PoPI and estate security

Residential Estate Security Handbook 2016 - Vol 1 Residential Estate (Industry), Security Services & Risk Management, Editor's Choice

Identity theft, fraud, cybercrime, spamming and information related crime have become a headache for many individuals and government alike. Key to this is the lack of accountability taken up by processors of personal information.

Francis Cronjé
Francis Cronjé

News headlines worldwide are riddled with stories of organisations losing customers’ personal information and people subjected thereto will testify that the subsequent consequences of falling victim to these crimes come at a cost, financially and emotionally.

A right to privacy?

Enshrined in our constitution, every person has a right to privacy. This right includes having your personal information protected against any unauthorised disclosure.

Over the last 10 years or so, South African legislators have followed their EU counterparts in coming up with equivalent and equally robust data protection legislation enabling the enforcement of this basic human right, and in 2013 the Protection of Personal Information Act (PoPI) was enacted legislating the manner in which persons or entities process (collect, use, share, store, archive, destroy and delete) personal information.

PoPI also makes provision for a regulator (“Information Regulator”) to whom aggrieved persons in the future can lodge complaints and through which mechanism enforcement notices, regulatory fines and criminal penalties, including imprisonment, can be imposed.

Residential estates and PoPI

PoPI seeks to protect estate residents’ and visitors’ personal information and therefore also seeks to regulate the way in which the estate and entities providing services to the estate, go about processing personal information.

Pivotal to any residential estate is the associated security services whereby physical access to the premises are controlled and monitored, usually as an outsourced service. This process mostly consists of security guards scanning visitors’ licences (car licence disc and drivers’ licences) or IDs, or in other instances writing down the number plate, ID number and name of the visitor on a register or logbook.

Residents on the other hand are usually provided with some tag system linked to a database, allowing them unfettered access. Further to this, most estates will also have CCTV cameras whereby footage is recorded and managed by the security company.

But what does PoPI say?

Some key points:

• The estate is regarded as the party responsible for the personal information processed – in PoPI referred to as the “Responsible Party”.

For example: If the security company, for instance, loses information collected at the entrance to the estate, it is the estate that would be held accountable should recourse be sought by the resident or visitor, or should the Information Regulator deem action is necessary.

• Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.

For example: One should not collect personal information regarding the visitor’s age, race, home address, email address or other irrelevant information.

• Personal information may only be processed if the visitor or the resident consents thereto or if the estate can justify that the processing of the personal information is necessary for pursuing its own legitimate interest.

For example: The safety and security of the residents might be considered as a legitimate interest of the estate.

• The estate must have a written agreement with the security company it employs whereby the security company must ensure the integrity and confidentiality of the personal information in its possession or under its control.

For example: Any CCTV footage, ID numbers, names, scanning records of licences etc. will fall into this category and it is the responsibility of the security company to safeguard this information by complying with generally accepted information security practises and procedures required in terms of specific industry or professional rules and regulations.

• The security company must only process such personal information with the knowledge or authorisation of the estate and ensure that it treats the information as confidential.

• The estate and security company must also not retain this information for a period longer than deemed necessary in fulfilling the intended purpose (security and verification of the individual) of collecting personal information. Thereafter, it has to be destroyed or deleted in a manner preventing its reconstruction in an intelligible form.

It is therefore important for both the estate and security company to maintain the confidentiality and integrity of, and accessibility to personal information under their control. Although the estate would be ultimately responsible for any data breaches, the security company can contractually be held liable and also be subjected to regulatory backlash.


Information thieves are targeting almost any type of organisation and estates and security companies alike should guard against these crimes.

PoPI aims to hold entities responsible for the personal information they process and strict adherence to the act by estates should be prioritised to prevent these crimes, thereby avoiding regulatory fines, civil remedies and subsequent reputational harm.

Estates must therefore conduct a proper information security and privacy due diligence of any company that they intend on contracting for any kind of service which involves the processing of personal information on their behalf, and further ensure that subsequent agreements entered into are adequately drafted to hold such entities liable for the personal information they process.

Once PoPI commences, entities will have one year to comply with the conditions. At the time of writing, the Act has not yet commenced.

For more information contact Francis Cronjé, francis@franciscronje.com, www.franciscronje.com

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

The evolution of security in residential estates
Residential Estate Security Handbook 2020 , Editor's Choice, Integrated Solutions, Security Services & Risk Management
Two large estates discuss their security processes and the ever-expanding scope of responsibilities they need to fulfil.

Bang for your security buck(s)
Residential Estate Security Handbook 2020, Alwinco , Editor's Choice, Security Services & Risk Management
Hi-Tech Security Solutions asks how estates can maintain a good security posture in the time of the ever-shrinking budget.

Range of grid-independent power systems
Residential Estate Security Handbook 2020, Specialised Battery Systems , Products, Security Services & Risk Management
SBS Solar has a range of solutions to provide power, save on costs and above all provide peace of mind.

Efficient security monitoring and control
Residential Estate Security Handbook 2020 , Residential Estate (Industry)
PowerManage is a cloud-based virtual control room tool for residential estates to self-monitor their security solutions.

Directory listings
Residential Estate Security Handbook 2020 , Residential Estate (Industry)

From physical security to cybersecurity
Access & Identity Management Handbook 2020, Genetec , Cyber Security, Security Services & Risk Management
Genetec discusses the security-of-security concept as a means to protect cameras, door controllers and other physical security devices and systems against cybercriminal activity.

Visitor management for estates
Access & Identity Management Handbook 2020, Powell Tronics , Residential Estate (Industry), Access Control & Identity Management
Residential estates and business parks around South Africa have installed access control systems that aim to streamline access for both pedestrians and vehicular traffic.

Biometrics in identity
Access & Identity Management Handbook 2020 , Access Control & Identity Management, Security Services & Risk Management
With multiple identity providers offering to manage digital identities for the general public, the root identity – the single sovereign trusted identity upon which all others are based – must start with government.

Residential Estate Security Conference 2019
October 2019, Technews Publishing , Editor's Choice, Residential Estate (Industry), Conferences & Events
Hi-Tech Security Solutions hosted the Residential Estate Security Conference in August, focusing on the people, technology and processes involved in an effective security solution for estates.

Keeping your things to yourself
October 2019, Technews Publishing , Editor's Choice, Cyber Security, Integrated Solutions, IT infrastructure
Three experts spoke to Hi-Tech Security Solutions to offer advice on keeping your IoT working for you and not for cyber criminals.