POPIA and PAIA Supplement for Residential Estates


IACT-Africa POPIA and PAIA Supplement for Residential Estates

Table of Contents

  1. Introduction
  2. Context, Obligations and Benefits of Protecting Personal Information
  3. POPI Act Parties
  4. Internal Roles
  5. Key Activities for POPIA and PAIA Compliance in Residential Estates
  6. Privacy Governance and Management Structures
  7. Estate Constitutions
  8. Related Legislation
  9. POPIA 8 Conditions for Lawful Processing and Additional Sections in Residential Estates
  10. Ongoing Compliance
  11. Training
  12. Status of this document

1. Introduction

Welcome to the Residential Estates supplement to the IACT-Africa and PTC POPIA and PAIA Implementation Guide.

The purpose of this supplement is to provide introductory information for Residential Estate Management teams regarding the implementation and maintenance of compliance measures for the Protection of Personal Information Act (POPI Act/POPIA) and the associated law, the Promotion of Access to Information Act (PAIA). This supplement is intended to provide context for the areas of residential estate operations that POPIA and PAIA compliance affects. It should be read as an introduction to the POPIA and PAIA Implementation Guide and used in conjunction with the information provided during training workshops.

2. Context, Obligations and Benefits of Protecting Personal Information

Before we get started on the detail, let us think about what we are about to embark on and why we are doing this.

We know that there is an obligation to comply with the POPI Act, also called POPIA, before the enforcement date is upon us.  But there is another reason for doing this. It is to protect the privacy of personal information of people in estates as well as those who visit, work at and provide services to estates.  In a nutshell, estate management teams and Boards have a duty to ensure that personal information is processed in a lawful manner and that it is adequately secured in accordance with relevant laws enabled by global and local practices.

The consequences of not adopting such practices for privacy and data protection can take the form of a fine, a prison sentence or a legal claim, but more realistically they are likely to be reputational damage for the estate, loss of trust in the management team and Board, business disruption, a negative impact on property values and similar harms.

The benefits of adopting these practices include avoiding penalties (prevention is better than cure), building trust among your community and other stakeholders, enhancing the image and reputation of your estate and more. As already mentioned, you will be protecting a fundamental human right regarding privacy as enshrined in the South African Constitution and in the United Nations Universal Declaration of Human Rights (UDHR).

3. POPI Act Parties

It is important to provide an introduction to the parties involved in the processing of personal information, as an understanding of these is essential for your privacy journey. There are four parties (or four types of actor) that can be involved in the processing of personal information, namely:

      • Data Subjects: The person to whom personal information relates. In a residential estate these are typically residents, home owners, visitors, estate employees, contractors and suppliers/service providers. POPIA also regards organisations as data subjects, as it includes juristic persons in its definition of a data subject. These are typically companies, trusts, bodies corporate, etc. This inclusion of juristic persons is fairly unique to POPIA, as it is not found in many privacy and data protection laws in other countries. Note: In related international standards, data subjects are often referred to as Personally Identifiable Information (PII) Principals.
      • Responsible Party: This is a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information. It is also the party responsible for processing and protecting personal information in accordance with POPIA. In the residential estate sector this is the HOA, Body Corporate or similar entity. Note: In related international standards, responsible parties are usually referred to as PII Controllers.
      • Operator: This is an entity or person which processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party. In the residential estate sector this is a service provider which provides services to the estate that involve the processing of personal information. Examples of operators are security companies, IT service providers and other similar organisations. Note: In related international standards and laws, operators are usually referred to as PII Processors.
      • Third Party: Third parties are not formally defined in POPIA, but they are referred to in numerous sections with regard to certain processing activities. Third parties are organisations to which personal information could be sent but which are not typical operators or service providers to the organisation. Examples of third parties are government organisations to which returns have to be submitted; for example, employers send employee tax information to SARS, and they may also send payments to medical schemes on behalf of employees. As can be seen, these organisations are not operators but recipients of personal information.

4. Internal Roles

In addition to the parties described above, there are two key internal roles, which are outlined below:

      • Information Officer: POPIA and PAIA both require public and private organisations to appoint an Information Officer. The primary responsibility of the Information Officer is to develop, implement, monitor and maintain a compliance framework. This is a key leadership role which forms the foundation of POPIA and PAIA compliance.

