A Paddocks Sectional Title Lifestyle Blog
By Auren Freitas dos Santos
By now it is understood by most stakeholders in the community schemes industry that the Protection of Personal Information Act (more commonly known as the “POPI Act”) came into full operation a year ago on 1 July 2021 and that all bodies corporate are obliged to comply with the 8 conditions for lawful processing of personal information set out in this Act.
What is far less understood is how to correctly apply this important piece of legislation in practice. We have seen a growing trend among managing agents and trustees alike to interpret the POPI Act as being a stone wall behind which they can hide from legitimate requests for access to information by members of their body corporate.
Here is a typical example of such a scenario:
The reality is that this is not a fictional scenario but one that happens almost everyday in practice. The aim of this article is to provide some practical steps to trustees, managing agents and members on how to correctly interpret and apply the provisions of the POPI Act.
The first step is to understand that the POPI Act cannot be read in isolation. The POPI Act is but one piece of a much larger puzzle. The most important pieces of this puzzle, in the context of a sectional title scheme, are the POPI Act, the Promotion of Access to Information Act (or “the PAIA”), the Sectional Titles Schemes Management Act (or “the STSM Act”) and management rules prescribed thereunder (“the PMR”).
The PAIA was enacted on 9 March 2001 and amongst other things, aims to give effect to the constitutional right of access to any information held by private bodies that is required for the exercise or protection of any rights. In terms of the PAIA, a requester must be given access to any record held by a private body if that record is required for the exercise or protection of any rights, unless such request would involve the unreasonable disclosure of personal information about a third party.
The PMRs enacted on 7 October 2016 require a body corporate to prepare and maintain a long list of financial and administrative records, such as individual accounts for each member, written contracts to which the body corporate is a party, legal opinions obtained by the body corporate and detailed lists of trustees, members and tenants with their full names and contact details. In terms of the PMRs, upon receiving a written request from a member, the body corporate must make copies of such records and documents available within 10 days.
It is clear that reading the POPI Act (which only took full effect on 1 July 2021) without having due regard to the PAIA and the PMRs which came before it, would unreasonably undermine the principles underpinned by these pieces of legislation and would unduly prejudice the constitutional rights of members protected in terms of thereof.
The second step is for trustees and managing agents to understand how to correctly deal with a request for access to information made by a member. Instead of simply refusing to grant the member access to information based on the POPI Act, the trustees and managing agent are required to assess the legitimacy of the request in order to determine what rights the member seeks to exercise or protect. This is based on section 11(1)(f) of the POPI Act, which states that personal information may be processed if it is deemed necessary for pursuing the legitimate interest of a third party to whom the information is supplied.
As part of this process, the trustees or managing agent should ask the requestor clearly to identify the right the requester is seeking to exercise or protect and provide an explanation of why the requested record is required for the exercise or protection of that right.
In the scenario provided above, it is clear what rights Mr Good seeks to exercise and there are no reasonable grounds for the body corporate to deny him access to the information requested. To do so would unreasonably infringe on his constitutional right of access to information.
However, if Mr Good were to request the contact details of all of the members of the body corporate for purposes of marketing his estate agency business it is clear that this would not constitute a legitimate request and the body corporate would have legal grounds to deny such a request on the basis that this would constitute unreasonable disclosure of personal information.
Should the body corporate determine that the request is legitimate, the final step is to ensure that the records are disclosed in a manner to protect the integrity and confidentiality of any personal information. For example, the body corporate could require Mr Good to indemnify the body corporate in writing against any unauthorised use of the information and they could require him to delete the information once he has used it for its intended purpose and to provide proof of such to the body corporate.
It is clear that trustees and managing agents need to read the POPI Act in conjunction with the PAIA and the PMRs in order to strike a reasonable balance between the body corporate’s obligation to protect personal information under its control and the rights of members to access such information. An outright refusal to grant a member access to the records held by the body corporate based on a legitimate request would be unreasonable and unlawful and a member adversely affected by such a refusal is entitled to approach the Community Schemes Ombud for relief.
Specialist Community Scheme Attorney (LLB, LLM), Auren Freitas dos Santos, is the Director of The Advisory, a boutique consultancy specialising exclusively in community schemes law.