Business Report

POPIA turns its attention to gated access

Ahmore Burger-Smidt

The Information Regulator said the proposed code followed complaints from members of the public about intrusive security and visitor management practices at gated access points.


The Information Regulator has gazetted its proposed Code of Conduct on the processing of personal information at gated accesses. At 65 pages long, the code signals a significant shift in how housing estates, office parks, and other secure access buildings will be expected to manage personal information collected at entry points. 

The Code follows growing public complaints about the excessive collection and retention of personal information in gated environments. According to the draft, the Regulator received concerns that information being collected at access points was often “excessive, not relevant and not limited to what is necessary” for security purposes. These concerns included the use of facial recognition technology, biometric systems, CCTV surveillance and extensive visitor registers without clear communication about how information would be stored, shared or retained.

Importantly, the proposed Code applies broadly across both the public and private sectors. This includes residential estates and sectional title schemes, social housing and RDP developments, commercial buildings and office parks, healthcare establishments, schools, universities and government facilities. 

At the heart of the Code are two key requirements: proportionality and accountability. The first means organisations will need to justify why each category of personal information is collected and demonstrate that it is relevant and not excessive for the stated security purpose. The Code specifically flags as potentially excessive the collection of multiple forms of information, such as full names, ID numbers, vehicle registration details, photographs and fingerprints, for a single access-control purpose where less intrusive alternatives exist.

The second major requirement is governance and record keeping. Responsible parties will need to appoint Information Officers, conduct privacy and proportionality assessments, maintain retention schedules and implement formal POPIA compliance frameworks. The Code also makes it clear that personal information cannot be kept indefinitely. Records must only be retained for as long as necessary for the purpose for which they were collected, after which they must be securely deleted, destroyed or de-identified. 

For businesses and property managers, this marks a move away from informal security practices toward far more structured and defensible data governance. The days of open visitor books, permanent ID scans and unclear retention practices are rapidly coming to an end.

In practice, this means organisations will need to justify why each data point is collected, limit retention periods, and ensure that access controls and storage practices meet reasonable security safeguards. Importantly, “because it’s always been done this way” will not suffice as a lawful basis. Businesses operating gated environments should begin auditing their practices now, as over-collection at entry points is both highly visible and increasingly difficult to defend.

Ahmore Burger-Smidt is the director and regulatory head at Werksmans Attorneys.



** The views expressed do not necessarily reflect the views of IOL or Independent Media.
