Leading property management company Trafalgar and top law firm Michalsons have joined forces to launch a compliance “toolkit” that will assist community housing schemes (CHS) to prepare for the implementation of the Protection of Personal Information Act (POPIA) before the 1 July deadline.
“This toolkit contains a set of templates and documents that will guide the trustees of sectional title schemes and the directors of homeowners’ associations through many of the steps they need to take to get ready for POPIA and will require minimal customization for specific schemes,” says Trafalgar MD Andrew Schaefer.
“Our aim is to enable CHS to quickly put an effective POPIA plan into action at minimal cost.”
He says there are many aspects to POPIA and that many CHS do not even have the basic elements in place yet to achieve compliance. “For example, every scheme needs to appoint an Information Officer – preferably a trustee or director – who will be responsible for all the personal information that is collected by that scheme, and by any companies that provide services to the scheme such as managing agents or security, cleaning and insurance companies.
“This Information Officer should also be familiar with the provisions of the Promotion of Access to Information Act (PAIA) and must be registered with the Information Regulator before 1 July.”
Sicelo Kula of Michalsons notes that although POPIA does not provide for the role of the Information Officer to be delegated to a managing agent such as Trafalgar, the CHS can delegate the responsibilities that come with the role, and that a template for doing this is one of the items included in the toolkit.
“Meanwhile, CHS trustees and directors also need to make all their owners, employees and service providers aware of the provisions of POPIA, as well as the fact that this legislation does have quite wide-ranging implications for them all. They also need to communicate their plans to achieve compliance and any new measures they may be putting in place, and Trafalgar is already running a series of webinars to assist with this information dissemination.”
It is important to remember, Schaefer says, that POPIA does not forbid the collection of personal information, but rather stipulates, for example, that every person whose information is requested is entitled to be informed how that information will be used and how it will be secured to prevent it from being used for any other purpose. “Most CHS will probably already have the names, addresses, telephone numbers and email addresses of all owners on record, for example, and those owners are entitled not only to know that this information is being held, but also to be guaranteed that it is being securely held and will not be used or sold for any other purpose than that originally intended.
“And the same goes for any personal information that is collected to maintain security in CHS, whether it is in analogue form such as names and car registration numbers written into a paper register at the gate, or in digital form such as fingerprints on a biometric scanner or footage captured on a CCTV system.
“However, this information is usually gathered by third-party service providers, and one of the requirements of POPIA is that the scheme must now have a contract with each of these service providers that clearly stipulates what personal information it may collect, where and how that data must be stored and secured, and when it must either be destroyed or returned to the CHS. The toolkit also contains a template for this type of contract.”
Schaefer says other POPIA compliance issues that every CHS needs to address within the next two months include the following:
*The preparation of a written data protection policy, and a plan of action in the event of a data breach;
*The formal allocation of financial and other resources to ensure that the POPIA plan is put into action; and
*The preparation of a plan to sustain POPIA compliance, such as annual auditing and ensuring that the scheme’s practices are updated to comply with any changes in the legislation.
“Data protection is a relatively new field,” he notes, “but is increasingly important, as we have seen from some recent high-profile cases involving data breaches at companies like Facebook, Microsoft, EasyJet and even South Africa’s Postbank in which millions of people have had their email addresses, passwords, bank card numbers, ID numbers and other sensitive data exposed.
“In addition, the recent rapid increase in remote working and online shopping has created a much broader awareness of how important it is for personal information to be kept safe, not only to protect privacy but to prevent identity theft and other malicious online activity.
“In SA this is now being underlined by the importance being placed on across-the-board POPIA compliance, and many organisations being asked by consumers to prove that any data they collect and hold is being properly secured and managed. We fully expect CHS to come under similar scrutiny, which is another reason for them to make use of our POPIA compliance toolkit.”
Writer:Andrew Schaefer