Author: Andrew Schaefer
Managing Director of Trafalgar Property Management
1 July 2021
Important changes for complexes and estates in South Africa taking effect from today
With the Protection of Personal Information Act (Popia) coming into effect on Thursday (1 July), community housing schemes need to urgently appoint their official information officers and ensure that they are registered with the Information Regulator, says Andrew Schaefer, managing director of property management company Trafalgar.
This is the first step in a chain of Popia compliance that the trustees and directors of community housing schemes must follow now, he said.
“It is also important for trustees and directors to note that it is currently not possible for schemes to simply appoint a managing agent as their information officer.”
Schaefer said that Trafalgar and other managing agents are lobbying for the Information Regulator to reconsider this restriction, given the need for continuity in data protection and the rotational, part-time, unpaid and volunteer nature of the trustee and director roles in community housing schemes.
“We are also already responsible for most of the personal information processing that most schemes need to do and, certainly in the case of Trafalgar, we already have stringent data security measures in place.”
Who can be an information officer?
Section 55 of Popia stipulates that the information officer of any organisation must be a person who serves in an executive capacity, says Sicelo Kula, an attorney at Michalsons who specialises in data protection.
When it comes to community housing schemes that means that in most cases the information officer will be one of the following, and can also have a deputy if necessary:
- A sectional title trustee;
- A homeowners’ association director;
- A general manager or estate manager who is the most senior person in charge of the scheme’s operations;
- An Executive Managing Agent who the owners in a sectional title scheme have appointed to take over the role of the trustees.
If a community housing scheme fails to appoint an information officer before the 1 July deadline, the chairman of the trustees or board of directors will carry the responsibilities of the position by default, said Kula.
What are the responsibilities of an information officer?
The key responsibility of the information officer is to assist the community housing scheme to comply with POPIA and give effect to the rights of individuals as outlined in this legislation.
They will be held accountable for ensuring that the scheme puts all the necessary information protection policies, procedures and agreements in place; for assessing and processing any requests for access to the personal data that the scheme holds, and for informing the Information Regulator if there is any data breach.
These responsibilities cannot be delegated. However, community housing schemes are allowed to delegate the execution of the specific tasks that come with the information officer role – to their managing agents or other service providers such as auditors, insurers and security companies, Kula said.
“This must however be done formally, by means of a formal written agreement with each service provider that clearly sets out what personal information they may collect, where and how that data must be stored and secured, and when it must either be destroyed or returned to the community housing scheme.”
The information officer does not need to be a legal or technology expert, Schaefer said.
“However, he or she will need an understanding of the principles of data protection and the reasons that it is becoming increasingly important to secure private personal information.”
“Information officers will also need good communication skills and, going forward, a willingness to learn about the development of new data gathering and protection methods.”
The appointment of an information officer for a community housing scheme can be done by means of a simple resolution taken by the trustees or directors, but it must then be put into writing, in an appointment letter that sets out all the responsibilities of the position
Once this appointment has been made, the information officer must then be registered with the Information Regulator, and this can be done digitally on the website of the Information Regulator, where there is also an official guideline for information officers.
Security and other rules to be aware of
Among other changes, the regulations also require schemes to adopt their rules to be POPI compliant, including the sharing of personal information of owners and tenants.
It also introduces stricter rules around security systems in complexes, and how information is gathered by security guards and cameras. Schemes are also required to adopt a POPI policy and compliance officer.
Schemes that do not meet the requirements face hefty fines, including fines of up to R10 million or 12 months imprisonment.
The Popia does not forbid the collection of personal information, but rather stipulates, for example, that every person whose information is requested is entitled to be informed how that information will be used and how it will be secured to prevent it from being used for any other purpose, said Trafalgar’s Schaefer.
“Most schemes will probably already have the names, addresses, telephone numbers and email addresses of all owners on record, for example, and those owners are entitled not only to know that this information is being held but also to be guaranteed that it is being securely held and will not be used or sold for any other purpose than that originally intended,” he said.
Schaefer said that the same goes for any personal information that is collected to maintain security in the scheme, whether it is in an analogue form such as names and car registration numbers written into a paper register at the gate, or in digital form such as fingerprints on a biometric scanner or footage captured on a CCTV system.
“This information is usually gathered by third-party service providers, and one of the requirements of Popia is that the scheme must now have a contract with each of these service providers that clearly stipulates what personal information it may collect, where and how that data must be stored and secured, and when it must either be destroyed or returned to the schemes,” he said.
The original article can be viewed here: