When it comes to the protection of personal information, there are two acts that govern businesses and those working with such information. The Protection of Privacy Information Act (POPIA), which came into effect on the 1st day of July 2021, and the Promotion of Access to Information Act (PAIA), which came into effect on the 9th day of March 2001.
With these two Acts in mind, the question is, does a third party have access to the personal information held by registered credit bureaus.
POPIA refers to the legislation that governs the lawful processing of one’s personal information and is applicable to any person or organisation that collects, stores, and uses the personal information of any person. Personal information is defined as information that may be used to identify a person. Further, the information should not stand alone; for example, information containing a name and an identity number is more significant than a name on its own.
PAIA refers to the legislation that gives effect to the constitutional right of access to any information held by the State, and any information that is held by another person that is required for the exercise or protection of their rights.
Credit Bureaus are private bodies registered in terms of Section 43 of the National Credit Act, and as such, they retain, maintain and remove credit information held on a consumer’s credit record. This information is obtained from various sources, such as financial institutions, non-bank lenders, courts, and insurance companies, and is permitted in terms of Section 70(2)(a) and (b), section 70(3)(b) and Regulation 18 (7) of the National Credit Act, 34 of 2005 (NCA).
When you complete a credit application form, there are legislated clauses that you agree to when you sign the application, consenting that the creditor may submit the information provided to the credit bureaus for verification. You further consent that the credit bureau involved may store the information on their database and share it with other creditor providers. Credit information includes both negative and positive information about a consumer, and includes, but is not limited to: information relating to identity and contact details, account information, payments and repayments, microloans, previous enquiries conducted on a consumer, information available publicly (such as court judgments), accounts that are in default, other adverse financial behaviour, collection efforts, debt restructuring or rescheduling information, disputes, fraudulent behaviour, property or deeds data, and/or other assets held. The report containing all or part of this information is then sold to lenders and other companies for assessment of risk in the provision of credit and for other purposes.
Third parties are only allowed to access this information if they have a lawful or prescribed purpose as set out in Regulation 18 (4) of the NCA, or where the explicit consent of the consumer has been provided.
The prescribed purposes, other than for purposes contemplated in the NCA, for which a report may be issued in terms of Section 70(2)(g) of the NCA, are:
(a) An investigation into fraud, corruption, or theft, provided that the South African Police Service or another statutory enforcement agency conducts such an investigation;
(b) Fraud detection and fraud prevention services;
(c) Considering a candidate for employment in a position that requires trust and honesty in regard to the handling of cash or finances;
(d) An assessment of the debtors book of a business for the purposes of:
(e) Setting a limit of service provision in respect of any continuous service;
(f) Assessing an application for insurance;
(g) Verifying qualifications and employment;
(h) Obtaining consumer information to distribute unclaimed funds, including pension funds and insurance claims;
(i) Tracing of a consumer by a credit provider in respect of a credit agreement entered into between the consumer and the credit provider; or
(j) Developing of a credit scoring system by a credit provider or credit bureau.
Regulation 18 (5) sets out that should a report be required for a purpose set out in sub-regulation (4)(c) or (e) to (g), the consent of the consumer must be obtained prior to the report being requested.
Section 57(1) of POPIA refers to the fact that the responsible party must obtain prior authorisation from the Regulator, in terms of Section 58, prior to processing information of data subjects, if the responsible party plans to:
While POPIA came into effect on 1 July 2020, with compliance being mandatory as of 1 July 2021 after the grace period of one year being given by the Information Regulator, the commencement of Section 58(2) of POPIA was amended to only come into effect on 1 February 2022, and is applicable to the processing referred to Section 57 mentioned above.
In answer to our question above then, should your organisation require prior authorisation from the Information Regulator for the processing of information as per Section 57(1)(a)-(d), an application must be submitted to the Information Regulator prior to the 1 February 2022, failing which you may face penalties.
This article is a general information sheet and should not be used or relied on as legal or other professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your legal adviser for specific and detailed advice. Errors and omissions excepted (E&OE)