After coming into effect in July 2020, South Africa’s Protection of Personal Information Act (POPIA) becomes enforceable on the 1st July 2021. Any business that processes or stores the personal information of clients, tenants, vendors, or suppliers needs to be fully POPIA compliant by this date or be in breach of the law.
As a company working within South Africa, these regulations affect both us at MRI and many of our clients, as many of our solutions work with client or tenant data, the most widely used being MRI Property Central.
It’s therefore important that we work together with our clients to ensure full compliance with the regulations and protect the personal data we store and use to run our businesses.
If you’re unsure how best to bring your operations in line with POPIA, we always recommend seeking legal advice and referring to the official POPIA wording.
What is POPIA?
POPIA refers to South Africa’s Protection of Personal Information Act, which was assented to by Parliament on 19 November 2013.
The purpose of POPIA is to:
- give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party
- regulate the manner in which personal information may be processed (widely defined under POPIA to include collection, recording, organising, collating, distributing, modifying, storing, using and destruction)
- provide persons with rights and remedies to protect their personal information
- and establish voluntary and compulsory measures to promote, enforce and fulfil the rights protected by the Protection of Personal Information Act.
The act imposes duties not only on responsible parties domiciled in South Africa but also on responsible parties outside of South Africa that process data in South Africa. POPIA places obligations on both responsible parties (“a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information”) and operators (“a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party”). Personal information, under POPIA, is defined as “information relating to an identifiable, living, natural person and, where applicable, to an identifiable, existing juristic person”.
POPIA provides for eight conditions for the lawful processing of personal information including accountability, purpose specification, processing limitation, further processing limitation, information quality, openness, security safeguards and data subject participation.
How are MRI clients affected?
In practical terms, POPIA lays out a number of responsibilities that businesses need to act upon to ensure the security and lawful processing of people’s data. The property industry might process personal information for several reasons, but the most widespread amongst our clients is for the effective management of tenancies and property transactions, as well as the marketing of products or services. When gathering and using this data, businesses need to show that they have put into action measures to address the requirements laid out by POPIA.
At MRI, we’ve been adapting many of our solutions since 2019 to make adherence to the POPIA requirements easier, and our solutions are already developed to help you maintain compliance. We also have several further developments in the pipeline to make observance of the POPIA regulations even easier.
Businesses should build processes into their operations to address the following requirements:
When gathering personal information, consent must be given by the individual before that data can be processed. For direct marketing etc. this means obtaining clear consent from the subject that their information can be used for marketing purposes, as well as keeping a record to prove that this consent has been given.
However, in situations other than marketing, consent is often implied via a contractual agreement where the processing of personal data is essential to carry out the contract. For many of our clients, consent to data processing is essential in order to manage tenancies and fulfil the service obligations of the business. By entering into a tenancy or transaction with the business, tenants are agreeing to the processing of whatever personal data is essential for the completion and management of that contract.
Within most MRI systems, the level of personal information required is very basic, with the exception of clients within the affordable housing sector that need to store more sensitive information like income, race etc. It’s important to ensure that tenants have consented to the collection and processing of this data, and that you have proof of their consent to ensure compliance.
When storing personal data, the responsibility for its safeguarding lies with the responsible party. Under POPIA, organisations must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to protect against loss, damage, or unlawful access to the data.
To meet this requirement, organisations can implement certain controls including education and training to users about the importance of protecting the data, user authentication policies, user roles, privileges, security rights, segregation of duties and access management.
MRI provides its clients with tools which enable the responsible party to set security controls to protect the personal information within your company. These tools will vary based on the products and delivery mechanism purchased (i.e., SaaS/cloud-based v. on-premise installation).
Data subjects (the individual to whom the stored personal data relates) have the right to know exactly what data an organisation holds on them, as well as request amendments, deletion, or anonymisation of their data. This means that it’s important that the systems in place to store and manage personal data are able to securely retrieve and process the data according to the individual’s wishes.
Some systems on the market do not allow for the deletion of personal information; however, MRI solutions have the in-built capability to amend and delete stored information at the end of its retention period or on a right-to-be-forgotten request.
POPIA states that personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party, and that data subjects should be made aware of how their information is going to be used before they give their consent.
This includes when using third-party software, and integrating your existing MRI products, like Property Central, with other outside systems. It’s important, therefore, that consent is gathered not only for data capture, but also sharing with third-party systems.
MRI’s Service and POPIA
While at MRI we’ve been working to ensure our solutions are ready for POPIA, there are still some updates and developments we’re planning for Property Central in order to make adherence to the regulations even easier. We’re keen to work with our clients to identify developments that will make the management of personal information simpler for your teams.
First, we’re looking at improving the data search functionality within our systems to create a more streamlined way of accessing all the data stored within an individual record. By developing the ability to search for tenant/data subject records via email address or name, answering requests for data openness or validation from the data subject will be much simpler, quicker, and more efficient.
We’d also like to work with our clients on simplifying the process for anonymising data. When tenants are no longer a client, and their personal data is no longer needed for the business to fulfil its obligations, the data should be either removed or anonymised to meet POPIA requirements. Anonymised data can be useful for businesses for historical reporting purposes. While anonymisation can be done currently within Property Central, we’re looking at ways in which this process can be streamlined.
To find out more about how MRI are meeting the POPIA requirements, take a look at our POPIA FAQs. If you have any questions regarding how your systems can be used to comply with POPIA, or any feedback on how we can improve our services, get in touch.