classic | mobile
Follow us on:
Follow us on Facebook  Share via Twitter  Share via LinkedIn
 

Search...
Hi-Tech Security Solutions Business Directory
Residential Estate Security Handbook 2017


PoPI and the role of biometrics
June 2018, Access Control & Identity Management

The European Union has beaten South Africa to the punch when it comes to implementing regulations pertaining to the protection of personal data.

After a two-year grace period following its adoption, the EU’s GDPR (General Data Protection Regulation) became fully enforceable on the 25th of May 2018. The local equivalent, PoPI (Protection of Personal Information) is still in limbo since, despite the PoPI Act having been signed into law in 2013, the regulations are still in draft form and are therefore not being enforced. The most optimistic estimates are that the regulations will be finalised later this year, but in the meantime it is a case of ‘hurry up and wait’ for organisations that will be affected.

The security and access control industry is not sitting on its hands in the meantime, though, and many vendors and service providers are already consulting with clients to help them understand and implement PoPI-compliant visitor management solutions.

Act versus regulations

John Cato
John Cato

IACT-Africa’s John Cato is intimately familiar with PoPI through his role as a senior consultant specialising in data protection. Without

delving too much into the legalese, he explains that while there is nothing specific regarding estates or visitor management in the draft regulations, the key rules are based around the principles of consent and purpose. “In other words, an estate or security company may only collect personal information from a visitor (data subject) with his or her consent and for the specific purpose of visiting the estate,” he explains. “In addition to this, the manner in which information is stored needs to be done in line with the Security Safeguards condition (Condition 7) in the PoPI Act. This states that appropriate and reasonable organisational and technical measures should be implemented. The Act is not prescriptive about these.”

A key component of PoPI is the protection of people’s rights: a data subject has the right to request access to their personal information that the estate/security company holds, and to request the information is deleted or corrected ‘if appropriate’. The estate/security company is legally obliged to provide the requested personal information and to take appropriate action if requested to do so.

The PoPI Act is not prescriptive about the length of time personal information can be kept, but states that personal information should not be kept longer than necessary. “The principle that should be applied is that when the validity of the purpose for which personal data is being stored is no longer applicable – for example when a visitor has left the estate – it should not be kept any longer. It is permissible to keep it longer for reasonable business purposes but this must be defined in an approved retention policy. Estates may want to keep information for investigating crimes, so a reasonable period for this business purpose would be acceptable,” Cato states.

Best practices, in an estate context specifically, boil down to ensuring that consent and purpose processes are followed when collecting personal information, according to Cato. “It is important to implement measures such as a PoPI/privacy policy and that you have a summary of this at information collection points such as estate gates and websites if the visitors are allowed to request access codes online,” he says.

It is also essential that estates apply appropriate and reasonable organisational and technical security safeguards when storing personal information, but Cato warns these should not be mistaken for estate security. Rather, they are measures that protect information based on information security standards, which include cybersecurity protection practices such as the use of encryption on computers, tablets and smartphones.

“The security safeguards must include contractual commitments between the estate and an external security company where visitor information is collected, processed and stored by the security company. This also applies to other service providers such as those that offer hosted or managed visitor management systems,” Cato continues. “A further point to be aware of is personal information collected via biometric devices, as this is regarded as special personal information in the Act. Visitors should be made aware of this and their consent should be obtained for this as well.”

Above all, Cato cautions that the subject of PoPI Act compliance should not be seen as a tick-box exercise, but “should be seen as building a privacy and data protection culture. This is beneficial for the estate as visitors, residents and potential buyers will be given confidence that their personal information is being protected in a responsible manner.

“The PoPI Act is not something dreamed up by SA lawmakers, it is based on European practices to bring SA into line with international practices. Estate management should become familiar with overseas legislation such as the EU GDPR as it has global applicability and may apply to an estate,” he adds.

Biometrics fit the bill

Marius Coetzee
Marius Coetzee

As specialists in providing biometrics solutions for access control as well as other applications, Ideco’s Marius Coetzee and ERS Biometrics’ Eddie Pienaar are well versed in the ins and outs of PoPI compliance.

