Overview
The information regulator has released draft rules that aim to tighten how gated communities, office parks, shopping centres and other controlled‑access sites handle visitors’ personal data. The move follows complaints about overly intrusive sign‑in practices and concerns that many places are collecting more information than they really need under the Personal Information Protection Act (POPIA).
Why the regulator is acting
- Numerous complaints highlighted that security guards often ask for ID numbers, driver’s licences, fingerprints, photos, vehicle plates and contact details before letting someone in.
- Investigations into CCTV use and access‑control procedures showed that biometric data (like fingerprints and facial recognition) is being gathered without clear justification.
- The regulator believes that, under POPIA, much of this data collection is excessive for simple security purposes.
What the draft rules say
Data collection limits
- Sites would no longer be able to assume consent just because a visitor signed a register.
- They must clearly explain why data is being collected, how long it will be kept, who can see it, and when it will be deleted.
- Only the information that is strictly necessary for security may be requested.
Biometric data concerns
- Fingerprints and facial recognition scans are classified as “special personal data” under POPIA, which requires stronger protection.
- The draft code discourages routine use of these systems for everyday access control and encourages less intrusive alternatives.
How visitors might be affected
Typical info asked today
- Identity number or passport number
- Driver’s licence
- Fingerprint or facial scan
- Photograph
- Vehicle registration number
- Phone number or email address
What could change
- Visitors may only need to show a temporary pass or give a simple access code.
- Security staff might verify an ID without recording all the details.
- Long‑term storage of photos, biometrics or extensive contact lists could be prohibited unless a clear, limited purpose exists.
Suggested alternatives
Temporary permits and codes
- Issuing a short‑lived visitor badge or QR code that expires after the visit.
- Using a pin or access code that is provided only for the duration of the stay.
Minimal ID checks
- Guard checks the ID against a resident list but does not copy or store the number.
- Taking a photo only if needed for immediate verification and deleting it right after the visit.
What this means for you
Your rights under POPIA
- You have the right to know what personal data is being collected and why.
- You can ask for your data to be deleted once it is no longer needed for the stated purpose.
- Organizations must protect your data and cannot keep it indefinitely without a valid reason.
Staying informed
- Keep an eye on updates from the regulator and from the management of the places you visit.
- If you feel a site is asking for too much information, you can politely ask for clarification or request that they follow the new guidelines once they are finalised.
Conclusion
The proposed regulations aim to strike a balance between security and privacy. By limiting the amount of personal data collected, demanding clear communication about its use, and encouraging less invasive alternatives, the regulator hopes to protect visitors’ rights while still keeping controlled‑access sites safe. Once the draft is finalised and adopted, you should notice shorter sign‑in processes, fewer requests for sensitive details, and greater transparency about how your information is handled. Stay aware, ask questions, and enjoy both safety and privacy in the spaces you enter.
