Author: Maryna Botha
3 July 2020
POPI AND PRIVACY PROTECTION
This past week I needed to visit a client in a residential estate in Stellenbosch. On arrival, the licence disk of my car was scanned and the security officers scanned my driver’s licence. The home owner had also sent me a secure pre-generated code to enter onto a touchpad at the boom entrance. Without this, no entry would be granted. On exit, the security personnel again scanned the vehicle licence disc and driver’s licence.
This surely makes one feel uncomfortable. Why do they need all that information just to give me access; they have me on a camera and car registration number already and the home owner obtained a pass code for me personally that was sent to me on my cellphone?
In essence, this is exactly what POPI is about. Personal information being gathered and what it is used for and how and when it is discarded after it has been used, and ensuring it was used for a legitimate purpose. (Personal information in this context is specifically what is referred as “identifiable” information, in other words a telephone number with a name, an ID number with a name/address.)
Immediately from the aforegoing, it is apparent that POPI is a welcome piece of legislation, necessary to give flesh to the constitutional right to privacy.
But what does it mean for businesses, especially estate agents? It means the reverse, in other words that all businesses must have measures in place to protect the personal information that they have of clients/customers/staff, to use it only for a lawful purpose, and to delete the information in a safe way once it is no longer required for that purpose.
- POPI essentials
The purpose of POPI is to protect you and I from harm by protecting our personal information – to make identity fraud, accessing of your banking account details, and generally to protect and respect our privacy, which is a fundamental human right. (Entities are also considered to have a right to privacy and the protection is thus afforded to juristic persons as well.)
To achieve this, POPI lays down “processing conditions”, which sets out the instances and ways where it would be lawful to process someone else’s personal information. (The word “process” in this context is relevant as it deals with the whole “life cycle” from information, from cradle to grave – ie from when it is collected till when it is destroyed.)
1.3 Non-compliance penalties
What are the penalties for non-compliance? There are essentially two legal penalties or consequences for the agency:
- A fine or imprisonment of between R1 million and R10 million or one to ten years in jail.
- Paying compensation to the customer or entity for the damage they have suffered.
It is probably very unlikely that anyone will go to jail and the fines are small compared to other jurisdictions. However, the more “expensive” penalties lie in
- Reputation damage
- Losing customers (and employees)
- Failing to attract new customers
1.5 What constitutes “personal information”?
Personal information is a broad term and relates to an identifiable, natural or legal entity and includes BUT IS NOT LIMITED TO:
- Contact information – telephone number, email address etc.;
- Private correspondence;
- Biometric information – blood group, finger prints;
- Demographic information – age, gender, race, date of birth, ethnicity, etc.;
- A person’s opinions of and about a person or group; and
- A person’s history – employment, financial information, medical history, criminal history as well as educational history.
Remember that is also applies to your business internally – employment records and details of employees: employee’s salary and bank account, e-mails about an incident, a supervisor’s notebook, an individual employee’s personnel file, leave records, performance reviews, a set of leave cards depending upon how they are kept and a set of completed application forms filed in a particular order.
General exemptions exist in respect of:
- Data processed for personal reasons;
- Data that is de-identified and cannot be reinstated (ie a list of identity numbers without names);
- Data processed by (or for) a public body relating to national security, law enforcement, or the justice system;
- Data processed by a province’s Cabinet and committees or Executive Council;
- Data processed or completed for literary or artistic expression or for the purposes of journalism. (POPI deems processing for these purposes to be a matter of public interest and any limits on the processing could be seen as an infringement on freedom of expression.)
- POPI contemplates further that where personal information is processed for historical, research or statistical purposes, it is possible to be exempted from having to comply with certain conditions in the legislation. For instance, POPIA provides that the personal information may be retained for a longer period than would ordinarily be permitted, and that notification to the data subject is not required as it would be in the ordinary course. (In respect of personal information of children, this exception only applies if it is in the public interest or would constitute a disproportionate effort to obtain consent, and appropriate safeguards are established over the personal information. More about children’s data below.)
Special personal information
- POPI creates a sub-category of personal information – referred to as “special personal information” – which is afforded additional protections because of the sensitive nature of this information.
- As set out in section 26 of POPI, this includes religious or philosophical beliefs, race or ethnic origin, political persuasion, and information regarding one’s health or sex life.
- As a general principle, the processing of special personal information is not permitted unless one or more of the exceptions apply.
