1. INTRODUCTION

This article aims to highlight the duty and obligations of Community Schemes to ensure the protection of its owners and/or residents in the scheme, in adherence to the Protection of Personal Information Act 4 of 2013 (“POPIA”) which came into operation on the 1st of July 2021.  We intend to provide you with the basic knowledge with regard to the collection, storage and management of such personal information in a responsible manner and to prevent liability and/or breaches of POPIA.

This article does not only find application to Community Schemes, but also to managing agents as well as unit owners and residents alike, who are all subject to the provisions of POPIA for the protection of personal information which may be abused or compromised in an arbitrary or irresponsible manner.

  1. IMPORTANCE OF COMPLYING WITH POPIA
  • All Community Schemes had until the 1st of July 2021 to ensure that they have complied with all the provisions of POPIA.
  • Should a Community Scheme fail to comply with POPIA, it may lead to the scheme facing a fine of up to R10 million or imprisonment of the responsible party of up to 12 months, and the aggrieved party may further institute legal action for damages.
  1. APPLICABILITY OF POPIA
  • POPIA applies to any natural or juristic person, such as a company or organization as in the case of a Community Scheme, that processes personal information by entering such personal information into its records.
  • Community Schemes must also adhere to other legislation, including the Sectional Title Schemes Management Act, which requires the owners to provide a body corporate with personal information such as the change of ownership or occupancy of a unit/section or the mortgage of a unit/section. The Prescribed Management Rules set rules and regulations in place that both body corporates and owners/residents must strictly adhere to, including the obligation on body corporates to continuously be aware of any change in ownership, by keeping updated records of the full names, identity numbers, addresses and contact information of all trustees, owners and residents.
  1. DUTY ON COMMUNITY SCHEMES AND MEASURES TO PUT INTO PLACE

Since the commencement of POPIA, processing of all personal information by a responsible party (the Community Scheme in this case or a managing agent) must be done subject to the conditions as set out in Section 4 of POPIA, which entails the following:

  • The Community Scheme is accountable for the personal information that it processes as well as information passed on to a third party. Should a Community Scheme delegate certain duties to a managing agent for the collection and processing of such personal information, the accountability will remain with the Community Scheme.
  • The purpose for the collection of personal information must be specific, explicitly defined and documented. The processing of personal information must also occur in the least evasive manner and therefore the minimum amount of information must be collected as required to comply with the Community Scheme’s duties and functions. Information must not be retained longer than necessary and all personal information of a former tenant or owner must be destroyed as soon as that tenant or owner ceases to be a member of the Community Scheme, subject to a reasonable time of retention to protect the rights of the Community Scheme. The Community Scheme may only process personal information for such intended purpose.
  • The processing of personal information must be transparent. The member of the Community Scheme whose personal information has been requested must be informed of:
  • The purpose for which the information is being processed;
  • Who is collecting the information;
  • How the information is being collected; and
  • When information would be shared or transmitted to any other party than the Community Scheme.
  • Any processing of personal information must be for a lawful purpose. In the case of a Community Scheme, personal information of a member needs to be processed in compliance with statutory obligations such as the Sectional Titles Act, Sectional Titles Schemes Management Act, Companies Act, the Prescribed Management Rules (specifically Sections 26 and 27) and all associated regulations to these Acts.
  • A Community Scheme may authorize and appoint a managing agent to administer the collection of levies and exercise other administrative duties on behalf of the scheme. This is seen as the further processing of information and the managing agent is known as an “operator” under POPIA. The Community Scheme must first obtain the consent of the members for the secondary processing of information. The operator, who then has the authority to process the personal information on behalf of a responsible party, must also adhere to POPIA and be compliant with the provisions of POPIA.
  • The information gathered and processed must be of good quality, meaning it must be complete, accurate and continuously updated to set out the true facts.
  • Section 19 of POPIA requires a Community Scheme to take certain measures to maintain the integrity and confidentiality of the owners’ and residents’ personal information and safeguard it against loss, damage or abuse by any unauthorized parties. POPIA requires the securing of information by technical measures such as firewalls and antivirus software, to name a few, and organizational measures for the implementation of internal policies, procedures and training.
  • Members or other stakeholders in the Community Scheme are entitled to request which personal information is being held by the scheme and request copies of such information or request that their information be deleted where the necessary consent was not obtained.
  1. A BALANCE BETWEEN THE RIGHT TO PRIVACY AND THE DUTY TO DISCLOSE
  • Prescribed Management Rule 27(4) provides:

“On receiving a written request, the body corporate must make the records and documents referred to in this rule available for inspection by, and provide copies of them to –

  • a member;
  • a registered bondholder; or
  • a person authorized in writing by a member or registered bondholder”.
  • It is clear from the above conditions that a Community Scheme may not disclose personal information of its members as it wishes and to anyone who requests it, as a balancing of the right to privacy and the duty to disclose comes into play.
  • The Community Scheme’s executives would have to make a judgement call to determine whether a request is in pursuit of a legitimate purpose or not. If the request does not further the proper management and administration, the member’s consent will be required for such disclosure. A request will, for instance, not be in pursuit of a legitimate purpose if one member simply requests the status of another member’s levy account to “name and shame” such a member at the next Annual General Meeting of the scheme.
  1. STEPS TO TAKE TO BE COMPLIANT WITH POPIA
  • All Community Schemes had to appoint an information officer who is duly registered and had to implement a POPIA policy for the processing of personal information on or before the 1st of July 2021. The Community Scheme also had to conduct a gap analysis to evaluate which personal information it holds and how such information is processed as well as evaluate the existing protection measures it has in place. This analysis is a necessary exercise to determine what is lacking in order to be compliant with POPIA and this process needs to take place on a regular basis to ensure continued compliance with POPIA.
  • Community Schemes must act pro-active, rather than reactive, to ensure adherence to the regulations implemented on the 1st of July 2021, by doing regular training and gap analysis to ensure the continued upkeep of and compliance with POPIA, avoiding facing compromises of the personal information it holds or being penalized by a fine or the responsible person’s imprisonment.

 

Lisa Radyn     

LLB

Associate

Property and Commercial Law 

E-mail: lisar@sstlaw.co.za

Phone: 012 361 9823