Most of the sections of the POPI Act finally came into operation from 1 July 2020 (only some of its provisions having been operational since April 2014). This gives effect to section 14 of our Constitution, which states that “Everyone has the right to privacy”.
The purpose of the POPI Act in relation to community schemes is to ensure that the personal information of the owners and/or residents of units or homes in the scheme is collected, stored and managed responsibly by not only the scheme executives and managing agents, but also by unit-owners, and to protect the rights of the owners or residents not to have their personal information abused or compromised by having the information shared arbitrarily and irresponsibly with anyone.
If a community scheme or a managing agent does not comply with the POPI Act (and they have 12 months from the date of commencement to conform to the Act), there are jail sentences of up to 10 years and fines up to R 10 million, obviously depending on the seriousness of the breach.
In terms of POPI, personal information is defined as “information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, inter alia, race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person, as well as the name of the person, his or her ID number, letters from or about that person that contain confidential information, and biometric information. (Further information that is regarded as personal is set out in section 1 of the Act under “Definitions”)
Section 19 of the POPI Act requires an organization, being the community scheme in this context, to ensure that suitable measures are in place to maintain the integrity and confidentiality of information pertaining to owners and residents by preventing loss, damage, and unauthorized access to this data.
In the normal course of their duties scheme executives are required to collect the personal information of the owners and occupiers of the scheme, and the owners and residents have a concomitant obligation to furnish this information to them. For example, section 13(1)(f) of the STSMA obliges the owner of a unit “to notify the body corporate of any change in ownership or occupancy of his or her section and of any mortgage without delay”.
Prescribed Management Rule 27(2)(b) states that the body corporate must obtain the following information, which must be kept updated:
All scheme executives, in this case Trustees, have a statutory and common law fiduciary obligation to act in good faith, and with due diligence and care in the interests of their community scheme at all times. It is their duty to ensure that the information obtained from members is only used for the purpose for which it was given.
What is that purpose?
The management and administration of the community scheme – nothing else.
The STSMA in the case of a sectional title scheme, and most Memoranda of Incorporation or Constitutions of HOA’s, provide for a member to have access to the documents and records of the scheme upon request. Here specific reference is made to Prescribed Management Rule 27(4) which states that: “On receiving a written request, the body corporate must make the records and documents referred to in this rule available for inspection by a member, a registered bondholder or a person authorised by a member, and provide copies to them”.
DOES THIS MEAN THAT TRUSTEES OR THE MANAGING AGENT CAN OR MUST GIVE OUT INFORMATION WILLY-NILLY?
NO, DEFINITELY NOT!
It is important to remember that a balancing of competing rights or interests comes into play in an instance such as this:
Who has the “larger” right or interest: the person asking for access to the documents, which information may include personal information of a member, such as his or her arrear levy status (which can be an indication of financial problems he may be experiencing at the time), as opposed to the member in question who is in arrears with his or her levy.
In a case such as this the scheme executives or managing agent would have to make a judgement call in order to determine whether the request for information is in pursuit of a legitimate purpose in furtherance of the proper management and administration of the scheme, or not.
An example of a case where such a request for information would not be in pursuit of a legitimate purpose, would be where a member asks for another member’s arrear levy account simply to “name and shame” him at a forthcoming meeting for the purpose of causing mischief.
If the information is not required in furtherance of the proper management and administration of the scheme, or there is a reasonable possibility that it may not be, then the scheme executives or managing agent may not distribute the information without obtaining the prior written approval of the member concerned. If the approval is not obtained, the personal information must not be shared.
In a situation such as this, it is best to err on the side of caution.
In conclusion, here are 4 initial steps that scheme executives can take to comply with the POPI Act:
Falling foul of POPI is not worth the risk!
For enquiries, email the Manager for CSOS Governance:
Johlene Wasserman , Johlene.email@example.com