Your privacy vs your security
What happens to all the personal data security companies collect?19th Mar 2021
They know everything about you. They know who you are, where you live, who your friends are, what their names and ID numbers are, what car they drive … and they have hours of video footage of you entering and leaving your home. ‘They’ are not some shady government agency. They’re the security company that guards your estate’s front gate, and the information they’re collecting about you – and about your visitors – is increasingly coming under the microscope.
POPI Act changes the data game
You know why they collect that information: it’s in the interests of your safety as a resident, and (let’s be honest here) it’s also because if a security breach were to happen, the security company – and the homeowners association that hired it – could be held responsible for failing to put adequate protection in place.
What you don’t know is what the HOA or security company do with the data. And that’s where the lines around your security and your privacy become very blurred indeed.
Following the implementation of the European Union’s General Data Protection Regulation (GDPR) in 2018, South Africa’s Protection of Personal Information (POPI) Act has highlighted the issue of data privacy. Sure, it’s comforting to know that your estate’s security team is doing a thorough job; but it’s also massively creepy to think that a security company has all your information – right down to the driver’s licence or ID of the people who come to visit you in the privacy of your own home.
Although POPI’s effective date was 1 July 2020, the 12-month grace period means that businesses and organisations need to make sure their processes are entirely POPI compliant by 30 June 2021. Non-compliance brings the risk of prosecution and/or significant fines, along with the potential for serious reputational damage.
Proper data management
As Andrew Schaefer, MD of property management company Trafalgar, pointed out recently: ‘The new legislation does not stipulate that personal information cannot be collected – only that when it is collected, it must be properly managed and protected.’
When it comes to residential estate security, that ‘proper’ management and protection of personal information would cover any CCTV footage, names, ID numbers, scanning records of car licences, and so on. The security company may only process that personal information with the authorisation of the HOA, and has to treat that information as confidential.
The HOA and security company may not retain the information for longer than necessary to fulfil the intended purpose of collecting it. In this case, that purpose is estate security and verification of individual visitors. Under POPI, once that purpose has been served, the information has to be destroyed or deleted.
Things get especially tricky if the HOA or security company gathers private data and tries to share it with a third party. As Schaefer explained, they would need to inform the individual concerned that their information is being shared. They would need to get the person’s permission (in writing) to gather and keep any information that they intend to use for any purpose other than security. They’d also need to state what that purpose is.
Schaefer expands on this by saying: ‘They may not, for example, let owners believe that their personal information will only be used for correspondence and communications like levy statements and meeting notices and then use it – or allow it to be used – by a different company for some other purpose, such as direct marketing, without permission.’
Spotlight on data storage
When it comes to data security, one of the biggest challenges residential estates have is – there’s no better way to put this – the security of that data. Whether it’s stored digitally or on paper, on-site or off-site, personal information has be stored in such a way that it is protected from unauthorised access.
For example, the forms that visitors fill in at the gate will include everything from names to phone numbers and car registration numbers. What happens to those pieces of paper? And the ID card and drivers licence scans? What about them?
‘The person or company that gathers personal information is obliged to take practical steps to protect it,’ Schaefer warns, ‘such as ensuring that computer records are encrypted, or that paper records are locked away and only able to be accessed by certain people in the company.’
The good news is that the POPI Act doesn’t force HOAs or security companies to install expensive, high-tech systems; they just need to have procedures in place to protect the information they have.
What this means for residents
What does all of this mean for residents? It doesn’t mean that your guests won’t have to provide their details when they pass through the security gates. It also doesn’t mean that the security you rely on to keep you safe will now be hamstrung by onerous legislation.
But it does mean that the hours of CCTV footage of you taking an evening stroll around the estate won’t be stored forever in a creepy vault somewhere; and it means that your (or your friends’ and relatives’) names and numbers can’t be sold off to a telemarketing company without your permission.
And, ultimately, it means that the information your security team gathers to keep you safe has to be used only for that purpose: to keep you safe.