printer friendly version

PoPI and estate security

Identity theft, fraud, cybercrime, spamming and information related crime have become a headache for many individuals and government alike. Key to this is the lack of accountability taken up by processors of personal information.

Francis Cronjé

News headlines worldwide are riddled with stories of organisations losing customers’ personal information and people subjected thereto will testify that the subsequent consequences of falling victim to these crimes come at a cost, financially and emotionally.

A right to privacy?

Enshrined in our constitution, every person has a right to privacy. This right includes having your personal information protected against any unauthorised disclosure.

Over the last 10 years or so, South African legislators have followed their EU counterparts in coming up with equivalent and equally robust data protection legislation enabling the enforcement of this basic human right, and in 2013 the Protection of Personal Information Act (PoPI) was enacted legislating the manner in which persons or entities process (collect, use, share, store, archive, destroy and delete) personal information.

PoPI also makes provision for a regulator (“Information Regulator”) to whom aggrieved persons in the future can lodge complaints and through which mechanism enforcement notices, regulatory fines and criminal penalties, including imprisonment, can be imposed.

Residential estates and PoPI

PoPI seeks to protect estate residents’ and visitors’ personal information and therefore also seeks to regulate the way in which the estate and entities providing services to the estate, go about processing personal information.

Pivotal to any residential estate is the associated security services whereby physical access to the premises are controlled and monitored, usually as an outsourced service. This process mostly consists of security guards scanning visitors’ licences (car licence disc and drivers’ licences) or IDs, or in other instances writing down the number plate, ID number and name of the visitor on a register or logbook.

Residents on the other hand are usually provided with some tag system linked to a database, allowing them unfettered access. Further to this, most estates will also have CCTV cameras whereby footage is recorded and managed by the security company.

But what does PoPI say?

Some key points:

• The estate is regarded as the party responsible for the personal information processed – in PoPI referred to as the “Responsible Party”.

For example: If the security company, for instance, loses information collected at the entrance to the estate, it is the estate that would be held accountable should recourse be sought by the resident or visitor, or should the Information Regulator deem action is necessary.

• Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.

For example: One should not collect personal information regarding the visitor’s age, race, home address, email address or other irrelevant information.

• Personal information may only be processed if the visitor or the resident consents thereto or if the estate can justify that the processing of the personal information is necessary for pursuing its own legitimate interest.

For example: The safety and security of the residents might be considered as a legitimate interest of the estate.

• The estate must have a written agreement with the security company it employs whereby the security company must ensure the integrity and confidentiality of the personal information in its possession or under its control.

For example: Any CCTV footage, ID numbers, names, scanning records of licences etc. will fall into this category and it is the responsibility of the security company to safeguard this information by complying with generally accepted information security practises and procedures required in terms of specific industry or professional rules and regulations.

• The security company must only process such personal information with the knowledge or authorisation of the estate and ensure that it treats the information as confidential.

• The estate and security company must also not retain this information for a period longer than deemed necessary in fulfilling the intended purpose (security and verification of the individual) of collecting personal information. Thereafter, it has to be destroyed or deleted in a manner preventing its reconstruction in an intelligible form.

It is therefore important for both the estate and security company to maintain the confidentiality and integrity of, and accessibility to personal information under their control. Although the estate would be ultimately responsible for any data breaches, the security company can contractually be held liable and also be subjected to regulatory backlash.

Conclusion

Information thieves are targeting almost any type of organisation and estates and security companies alike should guard against these crimes.

PoPI aims to hold entities responsible for the personal information they process and strict adherence to the act by estates should be prioritised to prevent these crimes, thereby avoiding regulatory fines, civil remedies and subsequent reputational harm.

Estates must therefore conduct a proper information security and privacy due diligence of any company that they intend on contracting for any kind of service which involves the processing of personal information on their behalf, and further ensure that subsequent agreements entered into are adequately drafted to hold such entities liable for the personal information they process.

Once PoPI commences, entities will have one year to comply with the conditions. At the time of writing, the Act has not yet commenced.

Share this article:

Further reading: