PoPIA: Community housing schemes must appoint information officers
“This is the first step in a chain of PoPIA compliance that the trustees and directors of community housing schemes must follow now,” says Andrew Schaefer, MD of Trafalgar.
“It is also important for trustees and directors to note that it is currently not possible for schemes to simply appoint a managing agent as their information officer.”
Trafalgar and other managing agents are lobbying for the Information Regulator to reconsider this restriction, he says, given the need for continuity in data protection and the rotational, part-time, unpaid and volunteer nature of the trustee and director roles in community housing schemes.
Who can be an information officer?
At the moment, however, Section 55 of PoPIA stipulates that the information officer of any organisation must be a person who serves in an executive capacity. And when it comes to community housing schemes, says Sicelo Kula, an attorney at Michalsons who specialises in data protection, that means that in most cases the information officer will be one of the following, who can also have a deputy if necessary:
- A sectional title trustee;
- A homeowners’ association director;
- A general manager or estate manager who is the most senior person in charge of the scheme’s operations;
- An executive managing agent who the owners in a sectional title scheme have appointed to take over the role of the trustees.
If a community housing scheme fails to appoint an information officer before the 1 July deadline, he notes, the chairman of the trustees or board of directors will carry the responsibilities of the position by default.
What are the responsibilities of an information officer?
The key responsibility of the information officer is to assist the community housing scheme to comply with PoPIA and give effect to the rights of individuals as outlined in this legislation.
The information officer is the person who will be held accountable for ensuring that the scheme puts all the necessary information protection policies, procedures and agreements in place; for assessing and processing any requests for access to the personal data that the scheme holds; and for informing the Information Regulator if there is any data breach.
And these responsibilities cannot be delegated. However, as Kula explains in the latest Trafalgar webinar on PoPIA, community housing schemes are allowed to delegate the execution of the specific tasks that come with the information officer role to their managing agents or other service providers such as auditors, insurers and security companies.
This must, however, be done formally, by means of a written agreement with each service provider that clearly sets out what personal information they may collect, where and how that data must be stored and secured, and when it must either be destroyed or returned to the community housing scheme.
The PoPIA compliance “toolkit” that has been prepared by Trafalgar and Michalsons contains a template for this type of agreement that information officers can customise for their own schemes.
What qualifications does an information officer need?
The information officer does not need to be a legal or technology expert, Schaefer says. “However, he or she will need an understanding of the principles of data protection and the reasons that it is becoming increasingly important to secure private personal information.
“Information officers will also need good communication skills and, going forward, a willingness to learn about the development of new data gathering and protection methods.”
How to appoint and register an information officer
The appointment of an information officer for a community housing scheme can be done by means of a simple resolution taken by the trustees or directors, but it must then be put into writing in an appointment letter that sets out all the responsibilities of the position.
A template appointment letter is another of the documents to be found in the “toolkit” prepared by Trafalgar and Michalsons to help schemes achieve rapid basic compliance with PoPIA.
Once this appointment has been made, the information officer must then be registered with the Information Regulator. This can be done digitally on the website of the Information Regulator, where there is also an official guideline for information officers.