Who should the Information Officer be in a residential estate? In the definition of the Information Officer in POPIA (Chapter 1), it is stated that this is the head of a private body (including a non-government organisation). It refers to section 1 in PAIA, which states that in a private body the Information Officer is the Chief Executive Officer or equivalent. In a residential estate/HOA or body corporate, this is normally the Estate Manager (or GM or CEO). As can be seen, it is not the Chairman of the Board or a Trustee. The Board’s role is an oversight role, not a management or operational role.

      • Deputy Information Officer: POPIA and PAIA make provision for a Deputy Information Officer to be appointed in order to assist in the execution of compliance related activities. There are no guidelines in POPIA or PAIA relating to who this should be. We recommend that this is a person in a senior business management position, in order to ensure that an appropriate level of authority is established.

It is important to note that while Deputy Information Officers can be appointed, accountability for compliance remains with the Information Officer.

The responsibilities of the Information Officer and Deputy Information Officer are contained in the appointment letter provided in the POPIA and PAIA Compliance Toolkit. Please refer to 1.2 in the Implementation Guide for more information.

5. Key Activities for POPIA and PAIA Compliance in Residential Estates

The key activities or measures for POPIA and PAIA compliance in estates are summarised below:

      • Establish privacy governance structures, such as the key appointments (Information Officer and Deputy Information Officer) and any committees for privacy and data protection;
      • Put in place a set of privacy and data protection policies and notices. The following are recommended:
        • A Privacy Policy or Notice, as well as visible signage, i.e. a summary of the privacy notice and CCTV policy, should be published. These should be published on the estate website and made available in the estate office and/or other practical locations;
        • Information security related policies and technical measures such as anti-virus, anti-malware, strong password practices, access controls to systems, file encryption, etc. Policies should include information security, acceptable use, CCTV and biometric policies;
      • Develop and maintain an inventory of personal information; this will enable effective and efficient responses to data subject requests;
      • Identify the processes or points where personal information is collected, for example the new resident registration and visitor registration processes. These should be checked to ensure that information is being collected lawfully, i.e. that it is being collected and processed with the knowledge of the data subject (resident, visitor, etc.), for a clear and valid purpose and with their consent. These should be amended where necessary;
      • Conduct a personal information risk assessment and establish risk management plans. These risks are in addition to traditional estate risk management practices;
      • Conduct a Privacy Impact Assessment for any new initiatives;
      • Review agreements with service providers where their services involve personal information, e.g. security companies, IT service providers, managing agents, accountants, auditors, etc. These must include a commitment by the service provider to protect personal information in line with POPIA, as well as the right of the estate to assess their information security practices. We provide a Responsible Party to Operator contract template, which has the appropriate clauses and references to sections in POPIA, as part of the POPIA and PAIA Compliance Toolkit.

It is important to check whether any of these are hosted services outside of South Africa, as transborder information flow requirements exist in POPIA. If such services are used, they should be hosted in a country with a law substantially similar to POPIA (e.g. Europe or the UK and, more recently, the State of California), and their Terms and Conditions or Data Protection Agreements must include a commitment to protecting personal information. These commitments will normally be found in clauses or sections relating to a Processor.

6. Privacy Governance and Management Structures

In larger organisations it is recommended that privacy and data protection (i.e. POPIA and PAIA related) governance structures and processes are established. These typically include establishing a Privacy Office or function and creating a Privacy Steering Committee or forum, which has responsibility for ensuring that effective privacy monitoring and maintenance practices are carried out, as well as for reporting the status to the Board.

In residential estates, however, it is not likely to be financially viable to establish such structures. Estate managers should nevertheless establish adequate mechanisms for ensuring that the Board is engaged and is kept informed of the status of privacy compliance in their estates. Boards should also add privacy and data protection to their agenda and should provide direction and support to estate management.

As a general recommendation, Board and management team members should make it their business to gain a general understanding of privacy and data protection practices.

