When running or living on a lifestyle / residential estate, have you considered the amount of personal information required to enable the estate to operate effectively? There are residents, guests, employees, and contractors and living, working, coming and going. Have you considered the amount of personal information collected in this process? What happens to this information? Who has access to it? Is it stored securely? How long is it retained? Has it been backed-up and secured?
The Protection of Personal Information Act (‘POPIA’) will soon become effective, and with that, will require compliance with its rules and regulations by any person or business that processes personal information. Unlike prior legislation which has been industry specific, POPIA will (in one way or another) affect every business, regardless of type or industry.
Specifically in relation to an estate, the types of personal information held is typically related to three main areas: residents, employees (and contractors) and security activities.
As a responsible party in terms of POPIA, the estate must understand and disclose through adequate notice to its residents, employees, contractors and visitors, the exact ambit of the information that is being collected and the specific purpose for the collection of the information. As a responsible party, the estate must guard against collecting information which is not necessary or not for any of the purposes which have been disclosed to the data subject. In addition, an estate must ensure that the information held by it is accurate and up to date, and that the data subjects are able to access the information held about them.
In reality few responsible parties have policies or procedures in place to adequately protect and process that information in a manner that will be in line with POPIA. The best way to attain compliance is to have a clear understanding of where the personal information resides within the estate, how it is managed and who is responsible for the information. Once that understanding has been reached, a policy relating to personal information should be prepared and all further decisions relating to personal information must be made with reference to that policy. This policy must enable both the estate and the data subjects to understand their rights to their data and privacy in a simplified and clear manner which is in line with the requirements of POPIA.
In summary, POPIA will have a great effect on all estates, even if the estate only handles a small amount of personal information. What every estate has at its core is a database of sensitive personal information, which it processes in order to run effectively. Every estate must thus fulfil its role as a responsible party in terms of POPIA, and every estate must at the very least ensure that it is compliant with the requirements of POPIA.