How to protect your privacy when living in a shared space: POPIA and community housing schemes
Authors: Faatimah Essack – Candidate Attorney
*Supervised by: Penny Chenery – Director & Head of Real Estate
As of 1 July 2021, the Protection of Personal Information Act (POPIA) is in full force and effect, as evidenced by the hundreds of SMSs and emails we receive, advising us to opt in to continue to receive newsletters, etc – unavoidable consequences of POPIA.
POPIA is designed to promote the protection of personal information and to bring South Africa’s privacy laws in line with international standards. It limits the rights of businesses to collect, process, store and share personal information. It also makes businesses accountable for protecting the privacy of this information.
How will this impact owners, tenants, and trustees or managing agents in community housing schemes?
A community housing scheme can be defined as “any scheme of arrangement in terms of which there is a shared use of a responsibility for parts of land and buildings”.
Examples include sectional title schemes, apartment blocks, shareblock companies, retirement villages and residential cluster estates.
Given the nature of these schemes, the trustees or managing agents are required to collect the personal information of the owners and occupiers within the scheme, and the owners have an obligation to ensure that this information is up to date.
Section 13(1)(f) of the Sectional Titles Schemes Management Act, 8 of 2011 (STSMA) obliges the owner of a unit "to notify the body corporate of any change in ownership or occupancy of his or her section and of any mortgage without delay”.
Prescribed Management Rule (PMR) 27(2)(b) states that the Body Corporate must obtain the following information, which must be kept updated:
Lists of trustees, members and tenants with their full names, identity numbers or, in the case of non-South African citizens, their passport numbers.
Section addresses and mailing addresses, if different.
Email or other electronic addresses.
Most schemes have controlled-access points where residents and visitors alike must provide personal information to gain entry to the complex or to obtain a remote control or access card. This may include a car registration number, a fingerprint, and a photograph, for example, as well as their name and telephone number.
Scheme trustees or managing agents have a statutory and common law fiduciary obligation to act in good faith, and with due diligence and care in the interests of their community scheme at all times.
The consequences of POPIA
First and foremost, it must be noted that POPIA does not make it illegal for the trustees or managing agents to collect this information or request certain personal details from visitors and occupants of their schemes to comply with the laws that govern their operations and the requirements of their governance documents, and in the interests of security.
However, these schemes should put in place appropriate governance measures to minimise the risk of breaches and sustain the protection of personal data. Failure to do so involves the possibility of momentous financial consequences (fines of up to ZAR10 million), including reputational damage and, in more serious cases, can lead to imprisonment.
POPIA also provides for a separate category of information called “special personal information”, which includes all information relating to a person's religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information or criminal behaviour.
Practical measures (non-exhaustive)
Personal information must be securely stored and the persons whose information is being stored must be given an opportunity to correct it when it is wrong.
Special consents, where required, must be obtained with regard to biometric systems, as this type of information is under the definition of special information, and for minors, as section 34 of POPIA places a general prohibition on the processing of personal information concerning a child, unless prior consent has been obtained from a competent person (ie, the parent or guardian).
Contracts entered into with third parties and suppliers must be amended to include non-disclosure procedures and policies.
WhatsApp groups and websites must include consents and disclaimers and be carefully monitored, especially if created by the trustees.
The community scheme will have to appoint a “responsible party”, also known as an information officer, to implement the requirements of POPIA. This person will take legal responsibility to ensure that the scheme processes personal information in a responsible manner, as required under the legislation. There is also a limit to the historical information that may be kept, and certain information must be destroyed after a certain period.
POPIA automatically designates the head in an "organisation" as an information officer. In the case of a scheme, by default, the chairperson is designated. The designation and delegation of authority must be in writing and allows for the information officer to delegate some of their duties to the duly appointed deputy information officer.
By law, a community housing scheme must meet its POPIA obligations and ensure all measures are in place to protect the processing of personal information and special information of the owners and occupiers in the scheme. Therefore, it would be prudent for trustees or managing agents to update their privacy policies and statements to avoid contravention and implement a system of accountability for the benefit of all.
Lawtons Africa is a South African law firm. With roots that grew out of seeds sown in down-town Johannesburg in 1892, our history features various changes and different names. Our team of lawyers, including directors, consultants, associates and candidate attorneys is highly qualified, market-recognised and skilled. For further information, visit www.lawtonsafrica.com