7. Estate Constitutions

As part of an estate’s governance structure and process, it is recommended that key aspects of POPIA, PAIA and privacy compliance are included in the estate’s constitution. These should include references to the key roles and policies.

8. Related Legislation

There are numerous laws with which organisations need to comply. In the residential estate sector, the important sector related laws are the Sectional Titles Schemes Management Act (STSMA) and the Community Schemes Ombud Service Act (CSOS Act). As at February 2021, there is no linkage or alignment between these laws and POPIA and PAIA, which is likely to result in confusion and uncertainty in the near term. IACT-Africa will endeavour to monitor developments in this regard and to provide updates where appropriate.

9. POPIA 8 Conditions for Lawful Processing and Additional Sections in Residential Estates

POPIA contains 8 Conditions for the lawful processing of personal information, which the responsibilities of the Information Officer and Deputy Information Officer aim to address. These can also be seen as the principles for the lawful processing of personal information. They are based on the 8 principles contained in the EU Data Protection Directive of 1995. POPIA also contains 5 additional sections which must be applied in conjunction with the 8 Conditions.

Table 1 below contains a list of the 8 Conditions and 6 additional sections, as well as guidance for applying these in the Residential Estate sector.

Table 1: Summary of 8 Conditions and 5 Additional Sections

Each entry below gives the Condition or Section, the Residential Estate Context and the Compliance Measure Implemented.

Condition 1: Accountability / Governance

Residential Estate Context: Appoint an Information Officer and Deputy Information Officer as appropriate. Who should this be? This should be the Estate Manager or the most senior manager, not the chairman of the Board. POPIA refers to PAIA, which states that it should be the CEO. It is important to have the Board as part of the privacy governance structure from a sponsorship and oversight perspective.

Compliance Measure Implemented: An Information Officer and Deputy Information Officer have been appointed through an appointment letter. The appointment letter includes the Information Officer responsibilities as required by both POPIA and PAIA.

Condition 2: Processing Limitation

Residential Estate Context: Personal information should only be collected if there is a lawful basis for doing so. The lawful bases are:

  • You have consent from the data subject for collecting and storing their personal information;
  • You are fulfilling a contract;
  • You are meeting an obligation of another law;
  • Your action is in the public interest.

Compliance Measure Implemented: The POPIA Consent Compliance Assessment tool provided in the toolkit was used to build a list of personal information processing activities and to assess them. Please refer to 2.2.1, POPIA Consent Compliance Assessment, in the Implementation Guide.

Examples of processing activities in an estate are:

  • New resident registration;
  • Visitor registration;
  • New contractor registration;
  • New service provider registration;
  • New employee registration;
  • New club member (golf or other) registration.

Once you have assessed your processes and identified any changes, you should make the necessary changes to forms, systems, etc. These are likely to include obtaining consent and adding a link to your Privacy Notice.

We recommend that these changes are only made after you have completed the Purpose Specification (Condition 3) below, as the changes arising from that condition are likely to be similar to the Purpose Specification requirements.

Condition 3: Purpose Specification

Residential Estate Context: Personal information should only be collected for a clear and valid purpose. Appropriate purposes in estates are typically:

  • Resident account management;
  • Visitors to the estate;
  • Contractor management;
  • Service provider management;
  • Employee record management;
  • Club membership management and registration.

Compliance Measure Implemented: Assess the processes or points at which personal information is collected to ensure that you state the purpose clearly.

The POPIA Processing Lawfulness Assessment tool provided in the toolkit should be used to build a list of your processing activities. Please refer to 2.2.2, POPIA Processing Lawfulness Assessment, in the Implementation Guide.

As per the recommendation in Condition 2 above, you should amend your forms to include the purpose for which personal information is collected, in conjunction with the changes for Condition 2.

Condition 4: Further Processing Limitation

Residential Estate Context: POPIA allows you to extend the purpose for which you are processing personal information as long as it is compatible with the original purpose for which it was obtained. An example of further processing may be where the personal information of an employee is collected for the purpose of managing his or her employee record, but it is also necessary to send personal information to a medical scheme, SARS or another organisation.

Condition 5: Information Quality

Residential Estate Context: You should ensure that personal information is accurate, up to date and not misleading. The reason for this is to ensure that incorrect decisions are not made based on inaccurate information.

