The impact of POPIA on the property industry
25 August 2020
With the Protection of Personal Information Act 4 of 2013 (POPIA) that came into effect on 1 July 2020, it... is vital that the property industry also considers the impact and application of POPIA on themselves. Here I briefly explain what can be expected, with specific reference to Estate Agencies and conveyancing firms and their clients, with regards to the scope of consent as well as the storage and protection of personal information. These are challenging times for businesses in South Africa, because along with the economy slowly picking up pace for the first time since Covid-19 has struck, businesses who it applied to only have until 30 June 2021 to ensure that they comply with POPIA. POPIA aims to safeguard personal information, including the identity and proof of address documentation, of persons (known as Data Subjects, according to the Act) whose information is being collected, used, shared and destroyed (regarded as Process) by what is termed Responsible Parties. All businesses are now required to implement various processes to achieve this aim.Regarding consent, POPIA places an important responsibility on Responsible Parties such as Estate Agencies and conveyancing firms that process contact and identification details of Data Subjects. This means that you as the Responsible Party, can only obtain and use the personal information of Data Subjects with their consent. Consent extends to the identity and proof of address documentation obtained from both the seller and buyer of property, the Data Subjects.However, consent is not expressly needed in all cases, as the personal information referred to above can be shared with related parties, such as the bond registration attorney and the banks involved in a certain transfer, with the purpose of achieving the mandate of the Estate Agent and the Conveyancer, without the Data Subject’s consent. Moreover, it is important to remember that the personal information can only be stored until the mandate has been completed or for five years after the personal information has served its purpose, as industry practice suggests.Data Subjects may request, free of charge, from you that all original documents, including the title deed of the property, be returned to their respective and rightful owners once they have served their purpose. In as far as direct marketing is concerned, especially on the side of the Estate Agency, the Estate Agency may now only advertise its services or products (houses for sale) by way of unsolicited electronic communication such as SMS or electronic mail once the client has agreed thereto following a once-off “opt-in” request for express consent to allow the Estate Agency to use the client’s personal information for direct marketing purposes. This applies to both existing and new clients of the Estate Agency. The request should only inform the client of the services or products the Estate Agency would like to market to the client, and that their consent is required for them to receive it. However, the client should still be given the opportunity to “opt-out” of the direct marketing each time such marketing occurs. It's therefore advisable to draft or update your data privacy policy to deal with such required consent and access to personal information.As a Data Subject - which refers to the buyer or seller - the collection of your personal information should be obtained directly from you unless the information is derived from a public record or has deliberately been made public by you. For this reason, be careful what personal information you publish online as you may unintentionally be making your personal information ‘free-for-all’.In relation to obtaining consent, the practice currently being followed in the property industry by some conveyancing firms and Estate Agencies is the use of a POPI Declaration, by which the Data Subject is asked to consent, among other things, to the collection, storage and sharing of the personal information of the Data Subject with a FICA Accountable Institution that is a party to the transfer. Otherwise the Data Subject will, upon request, need to provide the necessary consent to each party. POPIA also places specific obligations on the Responsible Party that stores personal information. This is in order to protect the Data Subject from suffering damage or harm. POPIA also provides the Data Subject with remedies, should there be a breach by the Responsible Party of the obligations imposed on it by POPIA. These obligations extend to the distribution of personal information to third parties (identified by the Act, as Operators), who store or destroy such information on behalf a Responsible Party in terms of an agreement. This means that outsourcing personal information to an Operator for storage or destruction purposes does not absolve you from your obligations under POPIA. You will still be held responsible if the Operator compromises the personal information. That is why it is vital that a proper agreement is in place between the Responsible Party and the Operator in order to ensure that the Operator’s obligations regarding the storage and destruction of personal information are clearly stipulated in terms of POPIA. Furthermore, personal information should be adequately protected by the Responsible Parties, whether such information is stored digitally or in hard-copy format. This is to prevent the misuse of the information by third parties either for fraud, identity-theft or other unauthorised purposes. Estate Agencies and conveyancing firms should consider generally accepted data protection measures and procedures required in the property industry, including data encryption, installation of CCTV cameras, safes, firewalls and anti-virus software as well as password policies and secure file destruction protocols. It is also important to train employees on such measures and procedures on how to deal with data breaches as mandated by POPIA. Bear in mind that, as cumbersome as compliance may sound, the the costs involved to comply with POPIA are far much less than those of non-compliance, as not complying may cost the Responsible Parties up to R10 million in fines and/or 10 years imprisonment. Although 12 months sounds like a long time to become compliant with POPIA, compliance does take time and you are advised to comply well before this grace period ends in 2021. Acquiescence will go a long way in building client-confidence in your business. It will also create business legitimacy and attract other businesses, local and abroad, that are willing to work with a compliant business such as yours!