1.1. According to its Preamble, the Protection of Personal Information Act, 4 of 2013 (“POPIA”) intends to achieve the following:
To promote the protection of personal information processed by public and private bodies; to introduce certain conditions so as to establish minimum requirements for the processing of personal information; to provide for the establishment of an Information Regulator to exercise certain powers and to perform certain duties and functions in terms of this Act and the Promotion of Access to Information Act, 2000; to provide for the issuing of codes of conduct; to provide for the rights of persons regarding unsolicited electronic communications and automated decision making; to regulate the flow of personal information across the borders of the Republic; and to provide for matters connected therewith.
1.2. POPIA therefore focuses on managing the interests of us as individuals alongside those of society.
1.3. In this manual we set out the framework according to which we comply with the requirements of POPIA.
1.4. For purposes of clarity, the term “processing”, in the context of personal information, includes any activity in which the information is worked with, from the time that the information is collected, up to the time that the information is destroyed, regardless of whether the information is worked with manually, or by automated systems.
2.1. Our Information Officer is Fiona Eleanor Williamson who is our Chief Executive Officer/Managing Director or someone in a senior management position nominated and authorised by our Chief Executive Officer/Managing Director in writing. Such authorisation will be made on the required form. Our Information Officer’s responsibilities include:
2.1.1. Ensuring compliance with POPIA.
2.1.2. Dealing with requests which we receive in terms of POPIA.
2.1.3. Working with the Information Regulator in relation to investigations.
2.2. Our Information Officer must designate in writing as many Deputy Information Officers as are necessary to perform the tasks mentioned in clause 2.1 above. Such designation will be done by the completion of the prescribed form.
2.3. Our Information Officer and our Deputy Information Officers must register themselves with the Information Regulator prior to taking up their duties.
2.4. In carrying out their duties, our Information Officer must ensure that:
2.4.1. this Compliance Manual is implemented;
2.4.2. a Personal Information Impact Assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
2.4.3. this Compliance Manual is developed, monitored, maintained and made available;
2.4.4. internal measures are developed together with adequate systems to process requests for information or access to information;
2.4.5. internal awareness sessions are conducted regarding the provisions of POPIA, the Regulations, codes of conduct or information obtained from the Information Regulator; and
2.4.6. copies of this manual are provided to persons at their request, hard copies to be provided upon payment of a fee (to be determined by the Information Regulator).
2.5. Guidance notes on Information Officers have been published by the Information Regulator (on 1 April 2021) and our Information Officer and Deputy Information Officers are required to familiarize themselves with the content of these notes.
We are obliged to attend to the following aspects:
3.1. Comply with POPIA and, more specifically, to process personal information in a reasonable and lawful manner, which considers the privacy of our clients and to guard against infringing their privacy.
3.2. Process information only for the purpose for which it is intended, to enable us to do our work, as agreed with our clients.
3.3. Obtain consent to process personal information.
3.4. Confirm to our clients the purpose for which the relevant personal information is requested.
3.5. In circumstances where we process the personal information of our clients where consent has not been requested, we confirm we will only proceed by reason of:
3.5.1. Protecting a legitimate interest which needs protection; or
3.5.2. A legal obligation placed upon us.
In the following circumstances we will terminate the processing of personal information:
4.1. Upon the withdrawal of the necessary consent; or
4.2. When a legitimate objection is raised against processing.
The personal information will be collected directly from our client except where:
5.1. the information is of public record;
5.2. our client has consented to the collection of their personal information from another source;
5.3. obtaining consent for the collection of the information would prejudice the objective for collecting the information;
5.4. obtaining consent for the collection of the information is not reasonably practical within the facts and circumstances of the matter concerned;
5.5. the collection of the information from another source does not prejudice the client;
5.6. the collection of the information is necessary in accordance with South African law, legal obligations, order, or a matter concerning national security;
5.7. the collection of information is necessary for purposes of court or tribunal procedures, already commenced or reasonably foreseen to commence; or
5.8. the collection of the information is necessary to maintain our legitimate interests.
6.1. We are required to retain records of the personal information we have collected for the minimum period as required by law unless the client has furnished their consent or instructed us to retain the records for a longer period.
6.2. We will destroy the records of personal information, with due regard to protecting the identity of the client, as soon as reasonably possible after the time period for which we were entitled to hold the records has expired.
7.1. We will restrict the processing of personal information where:
7.1.1. the accuracy of the information is contested, for a period sufficient to enable us to verify the accuracy of the information;
7.1.2. the objective for which the personal information was collected has been achieved and where the personal information is being retained only for the purposes of proof;
7.1.3. our client requests that the personal information is not destroyed or deleted, but rather retained; or
7.1.4. our client requests that the personal information be transmitted to another automated data processing system.
7.2. Further processing of personal information will only take place where:
7.2.1. the requirements of clauses 2.3, 4.1, 4.6, or 4.7 have been met;
7.2.2. the further processing is necessary because of a threat to public health or public safety or to the life or health of the client, or a third person;
7.2.3. the information is used for historical, statistical or research purposes and the identity of our client will not be disclosed; or
7.2.4. it is required by the Information Regulator appointed in terms of POPIA.
8.1. We are required to ensure that the personal information which we collect and process is complete, accurate, not misleading and up to date.
8.2. We are furthermore required to retain the physical file and the electronic data related to the processing of the personal information.
8.3. We are furthermore required to take special care with our client’s bank account details, and we are not entitled to obtain or disclose or procure the disclosure of such banking details unless we have our client’s specific written consent.
8.4. Upon acceptance of a mandate by our clients, we are obliged to send an initial letter to our client in which we advise the client of our obligations towards them in accordance with POPIA.
9.1. In cases where your consent is required to process your personal information, you may withdraw your consent.
9.2. In cases where we process personal information without consent to protect a legitimate interest, to comply with the law or to pursue or protect our legitimate interests, you have the right to object to such processing.
9.3. You are entitled to lodge a complaint regarding our application of POPIA with the Information Regulator.
9.4. Upon our acceptance of a mandate, you are required to complete a consent to process your personal information while we do our work for you, unless this consent has been obtained within another document signed by yourself.
10.1. In order to secure the integrity and confidentiality of the personal information in our possession, and to protect it against loss or damage or unauthorized access, we must continue to implement the following security safeguards:
10.1.1. Our business premises where records are kept must remain protected by access control, burglar alarms and armed response.
10.1.2. Archived files must be stored behind locked doors and access control to these storage facilities must be implemented.
10.1.3. All the user terminals on our internal computer network and our servers must be protected by passwords which must be changed on a regular basis.
10.1.4. Our email infrastructure must comply with industry standard security safeguards, and meet the General Data Protection Regulation (GDPR), which is standard in the European Union.
10.1.5. Vulnerability assessments must be carried out on our digital infrastructure at least on an annual basis to identify weaknesses in our systems and to ensure we have adequate security in place.
10.1.6. We must use an internationally recognized Firewall to protect the data on our local servers, and we must run antivirus protection at least every hour to ensure our systems are kept updated with the latest patches. The security of this system must comply with the GDPR of the European Union.
10.1.7. Our staff must be trained to carry out their duties in compliance with POPIA, and this training must be ongoing.
10.1.8. It must be a term of the contract with every staff member that they must maintain full confidentiality in respect of all of our clients’ affairs, including our clients’ personal information.
10.1.9. Employment contracts for staff whose duty it is to process a client’s personal information, must include an obligation on the staff member to
10.1.9.1. maintain the Company’s security measures, and
10.1.9.2. notify their manager/supervisor immediately if there are reasonable grounds to believe that the personal information of a client has been accessed or acquired by any unauthorized person.
10.1.10. The processing of the personal information of our staff members must take place in accordance with the rules contained in the relevant labour legislation.
10.1.11. The digital work profiles and privileges of staff who have left our employment must be properly terminated.
10.1.12. The personal information of our clients and staff must be destroyed timeously in a manner so as to not identify the relevant person.
10.2. The security safeguards referred to in clause 9.1 of this manual must be verified on a regular basis to ensure effective implementation, and these safeguards must be continually updated in response to new risks or deficiencies.
11.1. Should it appear that the personal information of a client has been accessed or acquired by an unauthorized person, we must notify the Information Regulator and the relevant client(s), unless we are no longer able to identify the client(s). This notification must take place as soon as reasonably possible.
11.2. Such notification must be given to the Information Regulator first as it is possible that they, or another public body, might require the notification to the client(s) be delayed.
11.3. We are obliged to communicate with our client in such a way as to ensure that our client receives a notification in terms of this clause as follows:
11.3.1. by mail to the client’s last known physical or postal address;
11.3.2. by email to the client’s last known email address;
11.3.3. by publication on our website or in the news media; or
11.3.4. as directed by the Information Regulator.
11.4. The notification to our client must give sufficient information to enable the client to protect themselves against the potential consequences of the security breach, and must include:
11.4.1. a description of the possible consequences of the breach;
11.4.2. details of the measures that we intend to take or have taken to address the breach;
11.4.3. the recommendation of what the client could do to mitigate the adverse effects of the breach; and
11.4.4. if known, the identity of the person who may have accessed, or acquired the personal information.
12.1. On production of proof of identity, any person is entitled to request that we confirm, free of charge, whether or not we hold any personal information about that person in our records.
12.2. If we hold such personal information, then on request, made on the relevant forms available on our website, and upon payment of a fee as stipulated in the Government Gazette Notice No. 45057 (27 August 2021), we will:
12.2.1. provide the person with the record, or a description of the personal information, including information about the identity of all third parties or categories of third parties who have or have had access to the information; and
12.2.2. attend to the aspects referred to in clause 12.2.1 within a reasonable period of time, in a reasonable manner and in an understandable form.
12.3. A client requesting such personal information must be advised of their right to request to have any errors in the personal information corrected, which request will be made on the prescribed application form.
12.4. In certain circumstances, we will be obliged to refuse to disclose the record containing the personal information to the client. In other circumstances, we will have discretion as to whether or not to do so.
