PoPI and estate security

Residential Estate Security Handbook 2016 - Vol 1 Residential Estate (Industry), Security Services & Risk Management, Editor's Choice

Identity theft, fraud, cybercrime, spamming and information related crime have become a headache for many individuals and government alike. Key to this is the lack of accountability taken up by processors of personal information.

Francis Cronjé
Francis Cronjé

News headlines worldwide are riddled with stories of organisations losing customers’ personal information and people subjected thereto will testify that the subsequent consequences of falling victim to these crimes come at a cost, financially and emotionally.

A right to privacy?

Enshrined in our constitution, every person has a right to privacy. This right includes having your personal information protected against any unauthorised disclosure.

Over the last 10 years or so, South African legislators have followed their EU counterparts in coming up with equivalent and equally robust data protection legislation enabling the enforcement of this basic human right, and in 2013 the Protection of Personal Information Act (PoPI) was enacted legislating the manner in which persons or entities process (collect, use, share, store, archive, destroy and delete) personal information.

PoPI also makes provision for a regulator (“Information Regulator”) to whom aggrieved persons in the future can lodge complaints and through which mechanism enforcement notices, regulatory fines and criminal penalties, including imprisonment, can be imposed.

Residential estates and PoPI

PoPI seeks to protect estate residents’ and visitors’ personal information and therefore also seeks to regulate the way in which the estate and entities providing services to the estate, go about processing personal information.

Pivotal to any residential estate is the associated security services whereby physical access to the premises are controlled and monitored, usually as an outsourced service. This process mostly consists of security guards scanning visitors’ licences (car licence disc and drivers’ licences) or IDs, or in other instances writing down the number plate, ID number and name of the visitor on a register or logbook.

Residents on the other hand are usually provided with some tag system linked to a database, allowing them unfettered access. Further to this, most estates will also have CCTV cameras whereby footage is recorded and managed by the security company.

But what does PoPI say?

Some key points:

• The estate is regarded as the party responsible for the personal information processed – in PoPI referred to as the “Responsible Party”.

For example: If the security company, for instance, loses information collected at the entrance to the estate, it is the estate that would be held accountable should recourse be sought by the resident or visitor, or should the Information Regulator deem action is necessary.

• Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.

For example: One should not collect personal information regarding the visitor’s age, race, home address, email address or other irrelevant information.

• Personal information may only be processed if the visitor or the resident consents thereto or if the estate can justify that the processing of the personal information is necessary for pursuing its own legitimate interest.

For example: The safety and security of the residents might be considered as a legitimate interest of the estate.

• The estate must have a written agreement with the security company it employs whereby the security company must ensure the integrity and confidentiality of the personal information in its possession or under its control.

For example: Any CCTV footage, ID numbers, names, scanning records of licences etc. will fall into this category and it is the responsibility of the security company to safeguard this information by complying with generally accepted information security practises and procedures required in terms of specific industry or professional rules and regulations.

• The security company must only process such personal information with the knowledge or authorisation of the estate and ensure that it treats the information as confidential.

• The estate and security company must also not retain this information for a period longer than deemed necessary in fulfilling the intended purpose (security and verification of the individual) of collecting personal information. Thereafter, it has to be destroyed or deleted in a manner preventing its reconstruction in an intelligible form.

It is therefore important for both the estate and security company to maintain the confidentiality and integrity of, and accessibility to personal information under their control. Although the estate would be ultimately responsible for any data breaches, the security company can contractually be held liable and also be subjected to regulatory backlash.

Conclusion

Information thieves are targeting almost any type of organisation and estates and security companies alike should guard against these crimes.

PoPI aims to hold entities responsible for the personal information they process and strict adherence to the act by estates should be prioritised to prevent these crimes, thereby avoiding regulatory fines, civil remedies and subsequent reputational harm.

Estates must therefore conduct a proper information security and privacy due diligence of any company that they intend on contracting for any kind of service which involves the processing of personal information on their behalf, and further ensure that subsequent agreements entered into are adequately drafted to hold such entities liable for the personal information they process.

Once PoPI commences, entities will have one year to comply with the conditions. At the time of writing, the Act has not yet commenced.

For more information contact Francis Cronjé, [email protected], www.franciscronje.com





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Chubbsafes celebrates 190 years
Gunnebo Safe Storage Africa News & Events Security Services & Risk Management
Chubbsafes marks its 190th anniversary in 2025 and as a highlight of the anniversary celebrations it is launching the Chubbsafes 1835, a limited edition 190th-anniversary collector’s safe.

Read more...
New law enforcement request portal
News & Events Security Services & Risk Management
inDrive launches law enforcement request portal in South Africa to support safety investigations. New portal allows authorised South African law enforcement officials to securely request user data related to safety incidents.

Read more...
Continuous AML risk monitoring
Access Control & Identity Management Security Services & Risk Management Financial (Industry)
AU10TIX, launched continuous risk monitoring as part of its advanced anti-money laundering (AML) solution, empowering businesses to detect behavioural anomalies and emerging threats as they arise.

Read more...
SAFPS issues SAPS impersonation scam warning
News & Events Security Services & Risk Management
The Southern African Fraud Prevention Service (SAFPS) is warning the public against a scam in which scammers pose as members of the South African Police Service (SAPS) and trick and intimidate individuals into handing over personal and financial information.

Read more...
Rewriting the rules of reputation
Technews Publishing Editor's Choice Security Services & Risk Management
Public Relations is more crucial than ever in the generative AI and LLMs age. AI-driven search engines no longer just scan social media or reviews, they prioritise authoritative, editorial content.

Read more...
How can South African organisations fast-track their AI initiatives?
AI & Data Analytics Security Services & Risk Management
While the AI market in South Africa is anticipated to grow by nearly 30% annually over the next five years, tapping into the promise and potential of AI is not easy.

Read more...
Efficient, future-proof estate security and management
Technews Publishing ElementC Solutions Duxbury Networking Fang Fences & Guards Secutel Technologies OneSpace Technologies DeepAlert SMART Security Solutions Editor's Choice Information Security Security Services & Risk Management Residential Estate (Industry) AI & Data Analytics IoT & Automation
In February this year, SMART Security Solutions travelled to Cape Town to experience the unbelievable experience of a city where potholes are fixed, and traffic lights work; and to host the Cape Town SMART Estate Security Conference 2025.

Read more...
Stallion repositions itself as a services provider
News & Events Security Services & Risk Management
Stallion has rebranded as Stallion Integrated Solutions to reflect its expanded capabilities beyond traditional security services to delivering integrated solutions that enhance safety, asset management, and operational efficiency.

Read more...
Seven tips to help ensure your backup batteries work
Power Management Security Services & Risk Management
Load shedding is back, officially or not. Lance Dickerson offers seven tips to prolong the life of your power backup systems and ensure they perform as intended when needed.

Read more...
Cybersecurity best practice
Information Security Security Services & Risk Management
Breach and attack simulation has become an essential element of cybersecurity strategies in any modern business by allowing companies to actively detect and resolve vulnerabilities through real-world attack simulations.

Read more...