Advertisement
South Africa’s access control practices are entering an important new phase following the publication of the draft Code of Conduct on the Processing of Personal Information at Gated Accesses by the Information Regulator.
While the Protection of Personal Information Act (POPIA) has been in force since 2021, the proposed Code provides practical guidance on how the legislation should be applied at controlled access points where personal information is collected every day. Residential estates, sectional title schemes, office parks, shopping centres, schools, hospitals, government facilities, and industrial precincts are among the environments expected to be affected.
Rather than introducing new legislation, the draft Code establishes a clearer compliance framework for organisations responsible for managing access control. For many community schemes and property owners that have already implemented POPIA policies and appointed Information Officers, the Code represents the next step in strengthening governance and operational practices.
Building on Existing POPIA Compliance
Over the past few years, many homeowners’ associations, body corporates, property managers and commercial property owners have invested considerable time and resources in implementing POPIA. Information Officers have been appointed, privacy policies developed, consent processes introduced and internal governance structures established.
The draft Code does not replace these measures. Instead, it focuses specifically on one area that has often received less attention — the collection and processing of personal information at entrances and exits.
Security personnel, reception staff, access control operators and contractors routinely process visitor information, identity documents, vehicle registrations, CCTV footage and, in many cases, biometric data. The draft Code provides more detailed guidance on how these activities should be managed in accordance with POPIA’s existing principles of lawfulness, necessity, proportionality and accountability.
Advertisement
A Significant Operational Sector
South Africa’s private security industry is one of the largest globally. According to the Private Security Industry Regulatory Authority (PSiRA), there are more than 580,000 registered security officers and approximately 11,000 registered security businesses.
These professionals provide access control services across thousands of locations, including:
- Between 7,000 and 8,500 residential estates (Estate Living industry mapping)
- Approximately 70,000 sectional title schemes (Community Schemes Ombud Service)
- Around 2,000 shopping centres (South African Council of Shopping Centres)
- More than 26,000 public and independent schools
- Hundreds of hospitals and healthcare facilities
- Thousands of office parks, industrial facilities and government buildings.
Many of these sites also rely on sophisticated access technologies including CCTV, licence plate recognition and biometric systems.
What the Draft Code Changes
The draft Code reinforces that organisations should only collect information that is necessary for granting access.
Where higher-risk technologies such as facial recognition or fingerprint systems are used, organisations may be required to demonstrate why these systems are necessary through a Personal Information Impact Assessment (PIIA).
The Code also places greater emphasis on documenting how personal information is collected, stored, retained and deleted, while ensuring visitors receive appropriate privacy notices explaining how their information will be used.
Importantly, the responsibility for compliance rests with the organisation responsible for the access point—not with individual security officers.
Trustees, homeowners’ associations, body corporates, landlords, property owners, managing agents and public bodies will remain responsible for ensuring that appropriate governance structures, policies and oversight are in place.
The Role of Security Service Providers
The draft Code is also expected to influence contractual relationships between property owners and security companies.
Many existing service level agreements may need updating to clearly define responsibilities relating to:
- POPIA-compliant handling of personal information
- Staff training requirements
- Data retention and deletion procedures
- Incident and breach reporting
- Processing instructions
- Allocation of legal responsibilities between client and service provider.
This does not necessarily shift liability entirely to security companies, but it does require clearer contractual accountability between all parties involved.
Training Will Become Increasingly Important
One of the practical gaps highlighted by the draft Code is the need for more consistent POPIA awareness among frontline personnel who process visitor information every day.
While many organisations have already provided POPIA awareness training to management teams, additional operational training for security officers, reception staff and access control personnel is likely to become an important part of future compliance programmes.
Training will need to cover topics such as:
- Collecting only necessary information
- Appropriate use of CCTV and biometric systems
- Visitor privacy notices
- Record retention and deletion
- Responding to information requests
- Reporting potential data breaches.
Who Will Bear the Cost?
As with any regulatory change, implementation will carry financial implications.
The responsibility for funding compliance is likely to rest primarily with the responsible party under POPIA—typically the homeowners’ association, body corporate, landlord, property owner, managing agent or organisation operating the access point.
However, security companies may also incur costs where contracts require additional staff training, updated operating procedures or revised technology platforms.
Depending on the existing level of compliance, organisations may need to budget for:
- Additional POPIA training
- Policy and governance updates
- Legal review of contracts
- Privacy signage and notices
- System configuration changes
- Biometric or CCTV assessments where required.
Organisations that have already invested in POPIA governance may find that many of these foundations are already in place, reducing the extent of future changes.
A Transitional Opportunity
The Information Regulator is expected to provide a transitional implementation period once the Code is finalised, allowing organisations time to review procedures, update documentation and implement any necessary operational changes.
While the final implementation timeline has not yet been confirmed, the current draft provides an opportunity for organisations to assess their existing access control practices before the Code comes into force.
Practical Steps to Consider
Community schemes, property owners and organisations responsible for controlled access should consider:
- reviewing current access control procedures
- auditing the personal information collected at entrances
- assessing the use of CCTV and biometric systems
- reviewing contracts with security service providers
- ensuring Information Officers are involved in access control governance
- planning additional staff training where required
- reviewing data retention and deletion procedures
- updating privacy notices displayed at access points.
Looking Ahead
The draft Code represents an evolution of POPIA rather than a new legal obligation. It provides greater clarity on an area where large volumes of personal information are processed daily and where governance expectations are becoming more defined.
For organisations that have already embraced POPIA compliance, the focus now shifts from policy development to operational implementation at the gate. For others, the draft Code serves as a timely reminder that effective privacy governance extends beyond the boardroom and into every point where personal information is collected.
As the consultation process continues, estates, community schemes, commercial property owners, and security providers have an opportunity to prepare, review existing practices, and ensure they are well-positioned when the final Code is published.