Community housing schemes in South Africa have until 30 June 2021 to ensure complete compliance with the Protection of Personal Information (POPI) Act, warn property experts.
Among other changes, the regulations require schemes to adopt their rules to be POPI compliant, including the sharing of personal information of owners and tenants.
It also introduces stricter rules around security systems in complexes, and how information is gathered by security guards and cameras. Schemes are also required to adopt a POPI policy and compliance officer.
Schemes that do not meet the requirements face hefty fines, including fines of up to R10 million or 12 months imprisonment.
The POPIA does not forbid the collection of personal information, but rather stipulates, for example, that every person whose information is requested is entitled to be informed how that information will be used and how it will be secured to prevent it from being used for any other purpose, said Andrew Schaefer, managing director of property group Trafalgar.
“Most CHS will probably already have the names, addresses, telephone numbers and email addresses of all owners on record, for example, and those owners are entitled not only to know that this information is being held, but also to be guaranteed that it is being securely held and will not be used or sold for any other purpose than that originally intended,” he said.
Schaefer said that the same goes for any personal information that is collected to maintain security in the scheme, whether it is in analogue form such as names and car registration numbers written into a paper register at the gate, or in digital form such as fingerprints on a biometric scanner or footage captured on a CCTV system.
“This information is usually gathered by third-party service providers, and one of the requirements of POPIA is that the scheme must now have a contract with each of these service providers that clearly stipulates what personal information it may collect, where and how that data must be stored and secured, and when it must either be destroyed or returned to the CHS,” he said.
Schaefer said other POPIA compliance issues that schemes needs to address include the following:
- The preparation of a written data protection policy, and a plan of action in the event of a data breach;
- The formal allocation of financial and other resources to ensure that the POPIA plan is put into action;
- The preparation of a plan to sustain POPIA compliance, such as annual auditing and ensuring that the scheme’s practices are updated to comply with any changes in the legislation.