Answers to Estate Agent questions related to specific aspects of POPIA - Narrative
Hello again to our Estate Agent clients. I’m Linda Reid, head of Data at Lightstone. The date that POPIA becomes fully enforceable is just around the corner. So it’s no surprise that we’ve been getting lots of questions from you asking for input and some guidance.
And so, for today’s podcast we thought we’d try to answer your most pressing questions. But before we get started, I just want to remind you that much of what we’ll cover today has been dealt with in greater detail in our past podcasts. If you haven’t already listened to them, please do, as these will definitely help to clarify some things for you.
We have two broad themes of questions – those related to specific aspects of POPIA, and those related to the services that Lightstone provides that contain Personal Information. This podcast relates to the first set.
Let’s get started. And to help me, once again, is Esteani Marx, Head of Real Estate Agents at Lightstone.
Hello everyone.
The most common question we get asked is, "If we purchase information from POPIA-compliant providers, are we completely safe?" The short answer is no. No company can ‘sanitise’ personal information and make it so that everyone else can use it however they want.
I agree. It’s really important to note that every party that processes personal information needs to adhere to POPIA in their own right. If you purchased information from a supplier who is POPIA-compliant, that’s a great start. However, in receiving that data you become the Responsible Party, and need to adhere to the 8 Conditions for Lawful processing. We’ve covered these in detail in Podcasts 3 and 4, but one of the important things to highlight here is that you need to have lawful grounds to receive that information. This means you need to have consent, or a contract, or satisfy the legitimate interest requirements, or one of the other 3 conditions, if you want to purchase that information.
If we obtained someone’s consent to contact them before POPIA’s effective date, does it apply after POPIA is in effect?
This depends on whether that person is or was a customer of yours already. If that person is or was a customer of yours, then you can continue to contact them to offer services that are similar in nature to whatever made them a customer of yours initially.
So you don’t even need specific opt-in consent, is that right?
Yes, but you do need to allow for them to opt out when you communicate with them. It’s not clear from POPIA what the definition of a customer is, so each agency will need to decide for themselves.
And what happens if that person was NOT a customer but gave you consent to direct market to them?
Then that permission does apply after POPIA is in effect, as long as the consent follows the requirements outlined in POPIA. So it must contain the information broadly included in Form 4 in POPIA (there’s a copy on our website), and it must be voluntary, informed and specific.
And what happens if I only got verbal consent?
If you only got verbal consent, it’s best to get the consent again, in the way described above. This is because you bear the responsibility for proving you have consent if it is disputed, and if you don’t have a record then you don’t have a leg to stand on.
And what if we have an existing database of contact details for people? If we contact them after the POPIA kicks in, are we doing anything illegal?
I’m assuming this means a database of non-customers? In this case, whatever personal information you have, if you want to process it after 1 July – and the definition of Processing covers basically every type of handling – then you must do it within POPIA’s requirements.
But POPIA does say that you’re allowed to contact each person by electronic means ONCE without consent for the purposes of seeking consent, right?
Yes, that is true. This means that you are allowed to email, SMS, etc. each of those people on your database ONCE, but if they don’t respond or don’t consent, you may not contact them electronically again. It’s a once and once only opportunity.
And when you say electronically, does this include making human to human phone calls?
That is a bit uncertain. Electronic communication is the specific form of direct marketing that is covered in POPIA. And this definition doesn’t seem to cover making human to human phone calls.
So does that mean I can continue to phone people after POPIA is in effect?
Well that’s something you’ll need to draw your own interpretation of, with the help of your legal counsel.
Next question. What should we do about the people who get very upset when you contact them because they say POPIA makes contacting them illegal – especially people who were on our database from before POPIA came into effect?
Unfortunately, there’s quite a poor level of understanding generally about the new Act, and in fact also the CPA which governs some aspects of Direct Marketing. If you want to Direct Market, it’s best if you have all the facts on hand for when people complain, because now they have the right to report you to the regulator.
So if someone says to me: "You’re not allowed to contact me now!" I should answer that – ‘under POPIA I’m allowed to communicate electronically with you once to establish whether you would like to opt in?’
That’s correct. So if they say: "I told another agent to stop calling me!" You kindly respond that each party is permitted to electronically communicate with you once. Or if they accuse you of buying their contact details illegally, you simply tell them that you purchased these details legally before the POPIA grace period was over and have one permitted chance to make contact electronically. Always respond with facts and hopefully people will be reasonable in return.
Do we have to build a whole new process to make sure we’re capturing and storing consent correctly?
