As estates, office parks and gated communities tighten their security, many South Africans are asking a new question at the boom gate: What really happens to my personal information when my driving licence is scanned?
ATG Digital says the real issue is not the scanner, but the purpose, scope and safeguards behind every scan. The company shares further clarity to help security management and HOAs cut through the noise.
“Yes, the barcode on a driving licence contains a lot of personal information,” the company notes. “POPIA doesn’t say ‘never scan’ – it says, ‘only scan when you need to, and protect what you scan’.”
Before deciding whether scanning is appropriate for your site, it helps to understand exactly what a driving licence barcode reveals when scanned.
What information is captured when a licence is scanned?
A South African driving licence typically includes:
- Name and surname
- ID number
- Photograph and signature
- Licence number
- Vehicle and restriction codes (for example, spectacles, certain disabilities)
- Dates (issue, validity, expiry)
- Country of issue
When the barcode is scanned, these fields can be read digitally. Under POPIA, this means that multiple categories of personal information are processed in a single step.
Such information includes identity data and, in some contexts, biometric identifiers.
When is scanning a lawful, legitimate purpose?
POPIA requires that personal information be collected for a specific, lawful, clearly defined purpose linked to the organisation’s function.
In access control environments, typical legitimate purposes include:
- Security: verifying identity at entry and exit points
- Incident response: keeping accurate logs for investigations or emergencies
- Operational improvements: managing traffic flow and access patterns more effectively
Crucially, the data collected must be proportionate to those purposes. That is the focus of ATG Digital’s guide and the upcoming POPIA Code of Conduct for the Residential Community Industry.
POPIA lens: justified vs excessive data collection
POPIA’s processing limitation (data minimisation) principle is simple: only collect what you genuinely need.
It is generally justified to collect a visitor’s name and surname, vehicle registration, and basic visit details such as the host, unit and time of entry.
Data capture becomes excessive when collecting ID numbers or home addresses when the risk profile doesn’t justify it.
Similarly, collecting unrelated sensitive data such as health information, or storing full license images, and all barcode fields.
According to ATG Digital, how much you capture, how long you keep it, and how you protect it will decide whether your process passes POPIA’s test.
Practical POPIA checklist for gates and estates
To turn concern into constructive action, ATG Digital recommends that estates and organisations:
- Minimise data collection. Configure systems to capture only the fields needed for your specific risk profile.
- Define and document the purpose. Put in writing why you collect licence data (for example, incident tracing for 30 days).
- Inform visitors clearly. Use onsite notices and awareness boards (an s18 notice) so people know what is being collected, why, their rights, and how to enforce them.
- Limit retention. Set and enforce automatic deletion periods; do not keep data “just in case” forever.
- Secure the data. Encrypt and store records in secure, access‑controlled systems. For example, ATG Digital holds no data on its devices: once scanned, information is immediately encrypted and uploaded to secure cloud‑based storage.
- Ensure accountability. Estates, HOAs and bodies corporate remain the responsible party. They must have a written contract with their operators and must be able to demonstrate compliance to the Regulator.
“POPIA does not aim to turn off every scanner,” ATG Digital says. “Rather, it seeks to turn gatehouses into regulated data environments that are as disciplined with information as they are with physical access.”