Four things you should know about the POPI Act
The Protection of Personal Information Act (more commonly known as POPI Act) came into operation on 1 July 2020. A grace period of 1 year has been granted to all organisations to ensure compliance with the POPI Act, and the deadline of 30 June 2021 is fast approaching.
This article is not a step-by-step guide to POPI compliance but rather aims to simplify the four main points of the POPI Act in plain language, to help all stakeholders in community schemes better understand their rights and obligations under the POPI Act.
The first point to understand about the POPI Act is that it is a principle-based piece of legislation. In other words, it does not set hard and fast rules or a checklist which every organisation needs to meet to be POPI compliant. Instead, it sets out principles or conditions for lawful processing of personal information.
The nature and scope of personal information which each community scheme processes depends on a number of factors and will differ from scheme to scheme. Every community scheme needs to study and apply these processing conditions within its own context. POPI compliance will invariably look different for each community scheme.
The second point to know about the Protection of Personal Information Act which might not come as a shock, is that it aims to protect personal information. But what exactly is personal information? In a nutshell, personal information can be defined as any information that relates to an identifiable, living, natural person and where applicable, an identifiable, existing juristic person.
The scope of personal information is extremely wide and includes everything from information relating to a person’s race, gender, age, disabilities and religion, to any identifying number, e-mail address, physical address, telephone number or other particular assignment to the person, as well as the personal opinions, views or preferences of the person. Personal information also includes correspondence sent by the person of a private nature and the biometric information of the person.
The third point to understand is that the POPI Act applies to any person or organisation who processes personal information. “Processing” means any operation or activity concerning personal information including the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use, dissemination or distribution and the erasure or destruction of personal information.
Almost all community schemes will need to conduct some form of processing of personal information, whether it be for purposes of communicating with owners, collecting levies, keeping a register of members, conducting opinion surveys, using CCTV security cameras or using biometric security access systems.
The last thing, and most important thing to understand is that the main purpose of the POPI Act, put simply, is to ensure transparent processing of personal information. Specifically, it requires organisations to provide transparency about the following:
- Why personal information is collected;
- How personal information is used;
- How personal information is stored;
- When and how personal information is shared;
- What process will be followed if a data breach occurs;
- How personal information held by the organisation can be accessed and corrected;
- When personal information is deleted; and
- Who the appointed information officer is.
To achieve practical compliance with these principles of transparency, each community scheme must ensure that a number of appropriate policies, notices, procedures and safety measures are put in place before 30 June 2021.
Most if not all, community schemes in South Africa will undoubtedly process some form of personal information relating to the owners and occupiers in the scheme and it is therefore advisable that the trustees or directors of the community scheme consult with a suitably qualified professional to assist them in achieving POPI compliance before 30 June 2021.
Author: Auren Freitas dos Santos, Director of The Advisory, a boutique law firm specialising exclusively in community schemes law.
Article Date: 28 April 2021
Article Reference: Paddocks Press: Volume 16, Issue 4.
This article is published under the Creative Commons Attribution license.
ALSO READ: Who is responsible to ensure body corporate compliance with relevant legislation?