How does the POPI Act affect credit bureaus?
When it comes to the protection of personal information, there are two acts that govern businesses and those working with such information. The Protection of Privacy Information Act (POPIA), which came into effect on the 1st day of July 2021, and the Promotion of Access to Information Act (PAIA), which came into effect on the 9th day of March 2001. With these two Acts in mind, the question is, does a third party have access to the personal information held by registered credit bureaus. POPIA refers to the legislation that governs the lawful processing of one’s personal information and is applicable to any person or organisation that collects, stores, and uses the personal information of any person. Personal information is defined as information that may be used to identify a person. Further, the information should not stand alone; for example, information containing a name and an identity number is more significant than a name on its own. PAIA refers to the legislation that gives effect to the constitutional right of access to any information held by the State, and any information that is held by another person that is required for the exercise or protection of their rights. Credit Bureaus are private bodies registered in terms of Section 43 of the National Credit Act, and as such, they retain, maintain and remove credit information held on a consumer’s credit record. This information is obtained from various sources, such as financial institutions, non-bank lenders, courts, and insurance companies, and is permitted in terms of Section 70(2)(a) and (b), section 70(3)(b) and Regulation 18 (7) of the National Credit Act, 34 of 2005 (NCA). When you complete a credit application form, there are legislated clauses that you agree to when you sign the application, consenting that the creditor may submit the information provided to the credit bureaus for verification. You further consent that the credit bureau involved may store the information on their database and share it with other creditor providers. Credit information includes both negative and positive information about a consumer, and includes, but is not limited to: information relating to identity and contact details, account information, payments and repayments, microloans, previous enquiries conducted on a consumer, information available publicly (such as court judgments), accounts that are in default, other adverse financial behaviour, collection efforts, debt restructuring or rescheduling information, disputes, fraudulent behaviour, property or deeds data, and/or other assets held. The report containing all or part of this information is then sold to lenders and other companies for assessment of risk in the provision of credit and for other purposes. Third parties are only allowed to access this information if they have a lawful or prescribed purpose as set out in Regulation 18 (4) of the NCA, or where the explicit consent of the consumer has been provided. The prescribed purposes, other than for purposes contemplated in the NCA, for which a report may be issued in terms of Section 70(2)(g) of the NCA, are: (a) An investigation into fraud, corruption, or theft, provided that the South African Police Service or another statutory enforcement agency conducts such an investigation; (b) Fraud detection and fraud prevention services; (c) Considering a candidate for employment in a position that requires trust and honesty in regard to the handling of cash or finances; (d) An assessment of the debtors book of a business for the purposes of: The sale of the business or debtors book of that business; or Any other transaction that is dependent upon determining the value of the business or the debtors book of that business. (e) Setting a limit of service provision in respect of any continuous service; (f) Assessing an application for insurance; (g) Verifying qualifications and employment; (h) Obtaining consumer information to distribute unclaimed funds, including pension funds and insurance claims; (i) Tracing of a consumer by a credit provider in respect of a credit agreement entered into between the consumer and the credit provider; or (j) Developing of a credit scoring system by a credit provider or credit bureau. Regulation 18 (5) sets out that should a report be required for a purpose set out in sub-regulation (4)(c) or (e) to (g), the consent of the consumer must be obtained prior to the report being requested. Section 57(1) of POPIA refers to the fact that the responsible party must obtain prior authorisation from the Regulator, in terms of Section 58, prior to processing information of data subjects, if the responsible party plans to: Process any unique identifiers of data subjects Process information on criminal behaviour Process information for the purpose of credit reporting Transfer special personal information While POPIA came into effect on 1 July 2020, with compliance being mandatory as of 1 July 2021 after the grace period of one year being given by the Information Regulator, the commencement of Section 58(2) of POPIA was amended to only come into effect on 1 February 2022, and is applicable to the processing referred to Section 57 mentioned above. In answer to our question above then, should your organisation require prior authorisation from the Information Regulator for the processing of information as per Section 57(1)(a)-(d), an application must be submitted to the Information Regulator prior to the 1 February 2022, failing which you may face penalties. Reference List: PROTECTION OF PERSONAL INFORMATION ACT NO 4 OF 2013 PROMOTION OF ACCESS TO INFORMATION ACT NO 2 OF 2000 NATIONAL CREDIT ACT NO 34 OF 2005 NATIONAL CREDIT REGULATIONS Section 58: https://popia.co.za/section-58-responsible-party-to-notify-regulator-if-processing-is-subject-to-prior-authorisation/ This article is a general information sheet and should not be used or relied on as legal or other professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your legal adviser for specific and detailed advice. Errors and omissions excepted (E&OE)
