PoPI and the role of biometrics

June 2018 Access Control & Identity Management

The European Union has beaten South Africa to the punch when it comes to implementing regulations pertaining to the protection of personal data.

After a two-year grace period following its adoption, the EU’s GDPR (General Data Protection Regulation) became fully enforceable on the 25th of May 2018. The local equivalent, PoPI (Protection of Personal Information) is still in limbo since, despite the PoPI Act having been signed into law in 2013, the regulations are still in draft form and are therefore not being enforced. The most optimistic estimates are that the regulations will be finalised later this year, but in the meantime it is a case of ‘hurry up and wait’ for organisations that will be affected.

The security and access control industry is not sitting on its hands in the meantime, though, and many vendors and service providers are already consulting with clients to help them understand and implement PoPI-compliant visitor management solutions.

Act versus regulations


IACT-Africa’s John Cato is intimately familiar with PoPI through his role as a senior consultant specialising in data protection. Without delving too much into the legalese, he explains that while there is nothing specific regarding estates or visitor management in the draft regulations, the key rules are based around the principles of consent and purpose. “In other words, an estate or security company may only collect personal information from a visitor (data subject) with his or her consent and for the specific purpose of visiting the estate,” he explains. “In addition to this, the manner in which information is stored needs to be done in line with the Security Safeguards condition (Condition 7) in the PoPI Act. This states that appropriate and reasonable organisational and technical measures should be implemented. The Act is not prescriptive about these.”

A key component of PoPI is the protection of people’s rights: a data subject has the right to request access to the personal information that the estate/security company holds about them, and to request that the information be deleted or corrected ‘if appropriate’. The estate/security company is legally obliged to provide the requested personal information and to take appropriate action if requested to do so.

The PoPI Act is not prescriptive about the length of time personal information can be kept, but states that personal information should not be kept longer than necessary. “The principle that should be applied is that when the validity of the purpose for which personal data is being stored is no longer applicable – for example when a visitor has left the estate – it should not be kept any longer. It is permissible to keep it longer for reasonable business purposes but this must be defined in an approved retention policy. Estates may want to keep information for investigating crimes, so a reasonable period for this business purpose would be acceptable,” Cato states.

Best practices, in an estate context specifically, boil down to ensuring that consent and purpose processes are followed when collecting personal information, according to Cato. “It is important to implement measures such as a PoPI/privacy policy and that you have a summary of this at information collection points such as estate gates and websites if the visitors are allowed to request access codes online,” he says.

It is also essential that estates apply appropriate and reasonable organisational and technical security safeguards when storing personal information, but Cato warns these should not be mistaken for estate security. Rather, they are measures that protect information based on information security standards, which include cybersecurity protection practices such as the use of encryption on computers, tablets and smartphones.

“The security safeguards must include contractual commitments between the estate and an external security company where visitor information is collected, processed and stored by the security company. This also applies to other service providers such as those that offer hosted or managed visitor management systems,” Cato continues. “A further point to be aware of is personal information collected via biometric devices, as this is regarded as special personal information in the Act. Visitors should be made aware of this and their consent should be obtained for this as well.”

Above all, Cato cautions that the subject of PoPI Act compliance should not be seen as a tick-box exercise, but “should be seen as building a privacy and data protection culture. This is beneficial for the estate as visitors, residents and potential buyers will be given confidence that their personal information is being protected in a responsible manner.

“The PoPI Act is not something dreamed up by SA lawmakers, it is based on European practices to bring SA into line with international practices. Estate management should become familiar with overseas legislation such as the EU GDPR as it has global applicability and may apply to an estate,” he adds.

Biometrics fit the bill


As specialists in providing biometrics solutions for access control as well as other applications, Ideco’s Marius Coetzee and ERS Biometrics’ Eddie Pienaar are well versed in the ins and outs of PoPI compliance.

“We obtained legal opinion five or six years ago which we present to our customers and which we used to form the basis for a framework that we roll out to partners,” says Coetzee. “It is vital for us to be able to provide the assurance that we understand how to handle personal information and what systems should be put in place so that our solutions are not seen as being a risk, but rather adding value.”

Coetzee points out that having robust visitor management protocols in place serves to protect the site manager as well as the visitor, and that the old-fashioned visitor book is a risk to both parties. He advises that digital solutions are far more secure, but they come in different flavours. These range from simple devices that capture information which is downloaded to a server at a later time, to mobile devices that communicate with an on-site server. All these solutions are vulnerable to theft or other forms of unauthorised access and copying of data, however.

“In my opinion the most secure solution is a digital terminal that scans information, encrypts it, securely communicates it to an off-site, cloud-based server, where data is protected from any potential access and only the authorised site manager is able to view that information. This is the only model that really complies with all PoPI requirements in terms of responsible data processing,” Coetzee states.

A fingerprint reader is important, he asserts, as it serves as a digital signature proving that a person has entered a site. Secondly, in the unfortunate event of a disaster, a roll call function built into Ideco’s hardware allows people to be identified by matching them to their captured fingerprint data.

“By having each visitor transaction signed off digitally with a fingerprint template, organisations can ensure that they will satisfy a PoPI audit. Ideco was the first to market with our solution, and we have processed more than 12 million transactions to date. We are currently in the process of moving from our private cloud server to one of the leading third-party cloud providers that complies with all our requirements in terms of PoPI,” Coetzee concludes.

Pienaar describes the reason for collecting a visitor’s personal information as a way of verifying that someone entering your premises is there on legitimate business, and distinguishes between access to a premises and access to a specific building or business. In the case of the latter, the visitor data that should be captured includes their name and surname, person visited, visitor’s company name, cellphone number, and date and time of arrival. Access to a business park/premises would further require an ID book/card or driver’s licence, and a vehicle registration number and description.

“This information is required to properly announce the visitor, to know who to contact as well as to keep a physical record in the event of either an incidence of theft or a fire breakout where an evacuation is required,” Pienaar explains. “This is dependent on the requirement of the organisation with strict rules surrounding the protection and disclosure of the information.

“An organisation may keep records indefinitely depending on the security and audit requirements in the organisation, but this information is protected under the PoPI Act and may not be disclosed to any other party without prior consent from the visitor. The use of any stored information must be monitored to ensure there is no unauthorised access or disclosure of any information other than what is required to perform validation if required.

“All information must be properly destroyed after a set term and this should be done in accordance with the Act.”

Pienaar shares Coetzee’s aversion to any form of written data capture. “The data must be captured electronically at the point of entry or preloaded via a client portal, minimising the chance of the data being shared with a third party,” he says. “At ERS, we store as little personal information as possible and our system is customisable to store anything from issuing a visitor a unique PIN code to storing all personal, medical and any other information required by the organisation to gain access to the premises, and/or for time management purposes.

“Our servers have all the security measures in place to prevent unauthorised parties from gaining access to other companies’ information which includes controlled system level access that can be set per user and is completely audited to ensure all activities are monitored.”

For more information contact:

• ERS Biometrics, +27 (0)10 593 0459, www.ersbio.co.za

• Ideco Biometrics, +27 (0)12 749 2300, www.ideco.co.za

• IACT-Africa, +27 (0)10 500 1038, www.iact-africa.com

