By Marcus Moloko
The Information Regulator has signalled a tougher approach to how South Africa’s Protection of Personal Information Act (POPIA) is enforced at gated estates, office parks and other controlled-access premises, with a new focus on limiting how long visitor data may be retained.
Advocate Tshepo Boikanyo, the executive responsible for POPIA at the regulator, said establishments that collect personal details, including by scanning identity documents, licence discs or fingerprints, should delete or de-identify that information once it is no longer required for the purpose for which it was collected.
“When you enter these gated establishments, there are alternative methods of verifying identification,” Boikanyo said.
“Security officers don’t have to photocopy your ID or scan your vehicle registration number. Access codes, for example, can be used instead.”
The regulator has published a proposed code of conduct for comment to guide how personal information is processed at gated access points.
Boikanyo said that many establishments rely on devices that store sensitive data, such as licence-disc scans, which may contain extensive personal information. The regulator is concerned that visitors often have little knowledge of what happens to their data after they leave, raising the risk of misuse, excessive retention or unauthorised access.
The proposed code is intended to strengthen compliance with POPIA, including Section 14, which bars responsible parties from keeping personal information for longer than necessary unless there is a lawful basis to do so.
“In this instance, once you exit the establishment, that personal information has to be deleted,” Boikanyo said.
The move highlights a growing push to curb excessive data collection practices and enforce accountability among bodies that operate gated access points.
The Information Regulator argues that while access control is necessary, establishments must adopt privacy-conscious alternatives that protect individuals from unnecessary exposure of their personal details.