12.5. In all cases where the disclosure of a record will entail the disclosure of information that is additional to the personal information of the person requesting the record, the written consent of the Information Officer (or his delegate) will be required, and that person will make their decision having regard to the provisions of Chapter 4 of Part 3 of the Promotion of Access to Information Act.
12.6. If a request for personal information is made and part of the requested information may, or must be refused, every other part must still be disclosed.
13.1. A client is entitled to require us to correct or delete personal information that we have, which is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or which has been obtained unlawfully.
13.2. A client is also entitled to require us to destroy or delete records of personal information about the client that we are no longer authorized to retain.
13.3. Any such request must be made on the prescribed form.
13.4. Upon receipt of such a lawful request, we must comply as soon as reasonably practicable.
13.5. In the event that a dispute arises regarding the client’s rights to have information corrected, and in the event that the client so requires, we must attach to the information, in a way that it will always be read with the information, an indication that the correction of the information has been requested but has not been made.
13.6. We must notify the client who has made a request for their personal information to be corrected or deleted what action we have taken as a result of such a request.
14.1. Special rules apply to the collection and use of information relating to a person’s religious or philosophical beliefs, their race or ethnic origin, their trade union membership, their political persuasion, their health or sex life, their biometric information, or their criminal behaviour.
14.2. We will not process any of this Special Personal Information without our client’s consent, or where this is necessary for the establishment, exercise or defense of a right or an obligation in law.
14.3. Having regard to the nature of our work, it is unlikely that we will ever have to process special personal information, but should it be necessary the guidance of the Information Officer, or their deputy/delegate, must be sought.
We may only process the personal information of a child if we have the consent of the child’s parent or legal guardian.
16.1. In the following circumstances, we will require prior authorization from the Information Regulator before processing any personal information:
16.1.1. In the event that we intend to utilize any unique identifiers of clients (account numbers, file numbers or other numbers or codes allocated to clients for the purposes of identifying them in our business) for any purpose other than the original intention, or to link the information with information held by others;
16.1.2. if we are processing information on criminal behaviour or unlawful or objectionable conduct;
16.1.3. if we are processing information for the purposes of credit reporting (this will be important if we are making reports to assist with tenant profiling, for example, to TPN or ITC); or
16.1.4. if we are transferring special personal information or the personal information of children to a third party in a foreign country, that does not provide adequate protection of that personal information.
16.2. The Information Regulator must be notified of our intention to process any personal information as set out in clause 16.1 above prior to any processing taking place and we may not commence with such processing until the Information Regulator has decided in our favour. The Information Regulator has 4 (Four) weeks to make a decision but may decide that a more detailed investigation is required. In this event the decision must be made in a period as indicated by the Information Regulator, which must not exceed 13 (Thirteen) weeks. If the Information Regulator does not make a decision within the stipulated time periods, we can assume that the decision is in our favour and commence processing the information.
17.1. We may only carry out direct marketing (using any form of electronic communication) to our clients under the following circumstances:
17.1.1. they were given an opportunity to object to receiving direct marketing material by electronic communication at the time that their personal information was collected; and
17.1.2. they did not object then or at any time after receiving any such direct marketing communications from us.
17.2. We may only approach clients using their personal information, if we have obtained their personal information in the context of providing services associated with our estate agency business to them, and we may then only market estate agency services to them.
17.3. We may only carry out direct marketing (using any form of electronic communication) to other people if we have received their consent to do so.
17.4. We may approach a person to ask for their consent to receive direct marketing material only once, and we may not do so if they have previously refused their consent.
17.5. A request for consent to receive direct marketing must be made in the prescribed manner and form.
17.6. All direct marketing communications must disclose our identity and contain an address or other contact details to which the client may send a request that the communications cease.
18.1. We may not transfer a client’s personal information to a third party in a foreign country, unless:
18.1.1. our client consents to this, or requests it;
18.1.2. such third party is subject to a law, binding corporate rules or a binding agreement which protects the personal information in a manner similar to POPIA, and such third party is governed by similar rules which prohibit the onward transfer of the personal information to a third party in another country;
18.1.3. the transfer of the personal information is required for the performance of the contract between ourselves and the client;
18.1.4. the transfer is necessary for the conclusion or performance of a contract for the benefit of the client entered into between ourselves and the third party; or
18.1.5. the transfer of the personal information is for the benefit of the client and it is not reasonably possible to obtain their consent and that if it were possible the client would be likely to give such consent.
19.1. POPIA provides for serious penalties for the contravention of its terms.
19.2. For minor offences a guilty party can receive a fine or be imprisoned for up to 12 (Twelve) months.
19.3. For serious offences the period of imprisonment rises to a maximum of 10 (Ten) years. Administrative fines for the company can reach a maximum of R10 million (Ten million Rand).
19.4. Breaches of this Compliance Manual will also be viewed as a serious disciplinary offence.
19.5. It is therefore imperative that we comply strictly with the terms of this Compliance Manual and protect our clients’ personal information in the same way as if it were our own.