Home / Legal  / Here’s how your agent needs to use and protect your personal data

Here’s how your agent needs to use and protect your personal data

personal data resize

A data breach seems to be reported at least once a month, most recently at financial services company and life fund, Liberty, as well as at the end of last year from well-known and reputable estate agency, AIDA.

When selling your home, you are required to share a vast amount of personal information and data with your agent, your bank and the conveyancer handling the transaction. And with personal information being such a hot commodity for criminals to commit fraud and identity theft – which can have devastating consequences for the victim – it’s important to ask your agent how they plan on storing, safeguarding, using and, ultimately, destroying your personal information.

Consent and safeguardlocks-on-door-resize

According to Craig Guthrie, specialist attorney at Guthrie Colananni, estate agents should take all reasonable steps to safeguard the information and receive the express consent from the client with regards to processing (receiving, use, disseminating, storage, destroying) personal information.

“The steps, however, are not defined,” he says, noting that it would be wise from the moment the estate agent first receives any protected information to also obtain the client’s express consent with regards to keeping the client’s personal information on record for other transactions, sending marketing information, the manner in which the information will be stored, how long the information will be stored before it is destroyed, and how it will be destroyed.

“In addition, an express acknowledgment from the client that the use, storage, and disposal of the private information referred to in the agreement/mandate is reasonable and that the agent has taken all reasonable steps to secure the personal information. Systems will need to be put in place to protect the information and to destroy the information after the agreed period. The detail of the client’s written consent is key.”

Read the fine printWoman checking contract details.resize

The data breach which affected AIDA is a case in point. What do clients have to be aware of when sharing their data to conclude a property sale?

Guthrie says that, in general, the client should look out for terms and conditions that refer to acceptance of marketing material, the storage, and disposal of their information as well as the length of time that the agent may store their information.

Local estate agencies are not complying with EU data laws

“If you do not want to be contacted after the transaction is complete, then ensure that the agent understands your wishes that the authority to use the information is only in relation to this particular transaction, and that all information should be destroyed except for the information which must be stored in accordance with other laws.”

The “other laws” relate to the Financial Intelligence Centre Act, 38 of 2001 (FICA). “Section 22 requires that you must keep a record of identifying information of clients in relation to any business relationship or transaction for 5 years”.

“Records may be kept in an electronic format,” he says. “An estate agency has a duty to ensure that internal measures are implemented to facilitate the gathering and storage of the required information. FICA information can be stored separately: A different cabinet or in a different folder on a computer database – easily retrieved.”

The following information must be stored for 5 years:

#1 The manner in which the identity was established

#2 The name of the person who gathered the information

#3 The nature of the business relationship or transaction

#4 The parties to the transaction

#5 Details of accounts involved in the conclusion of the single transaction or used in the course of the business relationship

#6 Copies of all documents used to verify the identity of a client in compliance with S21. Section 24 allows third parties to keep the records on behalf of the estate agency. Non-compliance may result in criminal liability of the principal estate agent

South Africa’s main data protection law, Protection of Personal Information Act (POPI), which was enacted in 2013 and will soon take effect once a date has been determined, requires information to be held for a specific, explicitly defined and lawful purpose related to a function of the firm. The client should be aware that steps must be taken by the estate agent to ensure they are aware of the purpose of collection.

“Clients must be immediately notified of any breach or compromise of their personal information,” says Guthrie, noting that security measures must be put in place, including a firm’s server where personal information is stored. “Clients have a right to request any estate agent to confirm whether or not they hold any personal information relating to them. And this should be done free of charge.”


David A Steynberg, managing editor and director of HomeTimes, has more than 10 years of experience as both a journalist and editor, having headed up Business Day’s HomeFront supplement, SAPOA’s range of four printed titles, digimags Asset in Africa and the South African Planning Institute’s official title, Planning Africa, as well as B2B titles, Building Africa and Water, Sewage & Effluent magazines. He began his career at Farmer’s Weekly magazine before moving on to People Magazine where he was awarded two Excellence Awards for Best Real Life feature as well as Writer of the Year runner-up. He is also a past fellow of the International Women’s Media Foundation.

Review overview