Question NW836 to the Minister of Human Settlements

Reply:

1. The purpose of the Protection of Personal Information Act (POPI) Act, is to protect data subjects (internal and external stakeholders of the Community Schemes Ombud Service) from security breaches such as unauthorised dissemination of personal information belonging to or relating to data subjects, amongst others. The POPI Act achieves this goal by outlining 8 principles which data processors, such as the Community Schemes Ombud Service and scheme executives, must adhere to when collecting, processing, storing and deleting personal information belonging to internal and external stakeholders. Like most entities, the POPI Act has changed the manner in which the Community Schemes Ombud Service and scheme executives engage with personal information. Some of the legal and material impacts introduced by the POPI Act and experienced by the Community Schemes Ombud Service include:

(a) At an operational level, amending the agreements concluded with third party service providers and ensuring that they are bound by the responsibilities and principles of the POPI Act when processing information given for purposes of delivering or providing services to the Community Schemes Ombud Service. All entities regulated by the POPI Act are required to have similar provisions which give effect to the POPI principle in their contracts with third parties such as managing agents.

(b) The development and implementation of the entity’s POPI Compliance Framework which consists of the POPI Policy, Manual, Breach Incident Policy, Flow Charts and Risk Register. In addition, the Community Schemes Ombud Service procured the services of an expert service provider to facilitate training sessions for all business units and staff of the Community Schemes Ombud Service on the compliance requirements.

(c) Adoption of data protection standards aimed at ensuring that personal information is collected, processed, and stored lawfully.

(d) In relation to all community schemes, the 8 principles governing the collection, storing, and processing of personal information belonging to members of a community scheme are also applicable. Community Schemes should only collect personal information necessary for the purpose for collection and further put in place measures which protect such personal information belonging to members and their visitors from unauthorised disclosure or theft. Failure to do so will result in the imposition of fines or other enforcement steps taken by the Information Regulator. Accordingly, all entities need to invest in the resources they have identified to ensure that the principles of the POPI Act are upheld.

(2) Since the implementation of the Community Schemes Ombud Service POPI Act Compliance Framework the entity has not experienced any queries or challenges relating to the POPI Act necessitating the sourcing of external legal advice in the form of formal legal opinions from external attorneys. All queries have been from internal business units and legal guidance and support has been provided by the Community Schemes Ombud Service Legal Section.

(3) During 2021, the Community Schemes Ombud Service provided training to all business units, including its adjudicators, on the 8 principles of the POPI Act and its impact on the relevant business unit. Continuous refresher training is also being offered by the Community Schemes Ombud Service Legal Team together with the POPI Act expert service provider as and when requested by the business unit.

(a) & (b) The POPI Act has not changed the type or nature of information which scheme executives, managing agents or body corporates can obtain from their members. The POPI Act has changed the manner, in other words how scheme executives go about in collecting, storing and processing their personal information and as already mentioned above, all community schemes need to do so in accordance with the principles set out in POPI Act.