POPI Act
The key things for body corporate trustees to know
This guide answers frequently asked questions (FAQ) about the legal issues that arise when you use Online Network Systems' products to process personal information. If you represent a body that runs a property (for example, the trustees of a body corporate), this guide is written for you.
Securing your property while lawfully processing the personal information involved is important for you: you carry a real risk of being held liable if you fail to secure the property or fail to process personal information lawfully. Using our products reduces that risk. We are invested in helping you achieve good security while lawfully processing the personal information involved. At Online Network Systems we do not discriminate against anyone or infringe anyone's constitutional rights.
Key points and possible actions
1. You may lawfully verify visitors’ IDs by scanning their driver’s licences.
2. We care about helping you provide security and protect personal information.
3. We are your operator under POPIA and process personal information for you.
4. It is impossible to always protect all personal information, but we try.
5. You benefit from using our products by managing many different risks.
What is POPIA?
It is the Protection of Personal Information Act, No 4 of 2013, passed by the South African parliament. It sets the conditions you must meet to lawfully process the personal information of natural and juristic persons. POPIA commenced on 1 July 2020 with a one-year grace period, which means everyone has until 30 June 2021 to become compliant with POPIA or risk serious consequences.
Why did POPIA come into existence?
POPIA protects people (like you and me) from harm, both physical and financial (like loss of money), by requiring those who process personal information to protect it. The Act gives effect to our constitutional right to privacy, and for this reason alone POPIA is important. Protecting personal information is needed now more than ever: with the rise of computing power and devices like tablets and smart watches, personal information is at greater risk than ever before. POPIA also makes it easier for personal information to be transferred to South Africa from countries with comparable laws, which benefits the country economically.
Does POPIA apply to everybody?
POPIA applies to everybody who processes personal information. It applies to all public bodies (like Home Affairs and SARS) and private bodies (like financial institutions, healthcare providers, and direct marketers) that process personal information. POPIA defines "processing" extremely broadly. In terms of POPIA, processing means any operation or activity (automated or not) concerning personal information, including its collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use, dissemination (by transmission, distribution or making it available in any other form), merging, linking, restriction, degradation, erasure or destruction. We strive to comply with POPIA in all our operations.
Does POPIA require you to have accurate data?
Yes. As the responsible party, you must take reasonably practicable steps to ensure that the personal information in your possession is accurate and complete. As your operator, we help you achieve this by collecting information accurately at the point of entry: our IdentiScan products read the details directly from the visitor's document rather than relying on handwriting. The time for manual visitor record books, which are an ineffective means of management because the information in them is largely inaccurate and illegible, is over.
Who is the responsible party?
The responsible party is the person or body that, alone or in conjunction with others, determines the purpose of (why) and the means for (how) processing personal information. When you use our products you make those decisions, so you are the responsible party. If we process personal information on your behalf, we are your operator (a third party acting on your mandate) and you remain the responsible party.
Who is exempt from complying with POPIA?
Very few, but some are. For example, the South African Police Service (SAPS) when it processes personal information to prevent, detect or investigate crime, the Cabinet, and journalists who process personal information for journalistic purposes. Some kinds of processing are also exempt, for example processing in the course of a purely personal or household activity.
Do you have to comply with POPIA?
Yes, you must comply with POPIA (and the consequences for non-compliance are severe), but you will also want to do it efficiently and get business value out of the effort. Our products have built-in security for personal information and can help you achieve that efficiency and business value. You must comply with the conditions of POPIA and protect the personal information that you collect. If the Information Regulator suspects that we are not complying with POPIA, it may investigate and will notify us.
What are the consequences for not complying?
There are significant consequences for non-compliance. You could:
- suffer reputational damage,
- lose customers (homeowners, tenants) and fail to attract new ones,
- pay out millions in damages in a civil class action,
- be fined up to R10 million, or imprisoned for up to 10 years, or both, for committing an offence.
Who regulates POPIA?
The Information Regulator regulates POPIA (www.informationregulator.co.za). Parliament has gone to great lengths to give the Regulator teeth. The Information Regulator can require an organisation to produce a record so that it can investigate a complaint (section 81 of POPIA). We must be able to comply with such a request, which means we must be able to find and produce the records we hold on your behalf.
