PoPI and estate security

Residential Estate Security Handbook 2016 - Vol 1 Residential Estate (Industry), Security Services & Risk Management, Editor's Choice

Identity theft, fraud, cybercrime, spamming and information related crime have become a headache for many individuals and government alike. Key to this is the lack of accountability taken up by processors of personal information.

Francis Cronjé
Francis Cronjé

News headlines worldwide are riddled with stories of organisations losing customers’ personal information and people subjected thereto will testify that the subsequent consequences of falling victim to these crimes come at a cost, financially and emotionally.

A right to privacy?

Enshrined in our constitution, every person has a right to privacy. This right includes having your personal information protected against any unauthorised disclosure.

Over the last 10 years or so, South African legislators have followed their EU counterparts in coming up with equivalent and equally robust data protection legislation enabling the enforcement of this basic human right, and in 2013 the Protection of Personal Information Act (PoPI) was enacted legislating the manner in which persons or entities process (collect, use, share, store, archive, destroy and delete) personal information.

PoPI also makes provision for a regulator (“Information Regulator”) to whom aggrieved persons in the future can lodge complaints and through which mechanism enforcement notices, regulatory fines and criminal penalties, including imprisonment, can be imposed.

Residential estates and PoPI

PoPI seeks to protect estate residents’ and visitors’ personal information and therefore also seeks to regulate the way in which the estate and entities providing services to the estate, go about processing personal information.

Pivotal to any residential estate is the associated security services whereby physical access to the premises are controlled and monitored, usually as an outsourced service. This process mostly consists of security guards scanning visitors’ licences (car licence disc and drivers’ licences) or IDs, or in other instances writing down the number plate, ID number and name of the visitor on a register or logbook.

Residents on the other hand are usually provided with some tag system linked to a database, allowing them unfettered access. Further to this, most estates will also have CCTV cameras whereby footage is recorded and managed by the security company.

But what does PoPI say?

Some key points:

• The estate is regarded as the party responsible for the personal information processed – in PoPI referred to as the “Responsible Party”.

For example: If the security company, for instance, loses information collected at the entrance to the estate, it is the estate that would be held accountable should recourse be sought by the resident or visitor, or should the Information Regulator deem action is necessary.

• Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.

For example: One should not collect personal information regarding the visitor’s age, race, home address, email address or other irrelevant information.

• Personal information may only be processed if the visitor or the resident consents thereto or if the estate can justify that the processing of the personal information is necessary for pursuing its own legitimate interest.

For example: The safety and security of the residents might be considered as a legitimate interest of the estate.

• The estate must have a written agreement with the security company it employs whereby the security company must ensure the integrity and confidentiality of the personal information in its possession or under its control.

For example: Any CCTV footage, ID numbers, names, scanning records of licences etc. will fall into this category and it is the responsibility of the security company to safeguard this information by complying with generally accepted information security practises and procedures required in terms of specific industry or professional rules and regulations.

• The security company must only process such personal information with the knowledge or authorisation of the estate and ensure that it treats the information as confidential.

• The estate and security company must also not retain this information for a period longer than deemed necessary in fulfilling the intended purpose (security and verification of the individual) of collecting personal information. Thereafter, it has to be destroyed or deleted in a manner preventing its reconstruction in an intelligible form.

It is therefore important for both the estate and security company to maintain the confidentiality and integrity of, and accessibility to personal information under their control. Although the estate would be ultimately responsible for any data breaches, the security company can contractually be held liable and also be subjected to regulatory backlash.

Conclusion

Information thieves are targeting almost any type of organisation and estates and security companies alike should guard against these crimes.

PoPI aims to hold entities responsible for the personal information they process and strict adherence to the act by estates should be prioritised to prevent these crimes, thereby avoiding regulatory fines, civil remedies and subsequent reputational harm.

Estates must therefore conduct a proper information security and privacy due diligence of any company that they intend on contracting for any kind of service which involves the processing of personal information on their behalf, and further ensure that subsequent agreements entered into are adequately drafted to hold such entities liable for the personal information they process.

Once PoPI commences, entities will have one year to comply with the conditions. At the time of writing, the Act has not yet commenced.

For more information contact Francis Cronjé, francis@franciscronje.com, www.franciscronje.com





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

SMARTpod talks to The Risk Management Forum
SMART Security Solutions Editor's Choice News & Events Security Services & Risk Management Videos Training & Education
SMART Security Solutions recently released its first SMARTpod podcast, discussing the upcoming Risk Management Forum Conference 2024, which will be held on 26 September 2024 at the Indaba Conference Centre in Fourways, Johannesburg.

Read more...
There is a SaaS for everything, but at what cost, especially to SMEs?
Editor's Choice Information Security Security Services & Risk Management
Relying on SaaS platforms presents significant cybersecurity risks as the number of providers in your landscape increases, expanding your attack surface. It is important to assess the strength of the SaaS providers in your chain.

Read more...
Innovation and security go hand in hand
Technews Publishing Facilities & Building Management Security Services & Risk Management
In a world where the demand for tech innovation is matched only by the acceleration of cybersecurity threats, businesses face the challenge of balancing new product development and robust security measures.

Read more...
Bomb threat landscape in South Africa
Editor's Choice Security Services & Risk Management
Over the past 25 years, South Africa has faced thousands of bomb threats and explosive incidents annually, imposing a significant economic burden on the nation, costing billions of rand.

Read more...
Integrations to protect what matters most
Residential Estate (Industry)
From Command Centre’s single platform, you can see everything happening across your network, physical and virtual servers, endpoints, and applications. With powerful analytics and reporting, you can quickly identify threats and trends before they become serious problems.

Read more...
Intrusion detection for wide areas
OPTEX Perimeter Security, Alarms & Intruder Detection Residential Estate (Industry)
Securing wide outdoor areas presents several challenges that differ significantly from those faced in smaller, more confined environments. The key to safeguarding these spaces is dependent on choosing the right intrusion detection technology.

Read more...
Natural catastrophes and fire risks top concerns
Security Services & Risk Management Asset Management Residential Estate (Industry)
Natural disasters are the highest risk in the real estate industry, followed by fire and explosions, and then business interruption. Estates must prioritise risk management and take proactive measures to safeguard their assets, employees, and reputation.

Read more...
Navigating the evolving tech landscape in 2024 and beyond
Residential Estate (Industry) Infrastructure
Progress in the fields of AI, VR and social media is to be expected, but what is not, is our fundamental relationship with how we deploy solutions in our business and how it integrates with greater organisational strategies and goals.

Read more...
New ransomware using BitLocker to encrypt data
Technews Publishing Information Security Residential Estate (Industry)
Kaspersky has identified ransomware attacks using Microsoft’s BitLocker to attempt encryption of corporate files. It can detect specific Windows versions and enable BitLocker according to those versions.

Read more...
Bespoke access for prime office space
Paxton Access Control & Identity Management Residential Estate (Industry)
Nicol Corner is home to a six-star fitness club, prime office space, and an award-winning rooftop restaurant. It is also the first building in South Africa to have its glass façade fully incorporate fritted glazing, saving 35% on energy consumption.

Read more...