Compliance Measure Implemented: Establish processes for enabling residents, staff and other data subjects to check the accuracy of their personal information on a regular basis.

Condition 6: Openness

Residential Estate Context: You should inform individuals that their information has been obtained and the purpose thereof.

Compliance Measure Implemented: As part of your estate’s processing involving the collection of personal information, you should inform the data subject that you have obtained their information, as well as the purpose for which it was collected. It is also good practice to provide a link to your Privacy Notice wherever possible.

Condition 7: Security Safeguards

Residential Estate Context: POPIA requires that all reasonably foreseeable risks to personal information are identified.

Compliance Measure Implemented: A Personal Information Risk Assessment should be conducted. Mitigation plans for risks should be defined and carried out on an ongoing basis. The POPIA Physical Security Risk Management tool has been provided. Please refer to 4.2.2.10 in the Implementation Guide.

Residential Estate Context: Personal information risks should be managed through appropriate policies and procedures.

Compliance Measure Implemented: Policies and Notices for POPIA and Data Protection should be implemented in your estate. These are provided in the POPIA and PAIA Compliance Toolkit and are covered in 4.4.2 in the Implementation Guide.

Residential Estate Context: POPIA requires the Responsible Party to establish appropriate, reasonable organisational and technical measures to protect the confidentiality and integrity of personal information against unauthorised access or use. Consideration must be given to generally accepted information security practices or procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.

Compliance Measure Implemented: An Information Security Assessment should be conducted and any gaps or shortfalls should be addressed. Please refer to 2.2.5 for information about the Information Security Assessment. This is based on the UK ICO information security assessment and is regarded as providing generally accepted information security practices and procedures.

Residential Estate Context: The Responsible Party is also required to ensure that Operators implement and maintain appropriate and reasonable organisational and technical measures, and that written contracts are established with Operators to this effect.

Compliance Measure Implemented: A list of Operators (service providers whose services include personal information) should be developed, and the agreements you have in place with them assessed for clauses in which Operators commit to protecting personal information in accordance with the Security Safeguards in POPIA. These clauses can be found in the Responsible Party to Operator clauses template contained in the Contracts folder in the POPIA and PAIA Compliance Toolkit. The Existing Contracts and Policies Review tool should be used to identify, list and assess your contracts and policies. Please refer to 2.2.3 in the Implementation Guide for more information.

Condition 8: Data Subject Participation

Residential Estate Context: Data subjects have the right to request access to the personal information that you hold about them, and to request that the information is deleted or corrected if appropriate. Residents, visitors, staff and anyone external to the estate have a right to ask what information your estate holds about them. In order to cater for this requirement, a PAIA Manual with a request form will be required.

Compliance Measure Implemented: A PAIA Manual should be prepared for your estate and published on your website. It should also be made available as a hard copy in your estate office. A PAIA Manual template has been provided in the POPIA and PAIA Compliance Toolkit; please refer to 4.2.2.5 in the Implementation Guide for more information.

A Personal Information inventory is also required in order to enable you to locate the personal information of a data subject. We recommend that such an inventory is developed using the Personal Information Diagnostic tool provided in the Implementation Guide. Please refer to 2.2.10 for more information.
Additional Sections in POPIA

In addition to the 8 Conditions described above, Estate Management Teams should give consideration to the sections below. Each entry gives the Section, the Residential Estate Context and the Recommendation.

Part B: Processing of Special Personal Information

Residential Estate Context: Within the definition of personal information in POPIA, there are a number of items which are regarded as Special Personal Information. These include:

  • Religion;
  • Race or ethnic origin;
  • Trade union membership;
  • Health information;
  • Biometric information;
  • DNA;
  • Sexual preferences;
  • Criminal history.

Part B, Section 26, states that special personal information may not be processed by the Responsible Party unless the requirements of section 27 are met. These include:

  • Obtaining consent from the data subject;
  • Exercising or defending a right or obligation in law;
  • Processing is necessary to comply with an obligation of international law;
  • The purpose serves a public interest and the processing is necessary for the purpose concerned.

