– PROTECTION OF PERSONAL INFORMATION
The very nature of communal living requires that the residents of a Community Scheme have reasonable access to each other’s contact details in order to exercise their rights, and to be able to get in contact with one another. Most of the remaining sections of the Protection of Personal Information Act (POPIA), referred to as the POPI Act, will commence from 01 July 2020.
The commencement of these stated sections of the Act will place certain obligations on the community schemes and their appointed Managing Agent, who may both store personal information of the members of a community scheme, to ensure that the information is protected and not misused by parties, who may have a right to access such information in terms of community scheme legislation.
The POPI Act does not operate in isolation to other legislation but is part of network of legislation with which it must be read in conjunction with each of the other legislation. Section 32 of the Constitution of the Republic of South Africa, supplemented by the Promotion of Access of Information Act 2 of 2000 guarantees that certain types of information are made available to a party requesting it, as does the Sectional Titles Schemes Management Act and the Companies Act.
So for Sectional Title schemes the POPI Act cannot be used as an excuse by any party not to make available certain personal information of the members, as the Sectional Titles Schemes Management Act and the Prescribed Management Rules found as an Annexure to the STSMA Regulations, provides for the fact that owners and other parties are reasonably entitled to the information as listed in the Prescribed Management Rules found in Part 6 – Administrative Management, which includes the personal information of members of the Body Corporate.
POPIA is not a blanket prohibition to stop “responsible parties” (in this context, scheme executives or the managing agent) from sharing “data subjects’” (the owners and residents in the scheme) personal information in every circumstance.
The over-riding principle applied would be that a person is entitled to be furnished with any available information that materially affects their interest, and this may include the personal information of another resident in the scheme being reasonably provided to such a person, by a “responsible party” such as the Managing Agent holding such information. So “data subjects” have the right to have their personal information processed lawfully, and in accordance with POPI, but may also have reasonable grounds to object to their information being processed, where such reasonable grounds may depend on the particular situation.
Section 114(1)c which will commence on 01 July 2020, is of particular importance as it states that all forms of processing of personal information must, within one year after the commencement of the section, be made to conform to the Act. This means that entities (both in the form of private and public bodies) will have to ensure compliance with the POPI Act by 1 July 2021.
Some of the applicable sections of the POPI Act are:
Section 9: personal information must be processed (a) lawfully; and (b) in a reasonable manner that does not infringe on the privacy of the data subject.
Section 10: Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant, and not excessive.
Section 11: Personal information may only be processed if – (c) processing complies with an obligation imposed by law on the responsible party; (d) processing protects the legitimate interests of the data subject;
(e) processing is necessary for pursuing the legitimate interests of the responsible party or the third party (the other owners in the scheme) to whom the information is supplied.
This will mean that a community scheme must ensure that personal information of owners and tenants and visitors provided to the scheme (for instance schemes that scan the visitor’s personal information on their driver’s license for access control or that require the writing down of information in an visitor’s log) is only processed for specific, explicitly defined and legitimate reasons that relate to their specific functions or activities.
Schemes will also have to ensure that the person providing the personal information is fully aware of the purpose for which these details are required, and ensure that personal information is only kept or stored for as long as it is required, in safe controlled environment and that the information is deleted when it is no longer required.
The provisions of the POPIA will need to be complied with by those with access to Community Scheme members’ information and by those that may request such information in terms of the community scheme’s governing legislation and governance documents.