What is personal information?
It includes information such as the ID number, race, gender, age or marital status of a natural person. It also includes information relating to the education, medical, financial, criminal or employment history of that person, and contact details like an email address, telephone number or location information. In short, it is any information relating to an identifiable, living, natural person: information that identifies a human being, or that can be combined with other information to do so. In some circumstances it also includes information that identifies an existing juristic person like a company, close corporation or trust.
What information does IdentiScan process about visitors?
IdentiScan processes various personal information about visitors, including:
- their name and ID number,
- information that appears on a driver’s licence (including sex and age)
- details about their vehicles, including vehicle registration number,
- their access to a property (location information).
Do we process account numbers or credit card holder information?
No, we do not process the account numbers or card details of your data subjects. This is a good thing because it means that you are not exposed to the significant risks associated with processing that kind of personal information, and we do not need to comply with PCI DSS. We may, however, process your bank account number when we receive payment from you. We take protecting your bank account number seriously.
Who is the operator?
The operator is a third party contracted to process personal information on behalf of the responsible party. POPIA entitles a responsible party to outsource the processing of personal information to an "operator" (as defined in the Act), provided the operator signs an agreement undertaking to protect the personal information in line with the principles of POPIA. If we process personal information for somebody else and do not determine the purpose and means of that processing, we are their operator. An operator may only process personal information with the authorisation of the responsible party, and must treat all personal information it comes to know as confidential unless the law requires disclosure. Anyone who has access to personal information that the responsible party collects, processes and stores is an operator in this sense: even if the operator has no use of its own for the information, the fact that it has access means it must apply the principles of POPIA to that information in order to safeguard the privacy of the data subjects to whom it relates.
Who is responsible for protecting the personal information that we process?
You, the user of our products, are the responsible party, because you decide why (to control access and secure the property) and how (by monitoring or identifying visitors) the personal information will be processed. As the responsible party, you must ensure that the personal information is processed lawfully.
What role does Online Network Systems play?
We process personal information for you as your operator. POPIA requires us to secure the personal information we process for you and to process it only with your authorisation. We comply with both of these obligations and apply the principles of POPIA to all of our operations.
Is it lawful for you to scan visitors’ IDs to verify their identity using IdentiScan?
Yes. There are conditions that you must comply with to do it lawfully. But it is in your legitimate interests to control access and secure the property. You must take reasonable and practicable steps to:
- disclose to the visitors why you process their personal information
- ensure that their personal information is not used for other purposes
- ensure that visitor information is accurate and of good quality
- be open and transparent about your processing
- secure the integrity and confidentiality of it
- allow visitors to access their information, correct it, and delete it.
IdentiScan helps you meet these conditions in several ways. One is accountability: the guard operating the IdentiScan scanner must first identify themselves with their personal PIN before they can collect any data, so every access record is tied to the specific guard who created it and the management of the scanner itself is accountable. No longer can a staff member say "It wasn't me who let the visitor in".
Can IdentiScan help you to comply with POPIA?
Yes. Using IdentiScan is a reasonable and practicable measure that you should take to protect visitor information. Other options, such as a written visitor book, do not provide the same level of security or accuracy: anyone can copy or photograph a visitors' book, and the entries in it are often incomplete or illegible. IdentiScan helps ensure that visitors' personal information is not used for other purposes (for example, a guard selling it to an identity thief) and that visitor information is accurate and of good quality.
Do you need to get consent from the person entering the property, or the visitor?
Not always. Consent is one of the justifications POPIA recognises for processing personal information, but it is not the only one. As explained above, controlling access to and securing the property is in your legitimate interests, and POPIA allows processing that is necessary for such legitimate interests, or that another law requires the visitor to provide. Whichever justification you rely on, you must still tell visitors what you are collecting and why, and you may not use the information for any other purpose.
What should you do when a visitor refuses to provide their personal information on entering the property?
If a visitor refuses to give your employees the personal information required to enter the property, your employee is within their rights to refuse entry, on the basis that the information is required in the interests of the safety and security of the residents.
