But after 1 July next year, any business or legal entity that is not compliant with the POPI Act is risking prosecution and a high fine, so ST trustees and HOA directors need to act quickly now to ensure that their scheme - and any “third party” such as a managing agency or security company that is acting on their behalf - is gathering, storing and using personal information correctly, or currently upgrading their procedures and systems to ensure that this information is protected.
There are two parts of the Act that trustees need to be particularly concerned about to start with, the first of which is the general requirement that a consumer’s consent must be obtained before any of their information can be collected or used, and that they must be properly informed about the reason for collecting the information, what will be done with it and how it will be protected.
In practical terms, ST trustees and HOA directors do not need to obtain the permission of owners in their schemes to collect or hold whatever personal information is needed for the “effective management” of those schemes, as long as that is all they do with it. However, they do need to inform them if this information is being shared with a third party, such as a managing agent, to assist with effective management of the scheme.
In addition, they will need to obtain their permission (preferably in writing) to collect and hold any information that they intend to use for any other purpose – and state what that purpose is. They may not, for example, let owners believe that their personal information will only be used for correspondence and communications like levy statements and meeting notices and then use it – or allow it to be used – by a different company for some other purpose, such as direct marketing, without permission.
The second concern for trustees and directors is the security of their information storage and management systems, whether these are digital or paper-based, and on-site or off-site. The Act provides for personal information to be kept in such a way that it is protected from unauthorised access – by computer hackers, for example – and for it not to be sold to or exchanged with any other organization.
In short, the person or company that gathers personal information is obliged to take practical steps to protect it, such as ensuring that computer records are encrypted, or that paper records are locked away and only able to be accessed by certain people in the company. The Act does not insist that companies install very high-tech systems, only that they have procedures in place to protect the information they hold and that they implement a system of accountability.
However, this does not let ST trustees “off the hook” if they are not keeping their own records. On the contrary, they are responsible for any information collected on behalf of their scheme, so if this is being done by a managing agency, they must ensure that they deal with a reputable company such as Trafalgar, which already has a proper system in place to protect and isolate all the personal information relating to individual schemes – and a clear plan about what to do if the security of that system is breached.
Courtesy of PrivateProperty & Andrew Schaefer of Trafalgar