Van Zyl Retief

How does the POPI Act affect credit bureaus?

When it comes to the protection of personal information, there are two Acts that govern businesses and those working with such information: the Protection of Privacy Information Act (POPIA), which came into effect on the 1st day of July 2021, and the Promotion of Access to Information Act (PAIA), which came into effect on the 9th day of March 2001. With these two Acts in mind, the question is: does a third party have access to the personal information held by registered credit bureaus?

POPIA refers to the legislation that governs the lawful processing of one’s personal information and is applicable to any person or organisation that collects, stores, and uses the personal information of any person. Personal information is defined as information that may be used to identify a person. Further, the information should not stand alone; for example, information containing a name and an identity number is more significant than a name on its own.

PAIA refers to the legislation that gives effect to the constitutional right of access to any information held by the State, and any information that is held by another person that is required for the exercise or protection of their rights.

Credit bureaus are private bodies registered in terms of Section 43 of the National Credit Act, and as such, they retain, maintain and remove credit information held on a consumer’s credit record. This information is obtained from various sources, such as financial institutions, non-bank lenders, courts, and insurance companies, and is permitted in terms of Section 70(2)(a) and (b), Section 70(3)(b) and Regulation 18 (7) of the National Credit Act, 34 of 2005 (NCA).

When you complete a credit application form, there are legislated clauses that you agree to when you sign the application, consenting that the creditor may submit the information provided to the credit bureaus for verification.
You further consent that the credit bureau involved may store the information on their database and share it with other credit providers.

Credit information includes both negative and positive information about a consumer, and includes, but is not limited to: information relating to identity and contact details, account information, payments and repayments, microloans, previous enquiries conducted on a consumer, information available publicly (such as court judgments), accounts that are in default, other adverse financial behaviour, collection efforts, debt restructuring or rescheduling information, disputes, fraudulent behaviour, property or deeds data, and/or other assets held. The report containing all or part of this information is then sold to lenders and other companies for assessment of risk in the provision of credit and for other purposes.

Third parties are only allowed to access this information if they have a lawful or prescribed purpose as set out in Regulation 18 (4) of the NCA, or where the explicit consent of the consumer has been provided.

The prescribed purposes, other than for purposes contemplated in the NCA, for which a report may be issued in terms of Section 70(2)(g) of the NCA, are:

(a) An investigation into fraud, corruption, or theft, provided that the South African Police Service or another statutory enforcement agency conducts such an investigation;
(b) Fraud detection and fraud prevention services;
(c) Considering a candidate for employment in a position that requires trust and honesty in regard to the handling of cash or finances;
(d) An assessment of the debtors book of a business for the purposes of:
    The sale of the business or debtors book of that business; or
    Any other transaction that is dependent upon determining the value of the business or the debtors book of that business.
(e) Setting a limit of service provision in respect of any continuous service;
(f) Assessing an application for insurance;
(g) Verifying qualifications and employment;
(h) Obtaining consumer information to distribute unclaimed funds, including pension funds and insurance claims;
(i) Tracing of a consumer by a credit provider in respect of a credit agreement entered into between the consumer and the credit provider; or
(j) Developing of a credit scoring system by a credit provider or credit bureau.

Regulation 18 (5) sets out that should a report be required for a purpose set out in sub-regulation (4)(c) or (e) to (g), the consent of the consumer must be obtained prior to the report being requested.

Section 57(1) of POPIA provides that the responsible party must obtain prior authorisation from the Regulator, in terms of Section 58, prior to processing information of data subjects, if the responsible party plans to:

Process any unique identifiers of data subjects
Process information on criminal behaviour
Process information for the purpose of credit reporting
Transfer special personal information

While POPIA came into effect on 1 July 2020, with compliance being mandatory as of 1 July 2021 after a grace period of one year given by the Information Regulator, the commencement of Section 58(2) of POPIA was amended to only come into effect on 1 February 2022, and is applicable to the processing referred to in Section 57 mentioned above.

In answer to our question above then, should your organisation require prior authorisation from the Information Regulator for the processing of information as per Section 57(1)(a)-(d), an application must be submitted to the Information Regulator prior to 1 February 2022, failing which you may face penalties.
Reference List:

PROTECTION OF PERSONAL INFORMATION ACT NO 4 OF 2013
PROMOTION OF ACCESS TO INFORMATION ACT NO 2 OF 2000
NATIONAL CREDIT ACT NO 34 OF 2005
NATIONAL CREDIT REGULATIONS
Section 58: https://popia.co.za/section-58-responsible-party-to-notify-regulator-if-processing-is-subject-to-prior-authorisation/

This article is a general information sheet and should not be used or relied on as legal or other professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your legal adviser for specific and detailed advice. Errors and omissions excepted (E&OE)

Why the POPI Act matters

The right to privacy is enshrined in Section 14 of South Africa’s Constitution and we understand it to be a vital human right. It states:

“Everyone has the right to privacy, which includes the right not to have –
(a) their person or home searched;
(b) their property searched;
(c) their possessions seized;
(d) the privacy of their communications infringed.”

It’s the last part of the abovementioned list that is becoming a growing concern. All around the world more and more focus is being placed on protecting private information as countries and governments are setting new laws to ensure the safety of their citizens’ information online. In an age where information is growing at an exponential rate, no digital exchange of information can be left unprotected.

For this reason, the Protection of Personal Information (POPI) Act comes into full effect from the 1st of July 2021. Non-compliance could carry hefty fines, but as with most regulatory pieces of legislation, compliance is more than just a box to tick. Let’s consider why personal information should be protected:

It builds confidentiality

Protection of data is very much a protection of the information that people hold as important. By capturing, storing, and processing personal information, you are essentially guaranteeing the confidentiality of your transactions with the other party. Confidentiality is built when you can guarantee that no one other than you is able to access and process the information you store. Having a secure database stored with good encryption on your servers is a good way to keep to the promise of security you give to your customers/clients.

It ensures the integrity of information

In a similar vein, data protection ensures that data remains accurate and integrous. Your customers/clients need to be sure that all their data is current and accurate, and that no manipulation of the data can take place.
Furthermore, to ensure the integrity of information, the data needs to be frequently backed up while remaining synchronous (i.e. whenever a change is made that change must reflect in the backup in as little time as possible). Safeguards can also be put in place to ensure that no data is duplicated or stolen.

It leads to trust

With regard to information storage and access, trust is built when your data subjects know that their data will always be available when and where they need it. Readily available data and the ability to request changes to the data with little to no delay are ways to build trust and assure data subjects that you are handling their data ethically.

At the end of the day, how you handle information is a question of ethics. What the POPI Act brings is a sense of relief in a modern age that there will be repercussions for the mismanagement of data and that there is greater regulation of data management. Soon the everyday consumer will have a lot more protection against unwanted marketing and unethical data practices — practices that have been allowed to go on for too long.

For those who are still lagging behind, the time is ticking and failure to become fully POPI Act compliant could hold serious consequences. Make sure to get your matters in order before 1 July 2021.

This article is a general information sheet and should not be used or relied on as legal or other professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your legal adviser for specific and detailed advice. Errors and omissions excepted (E&OE)
