The Protection of Privacy Information Act (POPIA) came into effect on the 1st day of July 2021. The Promotion of Access to Information Act (PAIA) came into effect on the 9th day of March 2001. With these two Acts in mind, the question is: does a third party have access to one’s information held by registered credit bureaus?
POPIA is the legislation that governs the lawful processing of personal information. It applies to any person or organisation that collects, stores and uses the personal information of any person. Personal information is defined as information that may be used to identify someone. Further, the information must not stand alone: a name together with an identity number is much more significant than the name on its own.
PAIA refers to the legislation that gives effect to the constitutional right of access to any information held by the State and any information that is held by another person and that is required for the exercise or protection of any rights.
The credit bureaus are private bodies, which must be registered in terms of Section 43 of the National Credit Act, and they retain, maintain and remove credit information held on a consumer’s credit record. The information is obtained from various sources such as financial institutions, non-bank lenders, courts and insurance companies, which is permitted in terms of Section 70(2)(a) and (b), Section 70(3)(b) and Regulation 18 (7) of the National Credit Act, 34 of 2005 (“NCA”).
When you complete a credit application form, there are legislated clauses that you agree to when you sign the application, consenting to the creditor submitting the information provided to the credit bureaus for verification. You further consent to the credit bureaus storing the information on their database and sharing it with other credit providers. Credit information includes both negative and positive information about a consumer, and includes, but is not limited to: information relating to identity and contact details, account information, payments and repayments, microloans, previous enquiries conducted on a consumer, information available publicly (such as court judgments), accounts which are in default, other adverse behaviour, collection efforts, debt restructuring or rescheduling information, disputes, fraudulent behaviour, property or deeds data and/or other assets held. Reports containing all or part of this information are then sold to lenders and other companies for assessment of risk in the provision of credit and for other purposes.
Third parties are only allowed to access this information if they have a lawful or prescribed purpose as set out in Regulation 18 (4) of the National Credit Regulations, or where the explicit consent of the consumer has been provided.
The prescribed purposes, other than for purposes contemplated in the NCA, for which a report may be issued in terms of Section 70(2)(g) of the NCA, are:
(a) an investigation into fraud, corruption or theft, provided that the South African Police Service or any other statutory enforcement agency conducts such an investigation;
(b) fraud detection and fraud prevention services;
(c) considering a candidate for employment in a position that requires trust and honesty and entails the handling of cash or finances;
(d) an assessment of the debtors book of a business for the purposes of:
(i) the sale of the business or debtors book of that business; or
(ii) any other transaction that is dependent upon determining the value of the business or the debtors book of that business;
(e) setting a limit of service provision in respect of any continuous service;
(f) assessing an application for insurance;
(g) verifying qualifications and employment;
(h) obtaining consumer information to distribute unclaimed funds, including pension funds and insurance claims;
(i) tracing of a consumer by a credit provider in respect of a credit agreement entered into between the consumer and the credit provider;
(j) developing of a credit scoring system by a credit provider or credit bureau.
Regulation 18 (5) sets out that, should a report be required for a purpose set out in sub-regulation (4)(c) or (e) to (g), the consent of the consumer must be obtained prior to the report being requested.
Section 57(1) of POPIA provides that the responsible party must obtain prior authorisation from the Regulator, in terms of Section 58, prior to processing information of data subjects, if that responsible party plans to:
a) Process any unique identifiers of data subjects
b) Process information on criminal behaviour
c) Process information for the purpose of credit reporting
d) Transfer special personal information
Notwithstanding that POPIA came into effect on the 1st July 2020, with a grace period of one year being given by the Information Regulator, the commencement of Section 58(2) was amended to be effective 1st February 2022, and is applicable to the processing referred to in Section 57 above.
Thus, in answer to our question above, should your organisation require prior authorisation from the Information Regulator for the processing of information as per Section 57(1)(a)-(d), an application must be submitted to the Information Regulator prior to the 1st February 2022, failing which you may face penalties.