Should you put up a notice making visitors (and other people) aware of what you will do with their information?
Yes. You must take reasonable and practicable steps to ensure that they are aware of what you are doing with their personal information, as well as their right to access, correct and delete it. We can provide you with a written notice. The notice should be clearly visible from the place where the personal information is collected, so both the position of the notice and the size of its font matter.
Must we notify you or the Information Regulator if one of our products is lost or stolen or there is a data breach?
While such an event is very unlikely, if we have reasonable grounds to believe that one of our devices has been lost or stolen or that a data breach has occurred, we will inform you as a matter of urgency so that the consequences can be mitigated. The risk from a lost or stolen device is low because we do not store personal information on our devices, so no personal information would be accessible from the device itself. Where a data breach does occur, we will inform you as soon as we become aware of it, as POPIA requires of an operator. You then have the opportunity to formulate the notification that you, as the responsible party, must send to the Information Regulator and to the affected data subjects as soon as reasonably possible after discovering the breach.
Does IdentiScan infringe anyone’s rights?
No, POPIA allows the lawful processing of personal information. Our products help body corporates achieve something that is in a body corporate’s legitimate interest: securing a property. As long as you use our products for those legitimate interests and within the limits of the law, any limitations that our products may place on people’s rights will be legally justifiable.
Can the cloud help you to comply with POPIA?
Yes, it can. If many copies of personal information exist in many different places, it is exposed to a greater number of risks. If you consolidate your personal information in one central location in the cloud and control the security of, and access to, that location, you are protecting the personal information. The consolidation only helps if the access controls are actually in place, because a single central store is also a single target. We are cloud based and will always be so.
Does the law now require information security?
Yes, it does. POPIA places a legal obligation on you to secure the information we process. Our products have built-in security so we can help you fulfil those obligations. We make it a point to secure any information that we process because it makes business sense to do so. We can help you secure both the integrity and confidentiality of personal information by taking appropriate, reasonable technical (like using encryption) and organisational (like policies) measures to prevent loss and unlawful access (a hack).
What is appropriate and reasonable information security?
It depends. The question is what is appropriate and reasonable for us to do considering the type of personal information we process on your behalf. What is appropriate and reasonable for some may not be for others. But certain measures will be considered appropriate and reasonable for most people to take. Two of them are to use encryption to secure personal information and to keep personal information off the collecting devices themselves, in a controlled central environment, as far as possible. That is why the products we supply do not keep the information on them, and why we use encryption as much as possible.
Does Online Network Systems secure the personal information it processes?
Yes. Online Network Systems’ directors and employees:
- take appropriate and reasonable measures to secure the personal information;
- have a proven track record of protecting information; and
- are trusted by hundreds of users.
Does POPIA require certain clauses to be in the contract between you and us?
Yes, it does. POPIA requires a written contract between the responsible party and its operator under which the operator undertakes to secure the personal information and to process it only as authorised. Our contract contains these terms and helps you comply with your obligations under POPIA.
Does Online Network Systems use personal information for anything else?
No.
How long does Online Network Systems keep personal information for?
We keep records (on your behalf) for as long as you reasonably require them to guard your property, and for as long as the law may require us to keep them. Once neither applies, the records should no longer be retained.
What are useful links for more information?
- https://www.michalsons.com/
- www.informationregulator.co.za
About this guide
Copyright © 2002 – 2020. Michalsons. All rights reserved. Copyright subsists in this work under the Copyright Act 98 of 1978. Any unauthorised act infringes copyright. We trust you to respect our copyright.
Disclaimers
- The content is provided for the jurisdiction of South Africa and is not suitable for other jurisdictions.
- We give no warranty about it, and none may be implied. We are not responsible for any mistake in the information or any direct or indirect loss that may follow from it.
- The guidance has been prepared by Michalsons and is based on their interpretation of the principles of South African law at the time of publication. The law may change due to future legislative enactments and court decisions.
- It is a summary or opinion on general principles of law and is published for general guidance purposes only. The content does not constitute specific legal, tax, investment, accountancy or other professional advice.
- Seek individual advice from a suitably qualified professional adviser before dealing with any specific situation.