- The exceptions provided in respect of special personal information are much narrower than ordinarily applies, and for instance, does not include the legitimate interests of the data subject as one of the grounds on which processing is permissible. Grounds that can, however, be relied on include consent from the data subject, or where the information has deliberately been made public by the data subject.
- Sections 34-35 of POPI put in place special protections for the processing of personal information of children. As with special personal information, it would be advisable to limit such processing to the extent possible given the heightened protections that apply.
- As a general principle, POPI contemplates that the processing of personal information of children is not permissible unless one or more of the exceptions apply. These exceptions include the prior consent of a competent person, or where the personal information has deliberately been made public by the child with the consent of a competent person.
1.6 How does the application of the Act work practically?
The protection of personal information spans the full “life cycle” of personal information. In other words, taking an estate agent’s interaction with a client as example, the process POPI will apply to all of the below activities:
- GATHERING/COLLECTING INFORMATION – eg, when you conclude a mandate with a client and you ask him or her for certain details (ID, Cell Number, Address).
- PROCESSING – you record – on your cellular phone, laptop, desktop, a mandate form, in your office – these details; your office’s security gate asked the seller to provide his driver’s licence and scanned his vehicle’s registration details before he could enter the premises to come to your office; and the pricey CCTV camera at the entrance to your agency that you have just installed for valid security reasons, makes a visual recording of him; whilst you have him in the office, you make a copy for your file of his ID and a proof of residence document that he brought along, in order to pre-empt your FICA compliance; Your printer gives problems and the first copy of his ID appeared slightly smudged, so you throw that in the bin next to the printer and make another copy. The second one is better and you put that in your file.
The concept “processing“ in POPI means broadly anything that can be done with the personal information, including collection, usage, storage, dissemination, modification or destruction (whether such processing is automated or not). Processing means, in effect, doing something with the data. Examples of activities that constitute the processing of personal data include:
- Collecting an email address via a web form;
- Storing a list of customers’ addresses;
- Sending a person marketing communication.
- STORE – you keep all this detail with you (in your office computer system, on your phone and laptop as will sometimes, and a hard copy file that you keep in a drawer or cabinet. There are keys to the drawer/cabinet, but everyone trusts each other and you never lock up. Everyone has spare keys in any event and can access the cabinet.
- DISSEMINATE – You forward the ID of the seller that you collected during mandate stage, or after, as well as that of the seller, to the appointed conveyancers, by post, email, scan, whatsapp image. Because the name of the conveyancer was not specifically indicated, you sent the agreement and accompanying documents to the firm’s general address address, email@example.com. You also give the property address and name and contact number of the seller to the firm that you use to do inspections for purposes of issuing compliance certificates.
- DESTROY – Some time later after registration, you close your file and put it in your archive files/closed files shelves in your office. There you keep files for a year or so, and then destroy them by sending it to a company to shred. But you keep the seller and purchaser’s details on your laptop, add a reminder to contact the seller later because he intimated you thought that he was interested in investment properties and your colleague will have a new development on her books shortly, which you think would be something that he could be interested in., So you plan to contact him then. On the other hand, you keep the purchaser’s details because he mentioned that his son was emigrating from South Africa and would be selling his home shortly. Your agency has a branch in the area where he stays and you would like to pass on that lead to your colleague.
2. How is the personal information protected?
Protection is achieved by the eight “processing conditions” laid down in POPI. In other words, if you collect and process data in accordance with these (very stringent) conditions, your handling thereof will not breach the Act nor the person’s right to privacy. Think of these as legally-binding principles that must underpin all processing of personal information within your company.
These conditions are explained by way of an example. Pretend that on behalf of your agency, you were requested to find a suitable tenant for home that your client, the landlord, wishes to rent out. Summarised, these conditions for processing stipulate:
- Accountability: The agent/agency must ensure compliance with POPI when collecting data from the prospective tenant.
- Lawfulness: The collection of personal information must not be excessive, it must be legally justifiable, and it must not be collected from third parties without good reason.
There are 6 justification grounds in order to lawfully process personal information. The lawful basis will have to be determined before a company may start processing personal information. The 6 justification grounds include:
- Consent: The individual has given clear consent for a business to process the data subject’s personal data for a specific purpose.
- Contract: The processing is necessary for the performance or conclusion of a contract to which the data subject is a party.
- Legal obligation: The processing is necessary as it complies with an obligation imposed by law.
- Legitimate interest of the individual: Processing protects the vital interests of the data subject (ie an individual or entity).
- Public law: The processing is necessary to perform a public law duty by a public body.
- Legitimate interests of the responsible party (ie the estate agency/business that collects or holds the personal information): The processing is necessary for pursuing the legitimate interests of the responsible party or the legitimate interests of a third party to whom the information is supplied.
In our example and under this heading, were the agent to ask for the tenant’s banking details and FICA documents, as well as proof of employment, these could be justified under these exceptions. His consent will be obtained as your request will be legitimate in light of the transaction you are processing, and to ensure that he is financially capable of paying the rental amount.
- Purpose limitation: Personal information must only be collected in connection with a specific purpose and must not be stored for longer than necessary.
In our example, were the agent to ask other details such as church affinity, gender, sexual orientation, it would exceed the purpose of what the agent is required to do, and will not be compliant with this principle.
- Restriction on further processing: Personal information may only be processed for a purpose other than that for which it was collected under specific conditions.
In our example, were the agent to keep the email address and contact numbers of the landlord and/or tenant with the plan to market other properties to them for sale or to rent in future, without a specific request to do so, this condition will be breached.
- Information quality: Personal information must be complete and accurate and must ideally be obtained from the person himself, where possible. Only where this is not possible, may other sources be approached.
In other words, in our example, the information obtained must come from the tenant himself, or from the landlord and the agent must make effort to ensure that it is recorded correctly.
- Openness: Personal information must be processed in a transparent manner. In our example, the tenant must therefore be made aware of the fact that his data is being collected for purposes of his application for the lease.
- Security safeguards– Personal information must be processed securely and the responsible party must provide notification of any data breaches. This simply means that the agent must take care, when collecting and storing the information to take care that all is kept secure and not accidentally lost or made known to third parties.
- Data subject participation– People must be allowed to access their personal information and request that it is corrected or deleted if it is inaccurate. This is self-explanatory.
In our example, the agency must have a system/process in place to answer a person’s enquiry regarding what information of him/her, the agency is holding; they are allowed to view it and allowed to ask for it to be rectified if the information is incorrect.
3. Practical application in an estate agency
Generally, the following must be implemented:
- GAP analysis (“Follow the personal information”. Ie do an analysis of how and where it is collected, and how it is dealt with in each stage, until deletion/destroying.)
- Record keeping (of what personal info you have)
- Service level agreements: Review terms and conditions of agreements with third parties to make sure that any data shared with them is treated by that service provider with the same privacy measures as you have in place.) The agency may be outsourcing certain functions to third party operators, for example, external service providers that perform the accounting and auditing functions, facilitate payroll, manage the pension fund. Most of these functions will require the organisation to share personal information about its staff, clients and others with the third party operator in order for this function to be effectively completed.
Section 20 of POPI provides that where an operator processes personal information on behalf of the organisation, the operator must treat the personal information as confidential and not disclose it, unless required by law or in the course of their duties. In the event of there being a data breach, the operator is required to notify the organisation immediately where there are grounds to believe that personal information has been accessed or acquired by an unauthorised person.
It is therefore particularly important, when engaging the services of third party operators, to ensure that there is a written contract in place with the operator, requiring the operator to take appropriate, reasonable technical and organisational measures to prevent a data breach. This contract should also require that the operator, among other things, ensures that its safeguards are continually updated and that it has due regard to generally accepted information security practices and procedures. In addition to the written contract, it would also be good practice for the estate agency to exercise a reasonable measure of due diligence over whether the operator is appropriately implementing this contract, and taking the necessary steps to protect the personal information that it has under its control. Ultimately, in the event of a data breach, it will remain the responsibility of the estate agent (the party that instructed the third party) to notify the Information Regulator and the affected data subjects; it is also the estate agency that faces the risk of reputational harm if appropriate measures have not been taken.
- Requests in terms of data correction: do you have a system in place that clients can come up and ask what info you have of them? Can they view it? Can you accommodate corrections? If it has been deleted/destroyed, can you confirm to them how it was deleted, destroyed and when?)
- Appoint an Information officer
- Notification of security compromises (What is your procedure for notification to data subjects (natural persons and entities) that there was a breach?)
- Employee training (Your employees must understand their responsibilities in terms of POPI; not use office paper as scrap paper for children to draw on; or give our details about transactions to 3rd parties in conversations, etc)
- Adapting marketing methods in general, and specifically direct marketing.
The original aticle can be viwed here: