News

The Protection of Personal Information Act (POPIA) is due to come into effect in July

Private Property South Africa
Sarah-Jane Meyer |
The Protection of Personal Information Act (POPIA) is due to come into effect in July

The Protection of Personal Information Act 4 of 2013 (POPIA) was enacted on 1 July 2020, and estate agents have until 30 June 2021 to ensure that they comply with it, says Ulrik Strandvik, director of Gunston Strandvik Attorneys.

“POPI gives effect to the constitutional right to privacy by ensuring information is processed in a responsible manner to prevent security breaches, theft, and discrimination. It is important to note that POPI does not impose an obligation of obtaining consent from data subjects - a person giving over information - before processing their data but rather creates conditions for the lawful processing of personal information of South Africans.

“Property practitioners regularly process personal information – from sellers signing mandates to concluding sales or receiving bond applications from buyers. Estate agents will therefore be fully subject to POPI and its regulations.”

The Information Regulator will begin enforcing the Act from 1 July 2021. The key is to understand your current realities with regards to how you process personal information, determine the gaps and vulnerabilities, and then take appropriate action to make sure those gaps are filled.

Failure to comply with the Act may attract a fine of up to R10 million and/or imprisonment of up to 10 years, so the penalties of non-compliance are too severe to ignore.

Eight conditions

The Act prescribes eight conditions for the lawful processing of information. These are:

  1. Accountability, which means that you, as the responsible party, must ensure that all the conditions are met before processing the data.

  2. Processing Limitation, which provides strict controls on what it means to lawfully process data.

  3. Purpose Specification, where you must collect information for a specific person and the data subject must be aware of this purpose. Further, once you no longer need the information for processing purposes you must delete or destroy it unless required by law to retain it for a fixed period.

  4. Further Processing Limitation explains how you may and may not process data. You may only process data for the purpose it was collected.

  5. Information Quality refers to the steps to take to ensure that the data you collect and process is accurate and complete.

  6. Openness refers to the Promotion of Access to Information Act 2 of 2000. It is your duty to maintain strict documentation of all the processing activities you undertake.

  7. Security Safeguards is arguably the most important condition. The responsible party must employ appropriate, reasonable technical and organisational measures designed to prevent both unlawful access and the loss or damage of the personal information.

  8. Data Subject Participation is the condition that stipulates the rights of the data subject in respect of the information provided.

Impact on estate agents

Estate agents need to be extremely careful how they deal with personal information when conducting business.

Recommendations for compliance:

  • The first step is to appoint a person as the Information Officer to ensure compliance with POPI. We suggest that this person must have an in-depth knowledge of the Act and also hold a senior position in the business. The Information Officer will be responsible for drafting and implementing your POPI policy. The Information Regulator recently published a notice indicating that the date for the registration of information officers - which would have been 31 March 2021 - has been postponed. Registration of Information Officers started on 1 May 2021, and it will be an ongoing process where you can update details from time to time.

  • Carry out an audit of how your business handles personal information to determine the vulnerabilities and changes you need to make to be compliant. Consider the current sources, the storage, the protection, and the destruction of information that you hold. Also, consider the type of information you hold and the purpose of holding the information. Do you outsource any functions in your business? If so, do service providers hold any of your clients‘ information? You will also need to have POPI compliance agreements with service providers.

  • Undertake an IT stress test. Make sure your IT systems have the necessary protective measures in place to avoid access to your information by outsiders. Ensure all your devices are password protected and where possible implement two-factor authentication. POPI requires that you put reasonably practicable measures in place. Provided your solution is reasonable in the circumstances and you are not reckless with the personal information you hold; you should be compliant. We suggest that you check with an IT specialist to confirm that the measures you have in place are reasonable.

  • Ensure your marketing practices are POPI compliant. As a responsible party, you cannot hold more information than is required for the function you are undertaking. To conclude a sale, for example, you do not require information about the client’s hobbies, although it is important information for future marketing purposes. In this case, we recommend you obtain the client’s consent to request additional information for marketing purposes. Your client will need to explicitly agree for you to hold the information and for you to contact them in the future.

Although consent is not one of the eight conditions of lawful processing, it will be an important aspect of managing your POPI compliance. You may not have a blanket consent at the bottom of your mandate or bond application covering all marketing aspects. The consent must be specific, for instance, ‘you can contact me every year on my birthday or add me to your database for your newsletter’. You must bring the clients’ attention to the clause by asking them to initial it.

  • Be careful when dealing with special personal information such as bank account details, medical history, and political affiliation. There are serious sanctions in the Act for not being extra careful with such information.

“The above recommendations are not exhaustive - there are many more aspects of POPI that have not been dealt with here. We encourage agents to contact a POPI specialist to assist with compliance and with drafting POPI policies and processes,” says Strandvik.

Engaging with a specialist to assist you with POPI compliance and updating your policies and practices would be a step in the right direction to avoid any legal action being taken against you. There are only a few weeks before the POPIA implementation date, so estate agents who have not yet ensured compliance need to get the process started without further delay.

Related Articles

The definitive glossary of common real estate jargon and legalese
Private Property Reporter | 02 Nov 2021

The definitive glossary of common real estate jargon and legalese

From the initial online search to the reams of legal documentation, getting to grips with all the jargon and legalese can be overwhelming, especially for first-time buyers.

6 ways for agents to manage the health of their rental book in a tough economy
Press | 04 Nov 2022

6 ways for agents to manage the health of their rental book in a tough economy

It’s possible to manage your rental stock in a secure and rewarding manner. How can this be done?

Holiday season tips for estate agents
Sarah-Jane Meyer | 13 Dec 2021

Holiday season tips for estate agents

You can avoid an unwanted break in business by keeping in touch with clients.

sample image of property alerts

Get instant property alerts

Be the first to see property alerts for your area.
;