The real estate sector consists of various responsible parties and operators for the purposes of POPI. All these role players collect personal information from data subjects in the performance of their duties. The data gleaned from data subjects are used to complete various commercial instruments such as lease agreements, sales of property, FICA compliance affidavits, bond approvals, mortgage bonds, notarial bonds, antenuptial contracts and deeds of transfer.
The processing of personal information by various persons is integral to the operation of the real estate industry. Conveyancers, for example, receive personal information from purchasers, sellers, developers, estate agents, insurers, auditors, homeowners’ associations and financial institutions. Some of the information is, in turn, passed onto government institutions such as SARS, deeds registries and municipalities for further processing either directly or via various vendor software packages.
A responsible party like an estate agent, broker, mortgage originator or conveyancer is defined in section 1 of POPI as a “public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.”
A responsible party has the duty to ensure that it meets the conditions of lawful processing of personal information and adheres to the security measures on integrity and confidentiality in respect thereof under section 19 of POPI.
In terms of the security safeguards, a responsible party must take appropriate, reasonable technical and organisational measures to prevent the loss of, damage to, or unauthorised destruction and unlawful access to or processing of personal information. This includes the duty to take reasonable measures to identify all reasonably foreseeable internal and external risks to personal information; establish and maintain appropriate safeguards against the risks identified; regularly verify that the safeguards are effectively implemented; and to ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
A data subject is the person to whom personal information relates and POPI provides a non-exhaustive list of what constitutes personal information in terms of section 1. In addition, POPI awards rights to data subjects, which include the right to have their personal information processed in accordance with prescribed conditions for its lawful application.
Processing of personal information and what is required from a real estate perspective
Section 11 of POPI provides for the consent, justification and objection of processing of personal information. Processing of information includes the collection, recording or use thereof, the dissemination thereof and the merging or destruction of such personal information. Personal information may only be processed if the “processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party; for the proper performance of a public law duty by a public body; for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied”. Processing personal information, in addition must, “comply with an obligation imposed by law on the responsible party” and protect the interests of the data subject.
The conditions for lawful processing of personal information notably also require the data subject to consent to the processing of the personal information. Examples of data subjects include landlords, tenants, sellers, purchasers and their authorised representatives. It is required that a consent be obtained from a data subject prior to receiving any personal information and we would recommend that such consent be in writing.
Furthermore, the collection of the personal information must be taken directly from the data subject unless the information contained is derived from a public record or has deliberately been made public by the data subject (section 12 of POPI) and obtained for a specific purpose related to a function of the responsible party (section 13 of POPI), which the data subject must be informed of.
All real estate role players are required to notify all data subjects (section 18 of POPI) of inter alia the collection of and the manner in which their personal information will be processed. We recommend that such notification be advanced in writing and is to specifically be brought to the attention of the data subject who is to confirm that they understand the contents thereof. It should be noted that the notification must be provided prior to the personal information of a data subject being disclosed to the responsible person.
It is also important to note that responsible parties who authorise operators like a vendor software operator to collect personal information on their behalf, must ensure that POPI compliance is included as one of the obligations of their contract. Operators must ensure that they maintain security safeguards and must notify the responsible party immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.
Contravention of POPI could result in far-reaching sanctions, these include the imposition of fines, imprisonment for a period of 12 months to 10 years and/or a damages claim by the data subject. Each role player has one year within which to ensure that their business practices comply with POPI, failing which, they will fall foul of the statutory provisions.