POPI AND ACCESS-CONTROLLED COMMUNITIES

Posted in

On 20 March 2026, the Information Regulator (the “Regulator”) has published a Draft Code of Conduct for Gated Accesses (the “Code”) for public comment regarding the collection, processing and retention of personal information by access-controlled communities, such as sectional title schemes, homeowner associations, property managers, landlords, businesses and public bodies. In particular, the Code is proposed in response to concerns raised regarding the information captured and retained by the parties enforcing access-controlled areas.

If adopted in its current form, the Code is likely to have profound implications for the way access control is managed and how the information obtained using such access control is managed.

Why the Code Matters

Many access-controlled communities routinely collect personal information from the people accessing such communities. This personal information often includes names, surnames, ID numbers, contact details, vehicle registration details, scans of driver licenses and biometric information.

With the vast amount of information collected by access-controlled communities, the broader public and the Regulator have express concerned that such information collection and retention may exceed that which is reasonably necessary for security purposes and might not comply with the requirements in the Protection of Personal Information Act (“POPI Act”) relating to lawful processing, minimality and transparency.

The Code seeks to set standards and provide guidance regarding the processing of personal information and how roleplayers balance security requirements with privacy rights.

Information Minimisation

The Code places great emphasis on the minimisation of the information collected by the relevant responsible parties of access-controlled communities. The Code provides that personal information may only be processed where it is adequate, relevant and not excessive in relation to the purpose for which it is collected.

In fact, the Code give the following as examples of compliant and non-compliant information collection:

CategoryCompliantNon-compliant
EmployeesNameEmployee ID / Access card NumberTime of entry/exitFull ID NumberHome addressPersonal phone numberNext of kin detailsBiometric data (if not justified)
VistorsNamePurpose of visitVehicle registrationTime of entry/exitID copy of photoHome addressEmail addressPersonal phone numberEmployer details
ContractorsNameCompany nameWork order referenceTime of entry/exitFull ID NumberBank detailsResidential addressEmergency contact info
Retention PeriodLogs kept for security audit period (Eg 30 days)Indefinite retention of logsStoring data beyond legal or operational need

Accordingly, responsible parties would need to conduct a proportionality assessment to determine the extent of the information collected and processed, which should consider the following factors: whether the proposed system is necessary; whether the proposed system is likely to be effective in its purpose; whether there are less intrusive alternatives available; and; whether the security benefit outweighs the loss of privacy.

Biometric Information Collection

A large number of access-controlled communities often require people to provide some form of biometric information to access the community, such as fingerprint scans or facial scans. The Code contemplates that the responsible parties that require such biometric information may be required to demonstrate that it is lawful, necessary and proportionate in the circumstances. The Code goes further to suggest that such access-controlled communities may want to use less intrusive means such as: access cards; visitor permits; host verification; or; visiual inspect of identity documents.

Consent Is Not a Complete Solution

There is a common misunderstanding that obtaining consent makes the collection and processing of personal information lawful. While obtaining consent is important, the consent must be informed, voluntary and explicit. There are also other grounds that make the collection and processing of personal information lawful.

The Regulator has noted that consent might not be voluntary where access to the premises requires the provision of personal information, as the person concerned might not have a real choice as to whether or not the person wants to provide their personal information.

In light of the above, responsible parties need to carefully assess the legal basis upon which they collect and process personal information rather than relying solely on consent.

Retention and Deletion Obligations

The Code also requires responsible parties to implement retention schedules in respect of the information collected and processed from people accessing access-controlled communities. The reason being that personal information may not be retained indefinitely unless the law requires such retention. Records such as visitor logs, access records and biometric information should be retained only for as long as is reasonably necessary to fulfil the purpose for which they were collected or where retention is otherwise authorised, or required, by law.

Practical Implications for Estates and Businesses

If the Code is implemented substantially in its current form, many access-controlled communities may need to review their access control practices. HOAs, body corporates, property management companies, landlords and businesses should consider conducting a review of their current access-control processes and consider: the types of personal information collected; the basis relied upon for the collection; the use of biometric systems; the relevant retention periods for personal information; privacy notices and consent procedures; and; agreements with security providers.

Disclaimer: This article is intended for general informational purposes only and does not constitute legal advice. Specific legal advice should be obtained in relation to particular circumstances.

Prepared by Bruce Barkhuizen from Bruno Simão Attorneys