“We obtained legal opinion five or six years ago which we present to our customers and which we used to form the basis for a framework that we roll out to partners,“ says Coetzee. “It is vital for us to be able to provide the assurance that we understand how to handle personal information and what systems should be put in place so that our solutions are not seen as being a risk, but rather adding value.”

Coetzee points out that the importance of having robust visitor management protocols in place serves to protect the site manager as well as the visitor, and the old-fashioned visitor book is a risk to both parties. He advises that digital solutions are far more secure, but they come in different flavours. These range from simple devices that capture information which is downloaded to a server at a later time, to mobile devices that communicate to an on-site server. All these solutions are vulnerable to theft or other forms of unauthorised access and copying of data, however.

“In my opinion the most secure solution is a digital terminal that scans information, encrypts it, securely communicates it to an off-site, cloud-based server, where data is protected from any potential access and only the authorised site manager is able to view that information. This is the only model that really complies with all PoPI requirements in terms of responsible data processing,” Coetzee states.

A fingerprint reader is important, he asserts, as it serves as a digital signature proving that a person has entered a site. Secondly, in the unfortunate event of a disaster, a roll call function built into Ideco’s hardware allows people to be identified by matching them to their captured fingerprint data.

“By having each visitor transaction signed off digitally with a fingerprint template, organisations can ensure that they will satisfy a PoPI audit. Ideco was the first to market with our solution, and we have processed more than 12 million transactions to date. We are currently in the process of moving from our private cloud server to one of the leading third-party cloud providers that complies with all our requirements in terms of PoPI,” Coetzee concludes.

Pienaar describes the reason for collecting a visitor’s personal information as a way of verifying that someone entering your premises is there on legitimate business, and distinguishes between access to a premises and access to a specific building or business. In the case of the latter, the visitor data that should be captured includes their name and surname, person visited, visitor’s company name, cellphone number, and date and time of arrival. Access to a business park/premises would further require an ID book/card or driver’s licence, and a vehicle registration number and description.

“This information is required to properly announce the visitor, to know who to contact as well as to keep a physical record in the event of either an incidence of theft or a fire breakout where an evacuation is required, Pienaar explains. “This is dependent on the requirement of the organisation with strict rules surrounding the protection and disclosure of the information.

“An organisation may keep records indefinitely depending on the security and audit requirements in the organisation, but this information is protected under the PoPI Act and may not be disclosed to any other party without prior consent from the visitor. The use of any stored information must be monitored to ensure there is no unauthorised access or disclosure of any information other than what is required to perform validation if required.

All information must be properly destroyed after a set term and this should be done in accordance with the Act.”

Pienaar shares Coetzee’s aversion to any form of written data capture. “The data must be captured electronically at the point of entry or preloaded via a client portal, minimising the chance of the data being shared with a third party,” he says. “At ERS, we store as little personal information as possible and our system is customisable to store anything from issuing a visitor a unique PIN code to storing all personal, medical and any other information required by the organisation to gain access to the premises, and/or for time management purposes.

“Our servers have all the security measures in place to prevent unauthorised parties from gaining access to other companys’ information which includes controlled system level access that can be set per user and is completely audited to ensure all activities are monitored.”

For more information contact:

• ERS Biometrics, +27 (0)10 593 0459, sales@ersbio.co.za, www.ersbio.co.za

• Ideco Biometrics, +27 (0)12 749 2300, contact@ideco.co.za, www.ideco.co.za

• IACT-Africa, +27 (0)10 500 1038, johnc@iact-africa.com, www.iact-africa.com


Credit(s)
Supplied By: Technews Publishing
Tel: +27 11 543 5800
Fax: +27 11 787 8052
Email: vivienne@technews.co.za
www: www.technews.co.za
  Share via Twitter   Share via LinkedIn      

Further reading:

