WeconnectU and POPIA compliance
The Protection of Personal Information Act, or POPIA as it is more commonly referred to, has been well documented and discussed for quite some time now. The reality is that as of 1 July 2021, any business or legal entity that is not compliant with the POPI Act is risking prosecution and a high fine. The pressure is now on Sectional Title trustees; Homeowners’ Association directors; landlords and service providers like Managing and Rental Agents; other industry-related third parties like security companies; and operators like WeconnectU to ensure that they fully comply with the regulations as set out by the POPIA.
What are the main responsibilities of these parties? They need to ensure that the gathering, processing, storing and use of personal information is done correctly, as well as upgrade their procedures and systems to ensure that personal information is appropriately protected. In a nutshell, businesses and legal entities need to position themselves to be able to say: “We did everything that could have been reasonably expected of us to comply with our legislated obligations.”
Because of our services and particular role, WeconnectU is not directly involved in (or responsible for) our clients’ POPIA compliance. However, the software and technology we offer can greatly benefit our clients in their efforts to ensure POPIA compliance. In this article, we will focus on WeconnectU’s role under POPIA and how it relates to our clients – Managing and Rental Agents.
Managing Agents’ and Rental Agents’ responsibilities under POPIA
Managing and Rental Agents are responsible for POPIA compliance within their own businesses, but they also have a responsibility to help trustees, directors and landlords become POPIA compliant.
Whilst the WeconnectU systems may be a central component of an agent’s POPIA compliance strategy, they are merely tools in the processing of personal information. Use thereof does not negate the agent’s own responsibility to get all the required POPIA policies in place.
To do that, agents have four key responsibilities:
- Appoint an Information Officer to oversee compliance within their business and assist their clients to do the same.
- Assess and evaluate all relationships with third parties entered into by their business and/or clients to ensure that each contract contains a clause confirming all participants’ undertaking to comply with the provisions of POPIA. If these contracts do not have this provision, they need to be reviewed, updated and documented.
- Develop their own POPIA compliance policy or framework, which must include procedures for implementing the requirements of POPIA. This must be made available to all clients, unit owners and residents. Clients should receive assistance in doing the same.
- Implement the POPIA policies and ensure staff are trained to maintain compliance at all times, minimizing risk.
For more information on POPIA compliance, we recommend that Managing Agents watch Part 1 and 2 of the “Get your (Act) together” webinars featured at the REIMAG Property Management Masterclass hosted in February, and view some of the other resources made available by our strategic partners.
WeconnectU’s role in POPIA compliance
What is WeconnectU’s role in your data protection process? Obviously, WeconnectU will be responsible for ensuring our own POPIA compliance as listed in the 4 points above, but let’s define some roles set out by POPIA relating to WeconnectU’s software services.
Commercially, WeconnectU is a provider of property management software to property management agents or rental agents. Under the definition of POPIA, the Managing or Rental Agent will be the Responsible Party, as they determine the purpose for, and means by which, personal information will be collected from the data subject (a trustee, director, owner/landlord or tenant). WeconnectU is responsible for processing personal information received as part of its property management software service in compliance with the POPIA. As such, we act as an Operator for the Responsible Party.
WeconnectU is a primary Responsible Party when we are processing the personal information of our own staff, contractors and other stakeholders, and we will meet all processing requirements in respect of such information.
For a better understanding of the roles described, see the image below.
For the Responsible Party, as indicated above, POPIA requires that policies are in place to address the following processes:
- Collecting of personal information
- Utilisation of personal information
- Storing/retention of personal information
- Sharing of personal information
POPIA does not prescribe the minimum technical requirements, only that businesses have policies and procedures in place to protect the information they hold and that they implement a system of accountability.
5 Key take-aways regarding WeconnectU’s POPIA compliance
1. WeconnectU’s POPIA Policy
WeconnectU has already done an enormous amount of work to ensure that our own internal policies and procedures relating to POPIA are in place. WeconnectU has appointed an Information Officer and our POPIA Policy is already available.
a) Information Officer
The Information Officer appointed to WeconnectU is Johann van der Merwe. He may be contacted at firstname.lastname@example.org.
b) WeconnectU POPIA Policy
You can access the WeconnectU POPIA Policy here.
In the coming weeks WeconnectU will also:
- Add an addendum to the Subscriber Service Level Agreement relating to POPIA
- Conduct intense staff training relating to POPIA procedures and implementation thereof
- Implement our Processing of Personal Information Policy
2. Collection of Personal Information
When WeconnectU receives personal information through any of our service systems, we act as the Operator of the information on behalf of the responsible Managing or Rental Agent. We receive the majority of information via direct electronic submission into our data management system, but in some isolated cases, a Managing or Rental Agent may email a document to WeconnectU.
All personal information WeconnectU receives is directly uploaded into our online service platforms, which are access-controlled and username/password protected.
WeconnectU receives ID numbers of owners and tenants from representatives of Managing and Rental Agents as part of the profile information loaded onto our service platform.
3. Utilisation of Personal Information
In practical terms, it is the responsibility of the trustees, directors and landlords to inform owners and tenants that their personal information is being shared with a third party (the Managing/Rental Agent). They require permission, preferably in writing, and must make it clear that this information is needed for effective management of, and communication within, a scheme or rental business.
The only reason personal information is shared is to assist with the effective management of a scheme, HOA or rental business, i.e. for correspondence and communications like levy statements, rent rolls, meeting notices, arrears notices and monthly reports. With the WeconnectU software, all communication takes place from within the system – a secure and encrypted environment, with the personal information used to communicate relevant information for a specific purpose.
4. Storing and retention of information
A big concern for data subjects (owners and tenants) is the secure storage of their personal information. POPIA requires a Responsible Party to do everything possible to ensure that data is kept secure, whether that’s locked up in physical files, stored on PCs or online.
Managing and Rental Agents storing their clients’ data in the WeconnectU software system can rest assured that it is hosted in the most secure and reliable hosting environment available. All electronic data, including personal information for which WeconnectU acts as Responsible Party or Operator, is stored in its original form in a secure, cloud-based environment.
Access to the system is only available through encrypted and password-protected logins. Our servers are hosted with the AWS Data Centre in Dublin, Ireland, requiring WeconnectU to comply with the European GDPR (General Data Protection Regulation) as well as POPIA.
5. WeconnectU’s strategic partnerships relating to POPIA
WeconnectU offers clients the most advanced end-to-end property management software solutions, and we make it a priority to surround ourselves with strategic partners that can enhance our service and value offering to our clients. With POPIA compliance as a key concern, we have taken this exact same approach. We’ve partnered with some industry-leading service providers to help us become compliant with the POPIA regulations, implementing a comprehensive Risk Management Compliance Plan. Our strategic partners are:
- Etude Risk Management
- Amazon Web Services