Data protection for community schemes is a real issue. Body corporates and Home Owners’ Associations (often collectively referred to as community schemes) need to comply with POPIA and other data protection laws, because they process a lot of personal information.

Imagine the following scenarios involving personal information:

  • What if the security company that provides security to your premises takes away the database containing all your members, tenants, and owners’ personal information and refuses to give you access when you terminate your relationship with that security company? What legal risks does this pose to your community scheme?
  • What if the employees of your community scheme refuse to have you take their biometric information to control their access to your premises? In fact, what if it’s not just your employees who are asserting their right to privacy and not wanting you to process their information? Imagine if it’s an owner or trustee. What if they tell you that you can’t process their personal information because they can’t trust that you can secure it? Is that enough of a reason to stop you from processing personal information?

There aren’t many simple answers. Data protection law is more complex than that. And you need to work your way through the complexity to figure our where your community scheme stands.

You need to work out what the position is in a South African context, for example, by understanding what the Protection of Personal Information Act (POPIA) requires. Where the General Data Protection Regulation applies or another law does, you’ll need to work out what actions you must take to comply in that context.

Processing biometric information

Your community scheme likely wants to process biometric information (like scanning fingerprints) for one reason or another. The interesting question is, what does that legally mean for you? What if some of your members or owners refuse to let you process? Do you need special permission? Or can you process it like you process any other personal information?

These are global questions that many organisations across the globe are tackling. In Australia, for example, the Fair Work Commission found that an employee can refuse to submit their biometric information to an employer that wants to use it to control access the employer’s premises.

But what would a court in SA decide? In fact, what would the Information Regulator decide?

The answer depends on the conditions for lawful processing as set out in POPIA. The conditions make it possible to process personal information without necessarily having the consent of the data subjects.

Data protection for community schemes can be challenging

Imagine a scenario where a body corporate, for example, is trying to get a security upgrade for the body corporate’s premises and the trustees are trying to determine how much each owner should contribute. The trustees then determine the amounts (based on whatever factor such as the size of each owner’s unit) and distribute it in a list to all the owners. Is this a good data protection practice if there’s personal information on the list? Should the trustees limit who has access to the list? Does it depend on how sensitive the information is? Is it a data protection issue or a broader information security issue (it’s not a data protection issue if the information on the list is confidential information, not personal information).

Actions you can take