MRI Software and POPIA

POPIA refers to South Africa’s Protection of Personal Information Act, which was assented to by Parliament on 19 November 2013 (“POPIA”).

POPIA gives effect to the common law and constitutional right to privacy and regulates the processing (widely defined under POPIA to include collection, recording, organising, collating, distributing, modifying, storing, using and destruction) of a data subject’s personal information. It applies not only to responsible parties domiciled in South Africa but also responsible parties outside of South Africa that use means to process in South Africa. POPIA imposes duties on both responsible parties and operators.

A responsible party, under POPIA, is defined as “a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information”. An operator, under POPIA, is defined as “a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party”. Personal information, under POPIA, is defined as “information relating to an identifiable, living, natural person and, where applicable, to an identifiable, existing juristic person”. A data subject, under POPIA, is defined as “the person to whom personal information relates”.

POPIA provides for eight conditions for the lawful processing of personal information including accountability, purpose specification, processing limitation, further processing limitation, information quality, openness, security safeguards and data subject participation.

Possibly. POPIA only applies where either the responsible party is domiciled in South Africa or is using means in South Africa. POPIA does not refer to the offering of goods or services, or monitoring of individuals, from abroad. If you fall within the definition of a responsible party, and the MRI product that you are using contains a data subject’s personal information (see previous question), then POPIA will likely apply. Please also see question below for when MRI could be a responsible party.

Personal information might be stored in obvious locations, such as fields identified by the personal data label like name and address, or personal information may be stored in less obvious locations, for example as unstructured data such as comments, notes, custom fields, or file attachments. As a responsible party, the client (you) ultimately determine what personal information you will store within the system and where you store it. Your record management policies should identify where you have recorded personal information.

As an operator, MRI has taken and is continuing to take steps to protect the personal information that is intended to or likely to be stored or input into the MRI system or provided to MRI and its subcontractors. MRI is happy to assist you in determining recommended uses of the software fields and storage locations.

MRI is most commonly acting as a technology service provider to property managers, owners, and occupiers (MRI’s clients). As such, MRI processes personal information in order to perform its obligations under the governing agreement between our clients (you) and MRI. MRI processes information as permitted under that governing agreement. For SaaS (cloud) or MRI-hosted clients, the personal information is held within MRI’s systems and data centres (see more information on data centres below). For on-premise (or client-hosted) clients, the personal information is held within your own systems and not held by MRI. Additionally, clients will send personal information to MRI for implementation, testing, or support purposes.

MRI does act as a responsible party also where it holds data on its clients to perform its contracts, such as if an individual is named as a billing contact in our internal CRM system or where individuals information is collected for marketing purposes so we can share updates with you or invite you to events. You can access our privacy policy at https://www.mrisoftware.com/za/privacy-policy/

The type of personal information held will vary depending on what product lines you are using as well as how you individually are utilising the system. With that in mind, we have provided a table below that outlines what personal information is likely to be contained within MRI’s product lines and which data subjects are likely to be impacted. We will add additional information outlining the type of data and data subject which are likely to be held within the specific MRI products that you use on this page as it becomes available.

As an operator, MRI does not determine the lawful basis for processing. It’s for the responsible party – our client – to decide what the right lawful basis for processing personal data is and to make that clear to the data subjects in its privacy policies and processes. Consent is just one of several different bases for data processing.

Yes. MRI utilises state-of-the-art data centres for its cloud-based offerings. As of April 2018, MRI utilised data centres in London, Ireland, Germany, Chicago, Virginia, Georgia, Singapore, Netherlands, and Sydney for its production and backup environments. We will add additional information, specific to the MRI products that you use, on this page as it becomes available.

For quick reference, MRI’s primary and secondary data centres for MRI Property Central and Propsys products are held in South Africa.

Although we cannot guarantee against all potential loss of personal information while processing, MRI has and will continue to institute technical measures which are appropriate to ensure a level of security which takes into account the nature, scope, context and purposes of processing of personal information. Where such measures cannot be accomplished automatically, we will recommend additional steps that can be taken (by either MRI or you) to continue to enhance the security of the personal information.

To provide one example to illustrate this, within a product suite there may be transactional records that contain personal information that may need to be automatically deleted by the user real-time. Some of MRI’s products may contain routines to assist in the automated deletion or anonymisation of that personal information; others may provide you with processes to action such deletions yourself.