The A-Z of POPI compliance
The Protection of Personal Information (POPI) Act came into full effect on the 1st of July 2021. If you still haven’t implemented your POPI compliance strategy, it is strongly advisable that you take quick and decisive steps to do so as non-compliance could carry hefty penalties. To ensure that you get your (POPI) act together, we’ve put together a handy list of A-Z* terms that you should consider in your quest for information protection. A – Accountability: One of the 8 conditions for processing personal information, which governs that both the means and the purpose thereof must be determined before processing can take place. B – Big data: With modern data-practices where large quantities of information are constantly being processed in a short time, you will need to ensure that you have infrastructure in place to deal with these kinds of large-scale processes lawfully. C – Consent: You need to provide your data subjects with enough information for them to make an informed decision on whether you may process their personal information. They may only be approached for consent once. D – Data Subject: The legal persons/entities whose information you collect and process are called data subjects. E – Eradication: When information is no longer used for the purpose it was collected, you will need to dispose of that information without a way to recover it. F – Freedom: While POPI does restrict the liberty with which businesses have been processing data in the past, it is in fact aimed at rectifying the lack of freedom and privacy data subjects have been forced to deal with for much too long. G – GDPR: The GDPR (General Data Protection Regulation) is the EU’s data protection law and is similar to POPI in many ways. Be sure to understand by which jurisdiction your data is regulated. H – How: According to the POPI Act, the manner in which you process personal information must be pre-determined and communicated clearly to your data subjects. I – Information officer: Every business should appoint someone to handle their data processes and take responsibility for ensuring compliance with the POPI Act. J – July 2021: The POPI Act is lawfully enforceable from the 1st of July 2021. L – Limitations on Processing: A variety of limits exist on the processing of personal information, including obtaining it from the data subject, gaining of consent, scope (you cannot collect excessive data), and more. M – Marketing: POPI has a significant effect on marketing practices. And as such, traditional ‘grey areas’ in the processing and use of personal information are now much more ‘black and white’. N – Notice: You must provide your data subjects with a notice of how their information is collected, processed, used and disposed of, as well as what the purpose of that information is. O – Openness: The data subjects must always be able to access their data, be able to see what data you possess, and be able to make changes to their data. P – Penalties and fines: Non-compliance is prosecutable, with fines of up to R 10 000 000 and imprisonment of up to 10 years. Q – Quality of information: Personal information must always be kept accurate, complete, and up to date. R – Regulator: South Africa has an Information Regulator who is empowered to monitor and enforce compliance to the POPI Act. It is an independent regulatory authority. S – Security: As a condition for processing personal information, you are required to take all reasonable measures to ensure that the information of your data subjects is protected, secured, and encrypted. T – Third-party processing: Your data subjects have to consent to the use of their information by third-parties and the details thereof must be clearly outlined before you collect their personal data. U – Unsubscribe: Where you previously might have gotten away with sending unsolicited communication with the option to unsubscribe, now you will need to ensure that your data subjects opt in for communication. V – Veracity: All the data you process must be accurate, and it is your responsibility to ensure that you update your databases regularly. W – Why: The purpose for which you collect and process personal information must be clearly defined and communicated to data subjects. Y – Yearly review: You will need to regularly review your POPI plan and ensure that your processing standards remain up to date. Therefore, it is advisable to review your data systems and POPI protocols at least once a year. Z – Zero Trust (ZT) Architecture: As a security measure some companies have implemented ZT Architecture, which ensures that the authority and access to data is checked at every point of access and not just trusted because of the network through which it moves. This is not a requirement of POPI. *Please note there are no entries for K or X. To ensure that you have everything in place to protect yourself (as an information processor) and your data subjects (whose sensitive data you collect) with regard to the POPI Act, please get in touch with your trusted advisor. This article is a general information sheet and should not be used or relied on as legal or other professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your legal adviser for specific and detailed advice. Errors and omissions excepted (E&OE)