Here’s how your agent needs to use and protect your personal data
A data breach seems to be reported at least once a month, most recently at financial services company and life fund, Liberty, as well as at the end of last year from well-known and reputable estate agency, AIDA.
When selling your home, you are required to share a vast amount of personal information and data with your agent, your bank and the conveyancer handling the transaction. And with personal information being such a hot commodity for criminals to commit fraud and identity theft – which can have devastating consequences for the victim – it’s important to ask your agent how they plan on storing, safeguarding, using and, ultimately, destroying your personal information.
According to Craig Guthrie, specialist attorney at Guthrie Colananni, estate agents should take all reasonable steps to safeguard the information and receive the express consent from the client with regards to processing (receiving, use, disseminating, storage, destroying) personal information.
“The steps, however, are not defined,” he says, noting that it would be wise from the moment the estate agent first receives any protected information to also obtain the client’s express consent with regards to keeping the client’s personal information on record for other transactions, sending marketing information, the manner in which the information will be stored, how long the information will be stored before it is destroyed, and how it will be destroyed.
“In addition, an express acknowledgment from the client that the use, storage, and disposal of the private information referred to in the agreement/mandate is reasonable and that the agent has taken all reasonable steps to secure the personal information. Systems will need to be put in place to protect the information and to destroy the information after the agreed period. The detail of the client’s written consent is key.”
The data breach which affected AIDA is a case in point. What do clients have to be aware of when sharing their data to conclude a property sale?
Guthrie says that, in general, the client should look out for terms and conditions that refer to acceptance of marketing material, the storage, and disposal of their information as well as the length of time that the agent may store their information.
“If you do not want to be contacted after the transaction is complete, then ensure that the agent understands your wishes that the authority to use the information is only in relation to this particular transaction, and that all information should be destroyed except for the information which must be stored in accordance with other laws.”
The “other laws” relate to the Financial Intelligence Centre Act, 38 of 2001 (FICA). “Section 22 requires that you must keep a record of identifying information of clients in relation to any business relationship or transaction for 5 years”.
“Records may be kept in an electronic format,” he says. “An estate agency has a duty to ensure that internal measures are implemented to facilitate the gathering and storage of the required information. FICA information can be stored separately: A different cabinet or in a different folder on a computer database – easily retrieved.”
The following information must be stored for 5 years:
#1 The manner in which the identity was established
#2 The name of the person who gathered the information
#3 The nature of the business relationship or transaction
#4 The parties to the transaction
#5 Details of accounts involved in the conclusion of the single transaction or used in the course of the business relationship
#6 Copies of all documents used to verify the identity of a client in compliance with S21. Section 24 allows third parties to keep the records on behalf of the estate agency. Non-compliance may result in criminal liability of the principal estate agent
South Africa’s main data protection law, Protection of Personal Information Act (POPI), which was enacted in 2013 and will soon take effect once a date has been determined, requires information to be held for a specific, explicitly defined and lawful purpose related to a function of the firm. The client should be aware that steps must be taken by the estate agent to ensure they are aware of the purpose of collection.
“Clients must be immediately notified of any breach or compromise of their personal information,” says Guthrie, noting that security measures must be put in place, including a firm’s server where personal information is stored. “Clients have a right to request any estate agent to confirm whether or not they hold any personal information relating to them. And this should be done free of charge.”