The driving licence problem for estates and gated communities in South Africa

 ·19 Nov 2024

The practice of scanning visitors’ driver’s licences at residential estates, gated communities, office parks, and similar properties is raising significant concerns about its compliance with South Africa’s Protection of Personal Information Act (Popia).

Advocate Pansy Tlakula, chairperson of the Information Regulator of South Africa, has expressed alarm at how much personal data these entities are collecting, often exceeding what is necessary for security purposes.

Popia is explicit in its requirement that businesses must only collect the minimal amount of personal information necessary and must have a lawful purpose for requesting such data.

For estates and gated communities, the basic details required to maintain security should typically include a visitor’s name, vehicle registration number, and car colour.

However, many access systems go far beyond these essentials, routinely scanning driver’s licences and vehicle licence discs, which contain sensitive information such as names, home addresses, and identification numbers.

In some cases, photographs of visitors are even taken. This extensive data collection practice constitutes what Tlakula refers to as “overprocessing.”

She questions the necessity of such detailed records, especially since estates and similar properties are not law enforcement agencies.

Even in the event of crimes like vehicle theft, these entities would ultimately need to involve the police, who are equipped to handle such cases.

Collecting excessive personal data serves no immediate or actionable purpose for these private properties, yet it exposes visitors to unnecessary risks.

One of the critical concerns revolves around data security. In an age where cybercrime is becoming increasingly sophisticated, safeguarding sensitive personal information is paramount.

Tlakula raises pertinent questions about how estates and gated communities protect the data they collect, including what measures are in place to ensure this information does not fall into the wrong hands and where and how the data is stored.

These concerns are heightened by the fact that vehicle licence discs and driver’s licences provide not just personal identifiers but also details that could be exploited for fraud or other malicious purposes.

The Information Regulator is now turning its attention to these practices.

Advocate Pansy Tlakula

Tlakula has indicated that after addressing issues in the direct marketing sector, the focus will shift to the surveillance and data collection practices of residential estates and similar properties.

The regulator is considering introducing a code of conduct to guide this sector, emphasising compliance with Popia’s principles.

While some argue that digitising visitor registration enhances security compared to traditional handwritten logs, which were prone to tampering and unauthorised access, the underlying issue remains the scope of the data being collected.

Ariel Flax, sales head at access management system provider At The Gate (ATG) Digital, acknowledged these challenges.

Flax supports the Information Regulator’s stance that only the minimum information necessary for a specific, lawful purpose should be collected.

As a result, he noted that ATG Digital’s systems incorporate features like “de-identification,” where any unnecessary data from scanned licences is redacted, ensuring compliance with Popia.

Additionally, captured data is encrypted and stored securely in the cloud, accessible only with proper authorisation.

These measures aim to mitigate risks, but the broader question remains whether such extensive data collection is warranted in the first place.

Popia also requires that personal information be retained only for as long as necessary and then securely deleted.

This regulation is designed to minimise the exposure of data to potential breaches or misuse.

By adhering to these guidelines, access management systems can reduce the risk of sensitive information falling into the wrong hands.

However, compliance hinges on these systems being implemented and managed with rigorous oversight and a clear understanding of legal obligations.

The debate over scanning driver’s licences at estates and gated communities highlights a critical tension between security needs and privacy rights.

While digital systems can offer enhanced security features compared to manual logs, they must be designed and operated within the confines of the law.

The overcollection of personal data not only violates Popia but also erodes public trust and exposes individuals to unnecessary risks.

As the Information Regulator moves to address these practices, the emphasis will likely be on creating a balance where security measures are effective yet respectful of personal privacy.

Ultimately, the goal should be to ensure that data collection practices are lawful, proportionate, and protective of individuals’ rights in an increasingly data-driven world.


Read: What your groceries cost in 1995 vs today in South Africa

Show comments
Subscribe to our daily newsletter