  • Habitual awareness
    August 2018, Technews Publishing, News
    Habits are very good things that allow us to carry out the many repetitive tasks we do every day. Our brains automatically form habits to make these repetitive tasks easier and allow us to do them ‘without ...
  • Using data to stay secure
    August 2018, Technews Publishing, This Week's Editor's Pick, Security Services & Risk Management, Residential Estate (Industry)
    Situational awareness beyond the boundary walls can have a significant impact on the security of an estate and the wellbeing of its residents.
  • Nice price, but consider the cost
    August 2018, Technews Publishing, CCTV, Surveillance & Remote Monitoring, Residential Estate (Industry)
    The influx of cheap surveillance products in recent years has put the squeeze on everyone in the supply chain, from the more established equipment manufacturers who have to compete with them, to the installers and system integrators who are forced to slash their margins.
  • Efficient and proactive control rooms
    August 2018, Technews Publishing, This Week's Editor's Pick, Integrated Solutions, Security Services & Risk Management, Residential Estate (Industry)
    A question many estate managers face is whether they should keep the control room onsite and manage it and the relevant staff internally, or whether they should opt for a remote monitoring service.
  • Securing Serengeti
    August 2018, Technews Publishing, This Week's Editor's Pick, CCTV, Surveillance & Remote Monitoring, Access Control & Identity Management, Perimeter Security, Alarms & Intruder Detection, Integrated Solutions, Security Services & Risk Management, Residential Estate (Industry)
    Serengeti Estate offers luxury, golf, conferencing and security, and the estate is on a new growth phase to incorporate more people and services within its 17.5 km boundary.
  • Local estate, local security
    August 2018, Technews Publishing, Residential Estate (Industry), CCTV, Surveillance & Remote Monitoring, Access Control & Identity Management, Perimeter Security, Alarms & Intruder Detection
    Garlington Estate recently made the decision to improve some of its security systems and turned to Excellerate Services to assist in the upgrades.
  • Estate expansion requires access convergence
    August 2018, Powell Tronics, Access Control & Identity Management, Integrated Solutions, Residential Estate (Industry)
    Val de Vie sets the benchmark in secure estate living through the merger of two estates and the associated access and visitor management systems.
  • Major security upgrade for Kindlewood Estate
    August 2018, Technews Publishing, Access Control & Identity Management, CCTV, Surveillance & Remote Monitoring, Perimeter Security, Alarms & Intruder Detection
    Kindlewood upgrades to IP cameras for its gates and perimeter security, and biometrics for access control.
  • Radar comes home
    August 2018, Technews Publishing, This Week's Editor's Pick, Perimeter Security, Alarms & Intruder Detection, Integrated Solutions, Residential Estate (Industry)
    Covering up to 15 km in real time, radar-based perimeter and intrusion detection is set to change the way security operations on estates are managed and planned.
  • First line of defence
    August 2018, Technews Publishing, This Week's Editor's Pick, Perimeter Security, Alarms & Intruder Detection, Residential Estate (Industry)
    Hi-Tech Security Solutions asks what the best practices to take note of for installing and maintaining your electric fence.
  • Secure in their retirement years
    August 2018, Technews Publishing, This Week's Editor's Pick, CCTV, Surveillance & Remote Monitoring, Access Control & Identity Management, Residential Estate (Industry)
    A retirement village with a limited budget upgrades its security to protect residents from increasing criminal activities.
  • Protection via thermal detection
    August 2018, Technews Publishing, This Week's Editor's Pick, CCTV, Surveillance & Remote Monitoring, Residential Estate (Industry)
    Thermal cameras offer almost unbeatable surveillance security for estates and are the envy of any security manager.

 
 
         
Contact:
Technews Publishing (Pty) Ltd
1st Floor, Stabilitas House
265 Kent Ave, Randburg, 2194
South Africa
Publications by Technews
Dataweek Electronics & Communications Technology
Electronic Buyers Guide (EBG)

Hi-Tech Security Solutions
Hi-Tech Security Business Directory (HSBD)

Motion Control in Southern Africa
Motion Control Buyers’ Guide (MCBG)

South African Instrumentation & Control
South African Instrumentation & Control Buyers’ Guide (IBG)
Other
Terms & conditions of use, including privacy policy
PAIA Manual
         
    Mobile | Classic

Copyright © Technews Publishing (Pty) Ltd. All rights reserved.