Estates, gated communities and office parks face sweeping changes to security procedures as the Information Regulator calls for access-controlled areas to collect minimal visitor information and protect privacy.
The regulator has now published the “Own-Initiative Code of Conduct for Gated Access Areas” that will govern how gated-access environments handle personal information to conform to the prescripts of the Protection of Personal Information Act (Popia).
The code applies to residential and commercial premises with access control. It is not a guidance note but a code of conduct, which carries far more weight than a guidance note.
The regulator says in the code of conduct that members of the public have raised concerns that the collection of personal information at gated access entry points is excessive.
“The regulator undertook research into the utilisation of closed-circuit camera (CCTV) surveillance and, in addition, considered complaints received in this regard. These collectively revealed certain access control practices of an intrusive nature, including the processing of biometric information such as the use of facial recognition systems for the purpose of positive identification of data subjects,” the draft code of conduct reads.
“Furthermore, the deployment of CCTV surveillance at access control points results in the capture of facial images without the consent of data subjects and, at times, without their knowledge or awareness.
“Such processing may constitute excessive collection and processing of personal information in so far as it is not relevant and limited to what is necessary for the legitimate purpose for which it is collected and accordingly warrants the imposition of appropriate regulatory measures to ensure compliance with provisions of Popia.”
Under the proposed code of conduct, visitor books must not be visible to others in a queue, and digital visitor management systems must encrypt data.
The code also prohibits indiscriminate copying of IDs and driver’s licences and keeping CCTV footage indefinitely.
Some of the examples of processing of personal information that will be deemed excessive include the collection of multiple types of personal information of visitors or contractors. These include full names, contact numbers, vehicle registrations, identity numbers or driving licence details, pictures, images and biometrics (fingerprints) for the single purpose of access control “where alternative means are available”.
According to the code, less excessive collection of information would include requiring people entering a gated access area to provide only their names for comparison with their ID, passport or driver’s licence.
Other less excessive measures include issuing visitors’ vehicles entering gated access points with special permits or detachable stickers to be checked on arrival and departure.
Members of the public have until the end of this week to comment on the proposed code of conduct.
Ahmore Burger-Smidt, head of regulatory at Werksmans Attorneys, said the Information Regulator’s 2025/26 annual performance plan signals a firmer enforcement posture under Popia and a drive to modernise the Promotion of Access to Information Act (Paia), with immediate implications for governance.
“Property, retail, education, healthcare and corporate campus operators should monitor the code of conduct process and undertake pre‑emptive reviews of entry‑point collection practices, minimising collection to what is strictly necessary, securing storage, shortening retention and eliminating bulk ID scans and open visitor logs,” Burger-Smidt said.
“Early movement here will reduce retrofit cost when the code is finalised and signal good faith in public consultations.”
Pansy Tlakula, the regulator’s chairperson, said in the annual performance plan that security breaches are rising.
“In the 2024/25 financial year, we received 1,727 reports of security compromise incidents. By the time the financial year 2025/26 draws to a close, we estimate that we would have received close to 2,500 reports for that financial year alone,” she wrote.
“It is evident that responsible parties remain vulnerable to lapses in the protection of personal information.
“In the 2025/26 financial year, the regulator will strengthen its capacity for handling security compromise matters by reconfiguring internal units so that there is more convergence between highly skilled staff from the Popia and information technology divisions.”