In a residential estate, the most common use of special personal information is through the use of biometric devices.

Recommendation: Since the most common use of special personal information in residential estates is with biometric devices, consent should be obtained from data subjects for the use thereof. This requirement should be addressed in conjunction with Condition 2, Processing Limitation, if your estate uses biometric technology.

Part C: Processing of Personal Information of Children

Residential Estate Context: Part C, Section 34, states that processing the personal information of children (under 18 years of age) is not permitted unless the requirements in section 35 are met. These include:

  • Obtaining consent from a competent person. In reality this is the parent or legal guardian of the child.
  • The other requirements are fundamentally the same as those in the Processing of Special Personal Information section above.

It is common for the personal information of children to be used in newsletters and other similar communications in estates.

Recommendation: This requirement should be addressed in conjunction with Condition 2, Processing Limitation, if your estate processes the personal information of children.

Section 5: Rights of Data Subjects

Residential Estate Context: Section 5 states that data subjects have the right to have their personal information processed in accordance with the conditions for lawful processing. These are the 8 Conditions covered earlier in this document. This section also covers the rights outlined in Condition 8, Data Subject Participation.

Recommendation: Since the rights of data subjects will be protected through the measures you implement to comply with the 8 Conditions, no specific action is required.

Section 55, Part B: Duties and Responsibilities of the Information Officer

Residential Estate Context: The duties and responsibilities of the Information Officer form the foundation of compliance in estates. The appointment and responsibilities of the Information Officer and, where appropriate, a Deputy Information Officer, are covered in the appointment letter provided in the POPIA and PAIA Compliance Toolkit.

Recommendation: The POPIA and PAIA Information Officer Appointment letter includes the responsibilities as required by POPIA and PAIA. Please refer to 1.2 in the Implementation Guide.

Chapter 8: Electronic Direct Marketing

Residential Estate Context: Chapter 8 in POPIA covers the rights of data subjects regarding direct marketing by means of unsolicited electronic communications.

Section 69 states that using personal information for electronic marketing by means such as SMS, email and other technologies is prohibited unless consent has been obtained from the data subject and was not previously withheld. It also states that the responsible party may only approach the data subject once and should not do so again if consent for marketing is refused.

Form 4 in the POPIA Regulations describes the appropriate manner in which consent should be obtained for direct marketing.

Recommendation: If your estate carries out direct marketing, it is important to follow the requirements contained in Section 69, which can largely be achieved by obtaining consent using Form 4. This can be found in Appendix A in the Implementation Guide.

Chapter 9: Transborder Information Flows

Residential Estate Context: Chapter 9 in POPIA includes requirements for ensuring that certain safeguards are implemented when a Responsible Party intends sending personal information to a recipient in another country. These include the following:

  • Ensuring that a law or binding agreement which provides an adequate level of protection is in place;
  • Ensuring that the law or agreement incorporates conditions substantially similar to the conditions for lawful processing contained in POPIA, including adequate Security Safeguards.

Recommendation: If your estate sends personal information to recipients in another country or uses a cloud service in another country to store personal information, it is necessary to:

  • Check the location (country) of the recipient or the cloud service;
  • Check that there is a law substantially similar to POPIA in that country. Europe and the UK have similar legislation to POPIA;
  • Check that the service provider has a Data Protection Agreement (or similar) in which there is reference to their role as a Processor and reference to security safeguards;
  • Check that the service provider holds and publishes certification against information security standards such as ISO 27001 and ISO 27018;
  • Inform data subjects that their personal information is being stored in another country.

10. Ongoing Compliance

It is essential to continue with the ongoing monitoring of your POPIA compliance efforts and to ensure that you maintain your assessments, policies, contracts and other documents once your compliance preparation project has been completed. Please refer to section 5 in the Implementation Guide for more information on the Post Implementation Compliance Checklist.

11. Training

We strongly recommend that you attend the POPIA training workshops which are being scheduled by ARC before commencing your POPIA Compliance Preparation Project.

12. Status of this document

This document and the Implementation Guide should be treated as practical advice and guidance to assist you in your POPIA & PAIA compliance activities. They do not represent, nor do they constitute, legal advice.

Date Published: February 2021
