classic | mobile
Follow us on:
Follow us on Facebook  Share via Twitter  Share via LinkedIn

Hi-Tech Security Solutions Business Directory
Residential Estate Security Handbook 2017

PoPI and the role of biometrics
June 2018, Access Control & Identity Management

The European Union has beaten South Africa to the punch when it comes to implementing regulations pertaining to the protection of personal data.

After a two-year grace period following its adoption, the EU’s GDPR (General Data Protection Regulation) became fully enforceable on the 25th of May 2018. The local equivalent, PoPI (Protection of Personal Information) is still in limbo since, despite the PoPI Act having been signed into law in 2013, the regulations are still in draft form and are therefore not being enforced. The most optimistic estimates are that the regulations will be finalised later this year, but in the meantime it is a case of ‘hurry up and wait’ for organisations that will be affected.

The security and access control industry is not sitting on its hands in the meantime, though, and many vendors and service providers are already consulting with clients to help them understand and implement PoPI-compliant visitor management solutions.

Act versus regulations

John Cato
John Cato

IACT-Africa’s John Cato is intimately familiar with PoPI through his role as a senior consultant specialising in data protection. Without

delving too much into the legalese, he explains that while there is nothing specific regarding estates or visitor management in the draft regulations, the key rules are based around the principles of consent and purpose. “In other words, an estate or security company may only collect personal information from a visitor (data subject) with his or her consent and for the specific purpose of visiting the estate,” he explains. “In addition to this, the manner in which information is stored needs to be done in line with the Security Safeguards condition (Condition 7) in the PoPI Act. This states that appropriate and reasonable organisational and technical measures should be implemented. The Act is not prescriptive about these.”

A key component of PoPI is the protection of people’s rights: a data subject has the right to request access to their personal information that the estate/security company holds, and to request the information is deleted or corrected ‘if appropriate’. The estate/security company is legally obliged to provide the requested personal information and to take appropriate action if requested to do so.

The PoPI Act is not prescriptive about the length of time personal information can be kept, but states that personal information should not be kept longer than necessary. “The principle that should be applied is that when the validity of the purpose for which personal data is being stored is no longer applicable – for example when a visitor has left the estate – it should not be kept any longer. It is permissible to keep it longer for reasonable business purposes but this must be defined in an approved retention policy. Estates may want to keep information for investigating crimes, so a reasonable period for this business purpose would be acceptable,” Cato states.

Best practices, in an estate context specifically, boil down to ensuring that consent and purpose processes are followed when collecting personal information, according to Cato. “It is important to implement measures such as a PoPI/privacy policy and that you have a summary of this at information collection points such as estate gates and websites if the visitors are allowed to request access codes online,” he says.

It is also essential that estates apply appropriate and reasonable organisational and technical security safeguards when storing personal information, but Cato warns these should not be mistaken for estate security. Rather, they are measures that protect information based on information security standards, which include cybersecurity protection practices such as the use of encryption on computers, tablets and smartphones.

“The security safeguards must include contractual commitments between the estate and an external security company where visitor information is collected, processed and stored by the security company. This also applies to other service providers such as those that offer hosted or managed visitor management systems,” Cato continues. “A further point to be aware of is personal information collected via biometric devices, as this is regarded as special personal information in the Act. Visitors should be made aware of this and their consent should be obtained for this as well.”

Above all, Cato cautions that the subject of PoPI Act compliance should not be seen as a tick-box exercise, but “should be seen as building a privacy and data protection culture. This is beneficial for the estate as visitors, residents and potential buyers will be given confidence that their personal information is being protected in a responsible manner.

“The PoPI Act is not something dreamed up by SA lawmakers, it is based on European practices to bring SA into line with international practices. Estate management should become familiar with overseas legislation such as the EU GDPR as it has global applicability and may apply to an estate,” he adds.

Biometrics fit the bill

Marius Coetzee
Marius Coetzee

As specialists in providing biometrics solutions for access control as well as other applications, Ideco’s Marius Coetzee and ERS Biometrics’ Eddie Pienaar are well versed in the ins and outs of PoPI compliance.

“We obtained legal opinion five or six years ago which we present to our customers and which we used to form the basis for a framework that we roll out to partners,“ says Coetzee. “It is vital for us to be able to provide the assurance that we understand how to handle personal information and what systems should be put in place so that our solutions are not seen as being a risk, but rather adding value.”

Coetzee points out that the importance of having robust visitor management protocols in place serves to protect the site manager as well as the visitor, and the old-fashioned visitor book is a risk to both parties. He advises that digital solutions are far more secure, but they come in different flavours. These range from simple devices that capture information which is downloaded to a server at a later time, to mobile devices that communicate to an on-site server. All these solutions are vulnerable to theft or other forms of unauthorised access and copying of data, however.

“In my opinion the most secure solution is a digital terminal that scans information, encrypts it, securely communicates it to an off-site, cloud-based server, where data is protected from any potential access and only the authorised site manager is able to view that information. This is the only model that really complies with all PoPI requirements in terms of responsible data processing,” Coetzee states.

A fingerprint reader is important, he asserts, as it serves as a digital signature proving that a person has entered a site. Secondly, in the unfortunate event of a disaster, a roll call function built into Ideco’s hardware allows people to be identified by matching them to their captured fingerprint data.

“By having each visitor transaction signed off digitally with a fingerprint template, organisations can ensure that they will satisfy a PoPI audit. Ideco was the first to market with our solution, and we have processed more than 12 million transactions to date. We are currently in the process of moving from our private cloud server to one of the leading third-party cloud providers that complies with all our requirements in terms of PoPI,” Coetzee concludes.

