PoPI and estate security

March 2016 Residential Estate (Industry), Security Services & Risk Management, Editor's Choice

Identity theft, fraud, cybercrime, spamming and information related crime have become a headache for many individuals and government alike. Key to this is the lack of accountability taken up by processors of personal information.

Francis Cronjé
Francis Cronjé

News headlines worldwide are riddled with stories of organisations losing customers’ personal information and people subjected thereto will testify that the subsequent consequences of falling victim to these crimes come at a cost, financially and emotionally.

A right to privacy?

Enshrined in our constitution, every person has a right to privacy. This right includes having your personal information protected against any unauthorised disclosure.

Over the last 10 years or so, South African legislators have followed their EU counterparts in coming up with equivalent and equally robust data protection legislation enabling the enforcement of this basic human right, and in 2013 the Protection of Personal Information Act (PoPI) was enacted legislating the manner in which persons or entities process (collect, use, share, store, archive, destroy and delete) personal information.

PoPI also makes provision for a regulator (“Information Regulator”) to whom aggrieved persons in the future can lodge complaints and through which mechanism enforcement notices, regulatory fines and criminal penalties, including imprisonment, can be imposed.

Residential estates and PoPI

PoPI seeks to protect estate residents’ and visitors’ personal information and therefore also seeks to regulate the way in which the estate and entities providing services to the estate, go about processing personal information.

Pivotal to any residential estate is the associated security services whereby physical access to the premises are controlled and monitored, usually as an outsourced service. This process mostly consists of security guards scanning visitors’ licences (car licence disc and drivers’ licences) or IDs, or in other instances writing down the number plate, ID number and name of the visitor on a register or logbook.

Residents on the other hand are usually provided with some tag system linked to a database, allowing them unfettered access. Further to this, most estates will also have CCTV cameras whereby footage is recorded and managed by the security company.

But what does PoPI say?

Some key points:

• The estate is regarded as the party responsible for the personal information processed – in PoPI referred to as the “Responsible Party”.

For example: If the security company, for instance, loses information collected at the entrance to the estate, it is the estate that would be held accountable should recourse be sought by the resident or visitor, or should the Information Regulator deem action is necessary.

• Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.

For example: One should not collect personal information regarding the visitor’s age, race, home address, email address or other irrelevant information.

• Personal information may only be processed if the visitor or the resident consents thereto or if the estate can justify that the processing of the personal information is necessary for pursuing its own legitimate interest.

For example: The safety and security of the residents might be considered as a legitimate interest of the estate.

• The estate must have a written agreement with the security company it employs whereby the security company must ensure the integrity and confidentiality of the personal information in its possession or under its control.

For example: Any CCTV footage, ID numbers, names, scanning records of licences etc. will fall into this category and it is the responsibility of the security company to safeguard this information by complying with generally accepted information security practises and procedures required in terms of specific industry or professional rules and regulations.

• The security company must only process such personal information with the knowledge or authorisation of the estate and ensure that it treats the information as confidential.

• The estate and security company must also not retain this information for a period longer than deemed necessary in fulfilling the intended purpose (security and verification of the individual) of collecting personal information. Thereafter, it has to be destroyed or deleted in a manner preventing its reconstruction in an intelligible form.

It is therefore important for both the estate and security company to maintain the confidentiality and integrity of, and accessibility to personal information under their control. Although the estate would be ultimately responsible for any data breaches, the security company can contractually be held liable and also be subjected to regulatory backlash.


Information thieves are targeting almost any type of organisation and estates and security companies alike should guard against these crimes.

PoPI aims to hold entities responsible for the personal information they process and strict adherence to the act by estates should be prioritised to prevent these crimes, thereby avoiding regulatory fines, civil remedies and subsequent reputational harm.

Estates must therefore conduct a proper information security and privacy due diligence of any company that they intend on contracting for any kind of service which involves the processing of personal information on their behalf, and further ensure that subsequent agreements entered into are adequately drafted to hold such entities liable for the personal information they process.

Once PoPI commences, entities will have one year to comply with the conditions. At the time of writing, the Act has not yet commenced.

For more information contact Francis Cronjé, francis@franciscronje.com, www.franciscronje.com

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Directory of Suppliers
August 2019 , Residential Estate (Industry)

24-hour emergency response for staff
August 2019 , News, Security Services & Risk Management
The FirstRand Group has partnered with PanicGuard to create a 24-hour emergency response programme for staff.

Keeping our changing environment secure
August 2019 , Editor's Choice, Security Services & Risk Management
For a crime to take place there needs to be a victim and a criminal who sees an opportunity. For a cybercrime to take place we need the same set of circumstances.

The importance of real security risk assessments
August 2019, Sentinel Risk Management , Editor's Choice, Security Services & Risk Management, Residential Estate (Industry)
Andy Lawler, MD, Sentinel Risk Management, says a security risk assessment is an onerous task, but is not something estates can consider optional or a luxury item anymore.

Risk assessment or product placement?
August 2019, Technews Publishing, Alwinco, SMC - Security Management Consultants , Editor's Choice, Security Services & Risk Management, Residential Estate (Industry)
Hi-tech security solutions asked a couple of experts to provide estate managers and security managers with some insights into what a ‘real’ risk assessment includes.

How far are we really at with artificial intelligence?
August 2019, Axis Communications SA , Editor's Choice, CCTV, Surveillance & Remote Monitoring, IT infrastructure, Residential Estate (Industry)
Justin Ludik unpacks exactly how far AI has come and what it potentially can do for society and more importantly, surveillance.

More than simply a camera
August 2019, Forbatt SA, Secutel Technologies , CCTV, Surveillance & Remote Monitoring, Residential Estate (Industry)
With the human element being the weakest link in all security solutions, Hi-Tech Security Solutions looks at the pros and cons of using body-worn cameras in estates.

Residential security – caveat emptor
August 2019, Stafix , Integrated Solutions, Security Services & Risk Management
When it comes to improving your property’s security, make sure you take all the options into account as you build a layered approach to keeping people safe and assets secured.

The importance of effective perimeter security
August 2019, Elf Rentals - Electronic Security Solutions, Stafix , Editor's Choice, CCTV, Surveillance & Remote Monitoring, Residential Estate (Industry)
Protecting the perimeter is critical for any residential estate; how does one go about making sure your perimeter is as secure as possible?

Security playing speedcop
August 2019, Axis Communications SA, Hikvision South Africa , CCTV, Surveillance & Remote Monitoring, Residential Estate (Industry)
Estates now have a legal precedent to manage their traffic and fine people in the estate for violations of the rules; all they need do is find solutions that will support them.