Warning for estates and office parks with boom gates in South Africa

South African estates and office parks with boom gates must overhaul their data practices, since new privacy regulations will hold them accountable for over-collection, weak controls, and indefinite retention of personal information.

The Information Regulator is busy finalising a POPIA Code of Conduct for Gated Access that will directly impact how controlled‑access properties collect and store visitor data.

This is set to affect visitor books, copied IDs, and relevant spreadsheets, with gated communities potentially being flagged for excessive data collection and weak controls.

Digital access control specialist ATG Digital recently released a guide to help estates adapt to the new regulations. It explains what can be collected, who is responsible and how violations should be fixed.

“The clipboard logbook of years past is no longer good enough,” the guide stated. “If your security team controls who enters and leaves, and you process personal information to do that, this code is aimed squarely at you.”

At the heart of the new Code of Conduct is the fact that POPIA already requires that personal information be relevant, limited and collected for a clear purpose. The code is expected to turn that into concrete rules for gated areas.

Generally defensible data points include name, ID or passport number, mobile number, vehicle registration, time and date, and host details.

This is enough to identify who entered, when and to see whom. ATG Digital’s guide breaks this down into “OK” vs “red flag” practices. Generally, “OK” practices, if justified by the collector’s risk profile, include –

• Name and surname
• ID or passport number (captured and stored securely, not written down in a visible book)
• Mobile number
• Vehicle registration
• Time, date, gate and host details

There are also “red flags” that estates and office parks should avoid, ATG said. These practices include –

• Open visitor books where anyone can see previous entries
• Copying ID books or licences “just because we’ve always done it”
• Collecting extra information that has nothing to do with security or access, for example, employment history or family details
• Keeping visitor data and CCTV indefinitely with no clear retention rule

The big shift is from “collect everything, just in case” to “collect only what you really need”. Under POPIA, that means personal information must be relevant, not excessive, and used for a clearly defined purpose.

Estates will be held responsible

Many estates already use ID scanners, licence plate recognition (LPR), CCTV and even facial recognition to keep people and assets safe.

ATG explained that the regulator’s concern is not the tech itself, but how it’s used – consent, transparency, scope and retention.

The upcoming code is expected to demand clearer notices for visitors and residents, tighten expectations around biometric processing, and push estates to justify how long they keep logs and footage.

In this regard, ATG proposed real-world solutions, such as using cloud platforms that collect just-enough data, encrypting information, applying automatic deletion rules, and maintaining audit trails of who accessed what and when.

One of the most important messages in the code is about accountability. The estate, homeowners association, body corporate or property owner is usually the responsible party under POPIA.

Security and technology providers are operators acting on their instructions and are not responsible for code violations.

That means when something goes wrong at the gate, such as a stolen logbook, leaked visitor information, or a dodgy biometric deployment, it is the estate’s name that lands on the complaint or enforcement notice.

For estates juggling high crime rates, complex living conditions and constant load-shedding, ATG said the POPIA Gated Access Code can feel like yet another pressure.

But it is also a chance to turn the gatehouse into what ATG calls a “smart, compliant command centre” – not just a boom gate with a pen and paper.