A lot has been said in recent years about the Protection of Personal Information Act 23 of 2013 (hereinafter referred to as the “POPI Act”) and the uncertainty surrounding the official date of assenting and implementation thereof. Hopefully this article will put your mind at ease and provide some much-needed information regarding the various aspects of this Act.
POPI has its foundations set firmly on the Constitutional right to privacy and as such protects and promotes the personal information of individuals. The POPI Act applies to anyone (including attorneys, public entities, private companies, estate agents, etc.) who collects and processes personal information of clients. Personal information includes identity numbers, names and surnames, physical, postal and electronic addresses, telephone numbers, personal banking information and salary advices, just to name a few. The term processing relates to the collection, storage, usage, modification and destruction of personal information.
In terms of POPI, anyone who processes personal information is required to do so in accordance with the Act without infringing a client’s right to privacy, failing which the party responsible for the personal information may be imprisoned or be held liable for a fine or penalty.
It will therefore be necessary for anyone responsible for processing personal information to appoint or assign obligations to a specific person, known as the Information Officer, who must ensure that every employee complies with POPI. The Information Officer will also need to be familiar with the different ways in which the company processes its personal information in order to implement compliance structures aligned with POPI.
Some compliance structures, specifically relating to estate agencies, may include the following:
- Safeguarding the office space
Every office, file, computer and database which contains personal information of clients will need to be safeguarded to ensure that the personal information remains secure and confidential. These safeguards can include encrypting emails, password- or fingerprint-protected computers, securing workspaces, and preventing unauthorized personnel from entering offices or handling files. These are merely suggestions as to what may be considered for implementation, but more certainty surrounding this aspect may come to light once the Regulations and Guidelines for POPI are released. The Information Officer will play an important role in the education and training of personnel with regard to the above.
- Direct marketing and consent
Direct marketing includes sending listings or advertisements to clients on your company’s database and/or calling them with information regarding new listings or developments. Once POPI comes into effect, direct marketing will be strictly monitored, whether it is done by way of fax, email or electronic newsletters. All of these direct marketing initiatives will be prohibited unless consent is given by a client and is subject to the person being a client or new client of the company. The company may only approach the client for consent once, and if it is denied, the client may not be asked again unless the client voluntarily consents thereto.
It is unclear whether sharing personal information with conveyancers, bond originators or other third parties without the specific consent of the client may be deemed an infringement in terms of POPI. It is therefore recommended that pre-authorization be obtained from a client when an offer to purchase or sale agreement is signed by the client. The conditions thereto may and should include consent to share the client’s personal information with other parties who have a direct interest in the matter and whose involvement will be necessary to give effect to the terms of the offer to purchase or sale agreement.
How long will you need to safeguard your client’s personal information and how will it be destroyed?
The Act makes provision that personal information should not be retained any longer than what is specifically necessary. In other words, once the transaction has been dealt with, one should either hand over the records to the client or destroy them upon instruction of the client. Destruction of records may include shredding, but the manner of destruction as well as retention of records will be specified once the Regulations are published.
The recent Constitutional Court case of Black Sash Trust v Minister of Social Development  ZACC 8, provides the benchmark for a new era in processing of personal information. The Court held that a data subject’s personal information may only be used for the purpose of the matter, in this case the payment of grants, and may not be shared with third parties to “opt-in” or with the purpose of direct marketing, for instance.
Once POPI is fully assented to, the parties to whom it applies will have a 1-year compliance grace period, which may be extended to 3 years depending on each unique situation. During this period companies/agencies will need to implement the necessary changes in order to ensure compliance with the Act. With reference to the above, it is very important to appoint an Information Officer who will have the responsibility of educating personnel and ensuring that all personal information being processed on a daily basis is handled with the utmost care and accountability towards clients and the Act. Practical implementation guidelines will assist companies/agencies to comply and safeguard their clients’ personal information.
It is quite evident that the implementation of POPI may come with administrative issues. In this regard, the Information Regulator will also play an important role in ensuring that the implementation process runs smoothly, and education surrounding POPI will be of utmost importance.
by Landie Saaiman