South Africa’s estates and office parks are bracing for a major shake‑up at their boom gates as the Information Regulator finalises a POPIA Code of Conduct for Gated Access that will directly impact how controlled‑access properties collect and store visitor data.
For years, “security” has meant handing over a licence, signing a clipboard and hoping for the best. Now those open visitor books, copied IDs, and endless spreadsheets are in the Regulator’s sights – with gated communities flagged for excessive data collection and weak controls.
Digital access control specialist, ATG Digital, has released a plain‑language guide to help estates adapt. The giuide, the company says, answers the questions trustees, HOAs, and managing agents are already asking: what can we collect, who is responsible, and how do we fix this without breaking the gate?
“The clipboard logbook of years past is no longer good enough,” the guide notes. “If your security team controls who enters and leaves, and you process personal information to do that, this Code is aimed squarely at you.”
From ‘collect everything’ to ‘only what you need’
At the heart of the new Code is a mindset shift. POPIA already requires that personal information be relevant, limited, and collected for a clear purpose. The gated access code is expected to turn that into concrete rules for real‑world gatehouses.
Generally defensible data points include name, ID or passport number, mobile number, vehicle registration, time and date, and host details – enough to identify who entered, when, and to see whom.
What is likely to fall foul of the Code:
- Open visitor books that anyone in the queue can read.
- Copying IDs “just in case”.
- Keeping visitor data and CCTV indefinitely with no clear retention rule.
ATG Digital’s guide breaks this down into “OK” vs “red flag” practices. It shows how digital visitor management systems can make over‑collection technically impossible by design.
High‑tech gates under the POPIA microscope
Many estates already use ID scanners, licence plate recognition (LPR), CCTV, and even facial recognition to keep people and assets safe. The Regulator’s concern is not the tech itself, but how it’s used: consent, transparency, scope, and retention.
The upcoming Code is expected to:
- Demand clearer notices for visitors and residents.
- Tighten expectations around biometric processing.
- Push estates to justify how long they keep logs and footage.
Estates take the rap, not vendors.
One of the most important messages in the code is about accountability. The estate, HOA, body corporate or property owner is usually the responsible party under POPIA; security and technology providers are operators acting on their instructions.
That means when something goes wrong at the gate (a stolen logbook, leaked visitor information, a dodgy biometric deployment), it’s the estate’s name that lands on the complaint or enforcement notice.
ATG’s guide can be found at https://www.atgdigital.biz/post/your-go-to-guide-to-the-popia-code-of-conduct-for-gated-access.