The Protection of Personal Information Act 4 of 2013 (“the Act”) lists all information deemed “personal information” and states that “personal information” refers to a wide array of data belonging to a natural or juristic person, including but not limited to:
- Identity and/or passport number;
- Date of birth and age;
- Phone number/s (including cellular phone number);
- Email address/es;
- Physical address;
- Postal address;
- Age, Gender, Race and Ethnicity;
- Photos, voice recordings, video footage (also CCTV), biometric data;
- Marital/Relationship status and Family relations;
- Criminal record;
- Private correspondence;
- Religious or philosophical beliefs including personal and political opinions;
- Employment history and salary information;
- Financial information;
- Education information;
- Medical history, including blood type; and
- Membership to organisations/unions.
The scope of the Act seems narrowed by the definition of personal information; this is, however, not the case. One must remember that the types of personal information listed in the Act, as set out above, do not form a closed list of personal information to which the Act will apply. Information not listed in section 1 may still be deemed personal information.
The Act goes on to define the processing of personal information. The definition as provided for in the Act is very wide and refers to all instances where personal information is handled.
Processing of information broadly refers to any handling of personal information, including collection, usage, storage, spreading, alteration or destruction. The processing of information also includes the processing of electronic information or, in the case of estates and body corporates, the processing of personal data of visitors driving in, residents, owners and tenants alike.
It is common cause that security guards as well as driver’s licence scanners collect a significant amount of personal information. It is said that the scanners retrieve information such as the photograph, full names, identity number, driving restrictions, gender as well as citizenship status of the individual driving into the estate.
The contentious issues here are:
- Whether the estates are guilty of collecting more information than is necessary;
- Whether the information is stored securely and retained for longer than is necessary; and
- Finally, whether the information is destroyed in a manner that can no longer identify the owner thereof.
Estates and complexes alike have until 30 June 2021 to get their compliance into order.
In order to become compliant, the following steps must be taken:
- Appointment of an Information Officer;
- A POPI Policy in line with how personal information is collected in the specific estate or complex must be developed to detail how and what personal information will be processed;
- Awareness among the employees tasked with processing personal information, in the form of training on how to process personal information in line with the requirements of POPI.
It is advisable that estate and complex managers look into the security safeguards for the personal information processed by operators and conclude the necessary data privacy agreements with the relevant security companies. Should they fail to safeguard personal information collected on the premises, home associations and body corporates may find themselves liable for any security breaches which may occur.