensure that the data subject is aware of the purpose of the collection of information, save where specified exclusions exist (as briefly mentioned hereinafter). Personal information and records thereof must be retained no longer than is necessary for achieving the purpose for which the information was collected or processed, unless the retention of records is required or authorised by law, the responsible party reasonably requires the records for lawful purposes related to its functions or activities, retention is required in terms of a contract between the parties, or the data subject has consented to the retention.
CONDITION 4: FURTHER PROCESSING LIMITATION
The further processing of personal information collected must also be in accordance with or compatible with the purpose for which it was collected. Further processing can therefore not deviate from the general purpose of the initial collection and processing thereof.
CONDITION 5: INFORMATION QUALITY
A responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary; all the while having regard to the purpose for which the personal information was collected or is further processed.
CONDITION 6: OPENNESS
This condition links with the Promotion of Access to Information Act (“PAIA”).
A responsible party must maintain the documentation of all processing operations under its responsibility as required by PAIA. It is important for a community scheme therefore to also have an up-to-date PAIA manual. The PAIA manual has a basic objective to indicate the procedure of how information can be requested or accessed and from whom.
Earlier I stated that the data subject must be made aware of the purpose of the collection of the information unless some exclusions are applicable. The Act provides that, when personal information is collected, a responsible party must take reasonably practicable steps to ensure that the data subject is aware of the information being collected, the name and address of the responsible party, the purpose for which such information is being collected, and whether or not the supply of the information is voluntary or mandatory (amongst other requirements).
Instances in which a responsible party need not comply with the aforesaid include where the data subject has consented to non-compliance, where non-compliance will not prejudice the legitimate interests of the data subject as set out in the POPI Act, where compliance would prejudice a lawful purpose of the collection, and where compliance is not reasonably practicable in the circumstances of the particular case, amongst other circumstances.
CONDITION 7: SECURITY SAFEGUARDS
A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent the loss of, damage or unauthorised destruction of the personal information as well as unlawful access to or processing of personal information. The responsible party furthermore has the obligation to notify the regulator and the data subject (unless the identity of such subject cannot be established) where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.
CONDITION 8: DATA SUBJECT PARTICIPATION
A data subject who can prove his/her/its identity adequately may request a responsible party to confirm whether or not the responsible party holds personal information about him/her/it. This confirmation must be done by the responsible party free of charge. The data subject may furthermore request the responsible party to provide a record of a description of the personal information about the data subject held by the responsible party, including information about the identity of all third parties or categories of third parties to have or have had access to the information. This must be done within a reasonable time and at a prescribed fee and must furthermore be done in a reasonable manner and format and in a form that is generally understandable.
A data subject may also request a responsible party to correct or delete personal information about the data subject that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully and may even request that the responsible party destroy or delete a record of personal information about the data subject which the responsible party is no longer authorised to retain.
THE DUTIES OF THE INFORMATION OFFICER OF A SCHEME:
An information officer is defined as “the head of a private body as contemplated in section 1 of the Promotion of Access to Information Act [“PAIA”]”.
PAIA refers to this person as the “chief executive officer or equivalent officer of the juristic person or any person duly authorised by that officer”.
The Act provides that an information officer has the responsibility to:
- encourage compliance by the relevant body (in this case the community scheme, as also hereinafter referred to) with the conditions for the lawful processing of personal information (mentioned above);
- deal with requests made to the scheme pursuant to the POPI Act;
- work with the Regulator where investigations in terms of the Act are launched;
- ensure compliance with the Act by the scheme; and
- comply with further responsibilities which may be prescribed (in the regulations).
Regulation 4 of the regulations made under the Act expands the aforesaid responsibilities by requiring that the information officer ensures that:
- a compliance framework is developed, implemented, monitored and maintained;
- a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
- a manual is developed, monitored, maintained and made available as prescribed in sections 14 and 51 of the Promotion of Access to Information Act, 2000 (Act 2 of 2000);
- internal measures are developed together with adequate systems to process requests for information or access thereto; and
- internal awareness sessions are conducted regarding the provisions of the Act, regulations made in terms of the Act, codes of conduct, or information obtained from the Regulator.
This will mean that the information officer of a scheme shall be a person authorised by the scheme executives (trustees/directors) of the community scheme (Body Corporate/ Homeowners Association).
The Act refers to the head of the private body as being a single person. Therefore, if no specific person is nominated as such, it is debatable whether the chairperson of the Board of scheme executives or scheme executives collectively will be responsible for compliance. It is the view of the writer that the latter shall apply.
A community scheme, as discussed above, may in various instances be in the position of a responsible party and must comply with the POPI Act.
At this juncture, it is important to note that the Act allows for a period of one year from the date of commencement (1 July 2020) for all processing of personal information to conform to the provisions of the Act. Community schemes therefore still have time to act by conforming to compliance measures prescribed in the Act.
One aspect on which community schemes should focus is the compliance framework referred to in the regulations. A compliance framework should be set out in a policy document, stipulating requirements of the Act, the implementation thereof and guidelines to scheme executives and any collector of personal information on behalf of the scheme.
Another aspect to focus on, since it relates closely to this Act, is the PAIA manual. Every community scheme needs to ensure that they have implemented a PAIA manual and that it is up to date.
Once the aforesaid policies and manuals are in place, compliance with the aforesaid responsibilities will either fall in place or will be much easier to achieve.
As one can glean from the aforesaid, it is impossible to give “one-size-fits-all” advice to community schemes, and it is therefore highly advisable to obtain advice regarding compliance with the POPI Act for your specific community scheme, since special circumstances, exclusions and the level of exposure may have a unique effect on each and every community scheme.
It should be noted that the purpose of this newsletter is to provide a very broad guideline and it does not constitute legal advice. All of the exclusions contained in the Act and some other mandatory obligations on the part of a responsible party have not been addressed in this newsletter.
For more information regarding POPI Act compliance within your community scheme (as well as PAIA compliance), contact a legal practitioner for tailor-made advice.