Pienaar describes the reason for collecting a visitor’s personal information as a way of verifying that someone entering your premises is there on legitimate business, and distinguishes between access to a premises and access to a specific building or business. In the case of the latter, the visitor data that should be captured includes their name and surname, person visited, visitor’s company name, cellphone number, and date and time of arrival. Access to a business park/premises would further require an ID book/card or driver’s licence, and a vehicle registration number and description.

“This information is required to properly announce the visitor, to know who to contact as well as to keep a physical record in the event of either an incidence of theft or a fire breakout where an evacuation is required, Pienaar explains. “This is dependent on the requirement of the organisation with strict rules surrounding the protection and disclosure of the information.

“An organisation may keep records indefinitely depending on the security and audit requirements in the organisation, but this information is protected under the PoPI Act and may not be disclosed to any other party without prior consent from the visitor. The use of any stored information must be monitored to ensure there is no unauthorised access or disclosure of any information other than what is required to perform validation if required.

All information must be properly destroyed after a set term and this should be done in accordance with the Act.”

Pienaar shares Coetzee’s aversion to any form of written data capture. “The data must be captured electronically at the point of entry or preloaded via a client portal, minimising the chance of the data being shared with a third party,” he says. “At ERS, we store as little personal information as possible and our system is customisable to store anything from issuing a visitor a unique PIN code to storing all personal, medical and any other information required by the organisation to gain access to the premises, and/or for time management purposes.

“Our servers have all the security measures in place to prevent unauthorised parties from gaining access to other companys’ information which includes controlled system level access that can be set per user and is completely audited to ensure all activities are monitored.”

For more information contact:

• ERS Biometrics, +27 (0)10 593 0459,,

• Ideco Biometrics, +27 (0)12 749 2300,,

• IACT-Africa, +27 (0)10 500 1038,,

Supplied By: Technews Publishing
Tel: +27 11 543 5804
Fax: +27 11 787 8052
  Share via Twitter   Share via LinkedIn      

Further reading:

  • Cybersecurity is not hype
    June 2018, Technews Publishing, News
    Regular readers of Hi-Tech Security Solutions will know that we have upped the amount of content we have about cybersecurity, whether it is aimed at the physical security market or not. This is not some ...
  • Residential Estate Security Conference
    June 2018, Technews Publishing, Calendar of Events
    Residential Estate Security Conference    14 August 2018 Indaba Hotel, Fourways, Johannesburg Following sold-out events in Durban in March 2018, Hi-Tech Security Solutions in cooperation with Rob Anderson, ...
  • Guarding your time with WFM solutions
    June 2018, Technews Publishing, This Week's Editor's Pick, Access Control & Identity Management, Asset Management, EAS, RFID, Integrated Solutions, IT infrastructure
    Workforce management solutions ease some of the burden of out-of-sight-out-of-pocket costs for companies by instituting simple or complex checks to ensure that schedules are followed to the letter.
  • Simplicity, standards and predictability
    June 2018, Technews Publishing, This Week's Editor's Pick, Integrated Solutions
    In today’s world of technology, global communications and the IoT, we have almost endless options when it comes to building management.
  • Bringing different systems into a cohesive solution
    June 2018, Technews Publishing, Retail (Industry), Integrated Solutions
    Modern commercial environments no longer have the luxury of treating systems such as security and building management as isolated entities.
  • Intelligence and compliance ­depend on data governance
    June 2018, Technews Publishing, This Week's Editor's Pick, Cyber Security, Security Services & Risk Management
    The growth of data in all its forms caused data governance to become increasingly complex, to the point where it is a skill in itself.
  • Data governance and security
    June 2018, Technews Publishing, This Week's Editor's Pick, Cyber Security, Security Services & Risk Management
    Data governance has become a key issue for all businesses, and as with all things data-related these days, security is a key component of data governance.
  • Mobile visitor management
    June 2018, ZKTeco, Access Control & Identity Management
    Whether you’re in a commercial park, a residential estate or a retail environment, how to deal with visitors in a secure, yet friendly manner is something that should be carefully managed.
  • Streamlining visitor management
    June 2018, Access Control & Identity Management
    A best practice visitor management system forms part of the whole security equation, which includes deterrence, obstruction, identification, detection and response.
  • Integrated visitor management
    June 2018, Powell Tronics, Access Control & Identity Management, Integrated Solutions
    The effective integration of various products delivers seamless visitor management when the customer selects the right products and the right service provider.
  • Logical SAP access via biometrics
    June 2018, Technews Publishing, This Week's Editor's Pick, Access Control & Identity Management, Integrated Solutions
    Linx/AS Africa recently held a conference in Johannesburg to highlight the company’s success in controlling logical access to SAP systems via biometrics, meeting compliance and governance demands.
  • The story behind an SA-made home automation solution
    June 2018, Technews Publishing, This Week's Editor's Pick, Perimeter Security, Alarms & Intruder Detection, Security Services & Risk Management
    The Sentian i3 is a ‘brain’ for home security, and comprises hardware, embedded software, a cloud service and user app. It can connect to existing alarm systems and off-the-shelf CCTV cameras.

Technews Publishing (Pty) Ltd
1st Floor, Stabilitas House
265 Kent Ave, Randburg, 2194
South Africa
Publications by Technews
Dataweek Electronics & Communications Technology
Electronic Buyers Guide (EBG)

Hi-Tech Security Solutions
Hi-Tech Security Business Directory (HSBD)

Motion Control in Southern Africa
Motion Control Buyers’ Guide (MCBG)

South African Instrumentation & Control
South African Instrumentation & Control Buyers’ Guide (IBG)
Terms & conditions of use, including privacy policy
PAIA Manual
    Mobile | Classic

Copyright © Technews Publishing (Pty) Ltd. All rights reserved.