Why community housing schemes should be POPI Act compliant ASAP

Schaefer further points out that it is also important for owners and occupiers in sectional title schemes and gated developments run by homeowners’ associations (HOAs) to understand that the new Act does not make it illegal for the trustees or directors to collect their personal information or to request certain personal details from visitors to their schemes in the interests of security.

“Of course everyone in South Africa has the right to privacy, as provided for in Section 14 of our Constitution, and the POPI Act actually amplifies that right with provisions intended to protect consumers against identity theft as well as the unauthorised use or sale of their personal information for any purpose, including the creation of databases for marketing and sales campaigns.

“However, the new legislation does not stipulate that personal information cannot be collected – only that when it is collected, it must be properly managed and protected,” he says.

This is especially pertinent in community housing schemes, where the trustees, directors and managing agents have to keep a significant amount of personal information about owners and tenants on record in order to:

• Send levy accounts and statements to the correct people;
• Allocate payments correctly;
• Send out communications about the annual budget, the AGM and other body corporates or HOA meetings;
• Facilitate communications with owners and tenants regarding security issues or in an emergency such as the recent Covid-19 lockdown; and
• Take swift action in the event of levy defaults.

“Some schemes also send out monthly newsletters using at least some of this personal information, and many now also have residents’ Facebook pages or WhatsApp groups where at least some member information is shared. In addition, most schemes have controlled-access points where residents and visitors alike must provide personal information to gain entry to the complex or to obtain a remote control or access card.

“This may include a car registration number, a fingerprint and a photograph for example, as well as their name and telephone number,” says Schaefer.

After 1 July next year, any business or legal entity that is not compliant with the POPI Act is risking prosecution and a high fine. This means sectional title trustees and HOA directors need to act quickly to ensure that their scheme – and any third party such as a managing agency or security company that is acting on their behalf – is gathering, storing and using personal information correctly, or currently upgrading their procedures and systems to ensure that this information is protected.

Schaefer says there are two parts of the Act that trustees need to be particularly concerned about, the first of which is the general requirement that a consumer’s consent must be obtained before any of their information can be collected or used and that they must be properly informed about the reason for collecting the information, what will be done with it and how it will be protected.

Obtaining permission and securing information

In practical terms, sectional title trustees and HOA directors do not need to obtain the permission of owners in their schemes to collect or hold whatever personal information is needed for the ‘effective management’ of those schemes, as long as that is all they do with it. However, they do need to inform them if this information is being shared with a third-party, such as a managing agent, to assist with effective management of the scheme.

“In addition, they will need to obtain permission – preferably in writing – to collect and hold any information that they intend to use for any other purpose and state what that purpose is. They may not, for example, let owners believe that their personal information will only be used for correspondence and communications like levy statements and meeting notices and then use it – or allow it to be used – by a different company for some other purpose, such as direct marketing, without permission,” says Schaefer.

The second concern for trustees and directors is the security of their information storage and management systems, whether these are digital or paper-based, and on-site or off-site. The Act provides for personal information to be kept in such a way that it is protected from unauthorised access – by computer hackers for example – and for it not to be sold to or exchanged with any other organisation.

“In short, the person or company that gathers personal information is obliged to take practical steps to protect it, such as ensuring that computer records are encrypted, or that paper records are locked away and only able to be accessed by certain people in the company. The Act does not insist that companies install very high-tech systems, only that they have procedures in place to protect the information they hold and that they implement a system of accountability,” according to Schaefer.