The POPI Act is a new piece of legislation that safeguards the integrity and sensitivity of private information. The Act was signed into law in November 2013, but the bulk of the provisions only became operational on 1 July 2020.
The POPI Act does not aim to stop the free flow of information or restrict the collection of personal details. Instead, it sets strict guidelines on how to obtain personal information while balancing the interests of businesses and the right to privacy for individuals and juristic persons. Companies have until 30 June 2021 to get ready to comply with the Act. This means that estate agencies have just 12 months to ensure that the way they manage and safeguard the personal information of sellers and buyers, as well as employees, is in accordance with the new regulations.
The purpose of the POPI Act is to ensure that individuals and juristic persons know exactly what is being done with their personal information. It deals with the following:
• What is done with personal information.
• How personal information is processed or shared.
• Who receives personal information and with whom it is shared.
• What type of information is processed or shared.
• Why information is processed or shared.
The POPI Act applies to any organisation that collects, records, uses, stores, transmits, destroys, or otherwise processes personal information, including that of employees, clients, potential clients, suppliers and service providers. Special protection applies to the personal information of children, and sensitive information such as criminal records, health data and sexual history.
Organisations need to secure the integrity and confidentiality of personal information in their possession or under their control by taking appropriate, reasonable technical and organisational measures to prevent the risk of:
• unlawful access;
• unauthorised destruction;
• and disclosure of personal information.
Each organisation must appoint an information officer (responsible party) to ensure that the conditions for the lawful processing of the personal information collected are met. It is the responsible party’s duty to take reasonable steps to ensure that any personal information collected is complete, accurate, not misleading and updated where necessary. Information officers must ensure that:
• A compliance framework is developed, implemented, monitored and maintained.
• A personal information impact assessment is done to ensure adequate measures and standards to comply with the conditions for the lawful processing of personal information.
• A manual is developed, monitored, maintained and made available as prescribed in sections 14 and 51 of the Act.
• Internal measures are developed together with adequate systems to process requests for information or access thereto.
• Internal awareness sessions are conducted regarding the provisions of the Act, regulations made in terms of the Act, codes of conduct, and information obtained from the Information Regulator.
Data collection
The overarching principles of the POPI Act are that personal information may only be collected with the consent of the person whose information is being collected (data subject), and may only be processed for specific, explicitly defined and legitimate reasons.
In the normal course of business, companies - including estate agencies - collect personal information from prospective clients. This includes details in FICA compliance documentation, offers to purchase, sale agreements and loan applications.
Estate agencies must therefore adapt their processes to notify all clients that personal information will be collected and processed by them for a specific purpose.
• Data subjects must be made aware of the fact that their personal information is being collected, and for what purpose the information will be used. The information may only be processed for a specific purpose, and may not be processed for a secondary purpose unless that processing is compatible with the original purpose.
• Data subjects may enquire whether an organisation holds personal information about them, and are entitled to request that the information held be corrected or deleted.
Consequences of non-compliance:
Some of the penalties for non-compliance are heavy, with fines of up to R10 million in some cases. Anyone convicted in terms of the Act is liable to a fine or imprisonment (varying from less than 12 months to 10 years, depending on the section of the Act contravened), or both imprisonment and a fine.
However, more severe penalties probably lie in the extensive damage to business reputation following a breach of clients’ personal information. Estate agents therefore need to be sure to put processes in place to comply with the POPI Act before July 2021.