MRI has and will continue to institute organisational measures which are appropriate to ensure a level of security which takes into account the nature, scope, context and purposes of processing of personal information. Specifically, MRI maintains a document information security plan which outlines the physical, technical, and organisational security guidelines, including outlined training, awareness and employee vetting procedures. MRI’s information security plan also outlines the encryption of client data, disaster recovery and business continuity plans, vulnerability testing, security audits, and data breach procedures.

As one example, MRI maintains employment policies relating to the handling of personal information, which ensures that access is restricted to authorised personnel only. These policies include password requirements, user authentication, and confidentiality obligations. MRI regularly trains its staff and management on these policies and monitors compliance with the same. Additionally, MRI’s Information Security Team and Data Privacy Practitioner(s) regularly monitor the policies, training and compliance with the same.

Personal information of a data subject can be protected by establishing suitable controls and policies with respect to this information within your organisation which are aimed at preventing unauthorised access to the software and infrastructure where the data will be stored. Your controls may include education, and training to users about the importance of protecting the data, user authentication policies, user roles, privileges, security rights, segregation of duties and access management.

In addition, MRI provides its clients with tools which enable you, as the responsible party, to set security controls to protect the personal information within your company. These tools will vary based on the products and delivery mechanism purchased (i.e. SaaS/cloud-based v. on-premise installation).

MRI is committed to protecting the security of the client data within its systems. MRI has processes and protection in place to investigate any potential data breach, notify affected client(s) of such breach, provide information to the client related to the data breach, contain and correct the data breach, and to mitigate the effects of the data breach. Additionally, if a data breach were ever to occur, MRI will work with its clients to comply with the clients’ own obligations under POPIA.

You will need to identify through your record management policies where that personal information is held (for example in structured and unstructured data fields) and then use the reporting features of the software to provide this, which could be a mixture of screen copies, spreadsheets or reports. Please contact MRI’s support team if you are having trouble extracting this information. Support will be provided in accordance with your governing agreement in place with MRI.

Most of our products provide you with the ability to delete personal information manually from the user interface within the active system. For those records that cannot be deleted using the user interface, you may have the ability to anonymise it so that it no longer identifies that individual by overwriting the fields that store the personal information, thus eliminating the data as personal information. In circumstances where neither are available, you may contact MRI for technical support. Support will be provided in accordance with your governing agreement in place with MRI.

MRI does not proactively delete personal information while you are still a client of MRI’s. If during that time you need to delete personal information, you will need to make those changes through the user interface or contact MRI support for assistance. Support will be provided in accordance with your governing agreement in place with MRI. While you are a still a client of MRI’s, MRI will make regular backups of the database for backup and data restoration purposes.

Once you are no longer an active client and your contractual term has expired, MRI will remove your database, including all data, from its active environment and the database will not be included in periodic backup logs that are captured in the future. Any information previously backed up will be held for a reasonable retention period and then permanently deleted in accordance with your governing agreement.

MRI protects the privacy and security of the personal information that is entrusted to it. In order to maintain that privacy, we do not allow any of our clients to audit our systems or records, as such an audit could expose personal information of other data subjects and other clients. However, MRI does maintain records and information that are necessary to demonstrate its compliance with the data protection laws applicable to it in the processing of Personal Information. This information can be made available to our clients upon request.

If you feel that an audit of MRI’s systems is fundamentally required for your organisation, then we encourage you to reach out to your Account Manager to discuss alternatives. Such alternatives can only be considered if your database is housed within a dedicated SaaS environment, which you will need to purchase, and will come with restrictions.

Many of our products provide you with the ability to correct personal information manually from the user interface within the active system. To start, you will need to identify, through your record management policies, where the personal information in question is being held and then update it.

If you are unable to perform this task within the user interface, please contact MRI’s client support for assistance.

MRI has a Data Privacy Practitioner(s) who oversees the organisation’s privacy practices and ensures ongoing POPIA compliance. The Data Privacy Practitioner can be reached at DataPrivacyPractitioner@mrisoftware.com.

We include a specific Data Protection and Security Schedule in our Master Agreement that deals with data protection considerations. You can access this at – www.mrisoftware.com/termsandconditionsza

You can also access our privacy policy at https://www.mrisoftware.com/za/privacy-policy/