As the Responsible Party, if you’re relying on Consent as a legal grounds for processing someone’s Personal Information or PI, or contacting them for Direct Marketing, you need to be able to evidence that consent if you’re challenged on it.
Does POPIA prescribe how this needs to be done?
No, so you can take the light route and store all the signed consent documents somewhere safe, or you can build or buy something that makes it easier to manage this.
Surely the government can’t expect us to make all these changes to our businesses so suddenly?
Well, POPIA was activated last year on the first of July, and the Act built in a one year grace period to enable companies to make those changes. So in effect, companies have had a year to get on the right side of the law. As we know that grace period is coming to an end now on the 30th of June, and so the expectation is that companies have used this grace period appropriately and are ready to comply with the Act.
What actually happens if we do something wrong under POPIA? I’m sure we will make mistakes along the way. Are the consequences that bad?
There are two types of things that could potentially go wrong. Either you haven’t secured your Personal Information well enough and there’s a data breach of some sort – remember, one of the 8 Conditions of Lawful Processing is that you must keep the data secure. In this instance, you need to notify the Regulator and all affected Data Subjects that their data has been or could have been subjected to a breach. The Regulator may choose to investigate.
And what’s the other thing that could go wrong?
If you do something that contravenes any element of POPIA, in other words something that is non-compliant. The most likely way this would go is that the Data Subjects complain to the Regulator, and they choose to undergo an investigation.
What are the possible consequences of an investigation?
For both types of issues, the investigation could result in what’s called an Enforcement Notice. This is basically an instruction to stop doing something or to fix the way you’re doing it. If you disobey an Enforcement Notice, the penalty could be up to R10m in fines, or imprisonment of the Information Officer which is typically the head of the business, and the deputies. But more importantly, there will likely be a reputational impact too – you don’t want to be known as the agency that is breaking the law.
When you get consent from a person, does that mean you’re safe and can proceed to use that information?
Consent needs to be specific, informed and voluntary. The ‘specific’ part means that the consent is for a specific identified purpose – so ‘consent’ isn’t a catch-all, it’s particular to the purpose. If you want to contact them for direct marketing, you need consent for that. If you want to contact them to tell them about houses you think they might be interested in seeing – you need consent for that too. It is purpose specific.
What information is governed by POPIA? Does Personal Information just cover their name, ID number and contact details?
No, it’s much broader than that. POPIA provides a list of what can be considered personal. I recommend you read the relevant definition in the Act to see all that is outlined, but effectively it states that PI is ‘information relating to an identifiable, living, natural person and where it is applicable, an identifiable, existing juristic person (effectively a business), including but not limited to:’ and then it lists 8 categories of things that you should read in detail.
What happens if I buy a Property Report that doesn’t have any ‘person’ identifiers on it, like the name and ID number. Is this address still considered PI?
One of the important things is that the PI needs to ‘relate to’ an individual. So in this instance, our (Lightstone’s) interpretation is that the Address is not PI because in that context it relates to the property and not the person. But if the Property Report has the name or ID number of the homeowner on it, then having the Address on it is also Personal Information because the Address relates to the homeowner.
Here’s an interesting question from one of our Estate Agents: I’ve been telling people who I’ve called for canvassing, that POPI doesn’t apply to data that comes from the Deeds office because it’s public information, but my colleague says that isn’t true. Can you please clarify?
The Act applies to all private and public bodies. Although there are a few exclusions and differences in its application to public bodies and public data in some ways, anyone who is handling the data as a Responsible Party – in other words, has chosen what data to collect and what to do with it – needs to adhere to the 8 Conditions of Lawful Processing.
Lightstone has handled all the public and private source data that we process, according to POPIA’s requirements, and we’re happy to answer further questions regarding this. When Estate Agents choose to purchase Reports containing PI from us, those estate agents also need to adhere to the 8 Conditions for Lawful processing when handling that data, despite the fact that it came from a public source originally.
Whenever a POPIA question seems tricky, just flip it around to consider yourself as the data subject. For example, we are all compelled to have our personal information lodged at Home Affairs. Would you like that information to be used for any purpose that anybody decides they’d like to use it for? And without any privacy controls? I don’t think many people would. The data is available for legitimate reasons, but POPIA regulates how it may be handled and used (or processed).
Well, that’s all we have time for today. Thanks for the insightful questions, and to all our listeners – thank you for your questions. In the next podcast we’ll address the questions you have about Lightstone’s products in particular.
And please feel free to continue sending us your questions to the email address on our POPIA website page. Until next time, good bye from us.