SA’s Private Security Workforce Unprepared for Drastic New Surveillance Laws

The 580,000‑Strong Blindspot

Advertisement

4 min read

South Africa is about to regulate one of its largest workforces following the publication of the draft Code of Conduct on the Processing of Personal Information at Gated Accesses.

According to the Private Security Industry Regulatory Authority (PSiRA), the country has more than 580,000 registered private security officers and 11,000 security businesses, making it one of the largest private security sectors in the world. Yet, points out Cor van Deventer, Director at Van Deventer Dowlath & Marx, it has never been formally integrated into POPIA compliance, despite managing personal information at thousands of access points every day.

The draft has exposed a national blind spot, he says. “Guards, receptionists, boom operators, parking attendants, and contractor access teams will now be treated as data processors under POPIA (Protection of Personal Information Act. But PSiRA’s training standards don’t currently require POPIA modules. So hundreds of thousands of access control workers who’ve never had proportionality, retention rules, deletion protocols, and privacy notice training are processing visitor registers, ID verification, licence‑plate recognition, biometric scanners, and CCTV systems on a daily basis.”

The sheer magnitude:

Industry mapping by Estate Living puts the number of residential estates in South Africa at between 7,000 and 8,500.
The Community Schemes Ombud Service (CSOS) says the country has approximately 70,000 sectional title schemes.
The South African Council of Shopping Centres (SACSC) lists around 2,000 shopping centres nationally.
According to the Department of Basic Education, South Africa has about 26,000 public and independent schools.
Health Systems Trust and Department of Health data place the number of hospitals and major medical facilities at between 400 and 450.
SAPOA and commercial real estate mapping confirm thousands of office parks, industrial precincts and government facilities across the country.

South Africa’s surveillance footprint is just as significant, he continues. “Industry estimates suggest the country has over 1.2 million CCTV cameras in commercial and residential environments, many positioned at access points. Biometric adoption, too, is widespread with approximately 60% of large estates using fingerprint or facial recognition, 40% of office parks relying on biometric or licence plate recognition, and around 70% of new access control installations including some form of biometric component.”

POPIA hasn’t changed but accountability has

POPIA itself hasn’t changed, van Deventer emphasises. “The law has always required proportionality, necessity, security safeguards and responsible governance. What is changing is the level of accountability that the Regulator will now demand at access points. The Code isn’t a new law; it is a new enforcement framework for environments that have long overlooked their data handling duties.”

The draft Code is a response to years of public complaints, he says. “According to the Information Regulator, intrusive gate practices – excessive data collection, unclear retention periods, unregulated CCTV capture and the use of biometrics without proper justification – are among the most common POPIA complaints it receives.”

Advertisement

Accordingly, the Code demands that only information necessary for access control may be collected, and any use of biometrics or high‑risk technologies has to be justified through a Personal Information Impact Assessment.

“Now for the first time, access control is going to be a regulated compliance function, which means that trustees, directors, homeowner associations, landlords, property managers, and heads of public bodies will all need to appoint information officers, implement compliance frameworks, maintain retention and deletion schedules, provide privacy notices, document all processing operations, and train staff who handle personal information.”

“And this is very important to note: governance structures will carry the legal risk for non‑compliant data handling at the gate, not the guard.”

Contractual overhauls

Van Deventer says the Code is also going to influence the way security companies contract with estates, malls, office parks and public bodies, with service level agreements now needing to include:

  • POPIA‑aligned data‑handling duties
  • training obligations for frontline staff
  • retention and deletion rules
  • breach‑reporting procedures
  • liability clauses
  • documented processing instructions

“Security companies can no longer rely on generic SLAs,” he warns. “If their staff collect personal information, their contracts will need to prove that those staff were properly trained and are legally governed.”

Compliance is now a line item

While compliance costs will vary widely depending on existing systems, van Deventer’s budget starting point is:

  • POPIA training for frontline staff: R350 – R1,200 per person
  • Compliance framework development: R20,000 – R150,000
  • Access‑control system upgrades: R50,000 – R500,000-plus
  • Biometric replacements: R80,000 – R1.2 million
  • CCTV compliance upgrades: R15,000 – R200,000

Transitional period

Once approved, van Deventer says the Code will probably allow a transitional period to implement training, update systems, revise contracts, and align procedures, although the Regulator hasn’t confirmed the duration. “It’s not going to happen overnight, but it is going to happen, so organisations need to use the transitional period wisely.”

What to do now

Van Deventer recommends that trustees, landlords and operators begin preparing immediately by:

  • Establishing a budget
  • auditing current access control practices
  • identifying excessive data collection
  • reviewing CCTV and biometric systems
  • preparing training plans for frontline staff
  • updating privacy notices at access points
  • revising contracts with security providers
  • establishing retention and deletion schedules
  • documenting all processing operations

Summary of the Draft Code

The draft Code of Conduct on the Processing of Personal Information at Gated Accesses will regulate how personal information is collected, stored, and used at entry points across South Africa. It applies to any environment that controls access – from residential estates, sectional title schemes, office parks, shopping centres, to hospitals, schools, industrial precincts, government facilities, and National Key Points (NKP).

Its central focus is proportionality: parties may only collect the information that’s strictly necessary for access control. Excessive collection, such as taking multiple identifiers for a single entry, will be prohibited. Any use of biometrics or high‑risk technologies must be justified through a Personal Information Impact Assessment.

“Access control is no longer an operational issue – it’s now a serious governance risk,” van Deventer warns. “Organisations that wait for final enforcement before acting could find themselves exposed, underprepared and unable to prove compliance when the time comes.”

Share this

Leave a Reply

Your email address will not be published. Required fields are marked *

Are you human? Please solve:Captcha


 

Scroll to Top
Processing...
Thank you! Your subscription has been confirmed. You'll hear from us soon.
Subscribe to our mailing list and receive updates, news and offers
ErrorHere