Residential Estate Industry Journal 4 | Page 30

GOVERNANCE - POPI & ARABELLA

ARABELLA COUNTRY ESTATE HOA PROTECTION OF PERSONAL INFORMATION ACT (POPIA) PROJECT

ARABELLA COUNTRY ESTATE’S HOMEOWNERS’ ASSOCIATION (HOA) MANAGEMENT HAVE ALWAYS VIEWED THE PROTECTION OF THE PERSONAL INFORMATION OF RESIDENTS, VISITORS AND OTHER STAKEHOLDERS ON THE ESTATE AS AN IMPORTANT ISSUE.
In early 2016, the estate management initiated a project to implement measures to address their concerns and reinforce their strong commitment to good leadership, governance and compliance practices.
Overseen by Dirk Uys, estate manager, the Protection of Personal Information (POPI) Act compliance preparation project ran for close to 11 months and was managed by Michelle Wood, environmental officer at the estate. Valuable assistance was provided by John Cato and José Cardoso, consultants from IACT Africa, a specialist provider of POPI Act (POPIA) compliance tools and implementation support services.
The project was carried out on a part-time basis alongside the usual priorities of the estate, including the ISO14001 project for environmental management, which again demonstrated the estate’s commitment to good governance and compliance.
The success of the POPIA project was largely due to the strong sponsorship and commitment displayed by Dirk and Michelle, and the result is that Arabella HOA’s residents, visitors and other stakeholders can now feel confident that their personal information is protected and processed in a confidential and responsible manner. Even though IACT Africa have successfully completed similar projects with multiple clients across three other provinces in South Africa, across multiple industries, Arabella is the only estate to have completed a POPI Act compliance project and is thus the only estate that has been issued with a POPIA compliance certificate.
Why was the project initiated?
The HOA at Arabella foresaw that it was necessary to prepare for compliance with the POPI Act sooner rather than later. From a compliance perspective, the costs that come with non-compliance with a statute are usually far higher than the costs of preparing for compliance with legislation.
The protecting and processing of personal information of homeowners, residents, staff, visitors, business associates and suppliers in line with the POPI Act and international practices was equally important to the estate and its management. It gave stakeholders confidence that their personal information was being protected in a lawful and responsible manner, and it would further cement Arabella’s reputation and image in the residential estate sector as one that was compliant and ahead of the curve.
Processes and touch points
A number of processes and touch points were followed, beginning with the identification of what personal information is stored and where it is processed in the estate, as well as within the business partner and supplier ecosystem. Those who have access to this information and their access rights were also identified. In general, the main groups of personal information were those related to residents, access control/security, external community portals, cameras/CCTV, visitors, homeowners, staff and finance. The information was held in a mixture of digital and hard copy media.
Company information falls under personal information as the company, while a legal entity, is regarded as a juristic person under South African law outside POPIA, and for this reason, financial information was also included.
The key areas of concern were identifying how homeowner and resident information was collected, amended and destroyed as well as the process of recording visitors, staff recruitment and publication of personal information to external organisations such as the media. The location of personal information including digital devices was also identified and recorded.
As various aspects of personal information are processed and stored by external service providers, it was necessary to have agreements between Arabella and these parties that included the responsibilities of the external party and the rights of the estate with regard to the lawful processing of personal information. This is a prerequisite contained in Condition 7 of the Act and provides legal recourse