Gated access under POPIA and what responsible parties should do now

The Information Regulator’s proposed code of conduct for gated access is not just about residential estates.

It has wider relevance for any environment where access is controlled through a gate, reception desk, guard house, boom, camera, biometric device or electronic access system. This includes estates, complexes, office parks, commercial buildings, public sector premises, healthcare facilities, campuses and mixed use developments.

The code is still proposed. The consultation period has closed, following an extension to 29 May 2026. Even so, it gives a clear view of the Regulator’s expectations. Access control is no longer a low visibility operational process. It is a privacy process that needs governance, proportionality and evidence.

Why the proposed code matters

The Regulator’s concern is that gated access points often collect more personal information than is necessary.

That concern is practical. Many visitors are asked to hand over an identity document, scan a driver’s licence, provide a phone number, allow a photograph, or submit to biometric verification before they can enter a property.

Some of this may be justified in a particular setting. Much of it may not be.

The proposed code says gated access covers security personnel, CCTV and other electronic systems through which personal information is collected to control or restrict entry to premises under the control of a public or private body. It also frames the purpose of the code as balancing legitimate security needs with privacy and data protection rights under POPIA.

The practical point is simple. Security remains important. But security does not create a free pass to collect everything.

Who is likely to be the responsible party

For POPIA purposes, the responsible party is the person or body that determines why and how personal information is processed.

In a residential estate, this may be the homeowners association or body corporate. In privately owned premises, it may be the owner, landlord or legal entity that controls the premises. In commercial premises, it may be the organisation or appointed head responsible for the site.

This matters because accountability usually sits with the responsible party.

A security company may operate the gate. A technology provider may supply the scanning system. A managing agent may administer the estate. But the responsible party cannot treat those arrangements as a full transfer of responsibility.

The responsible party should be able to explain the purpose of each data point collected, the lawful basis relied on, who receives the information, how long it is kept, and what controls protect it.

What this means for estates and office parks

Estates, office parks and similar premises should start with a practical review of the access control process.

The review should not begin with the technology. It should begin with the purpose.

What risk is the access process trying to manage. What information is genuinely needed for that purpose. What information is collected because the system allows it, because it has always been done that way, or because no one has reviewed the process.

The proposed code gives helpful examples. For visitors, minimal information may include the visitor’s name, purpose of visit, vehicle registration where the visitor is driving in, and time of entry and exit. It treats items such as an ID copy or photo, home address, email address, personal phone number and employer details as excessive or unnecessary for visitors.

That does not mean every site must use the same process. A high risk site may need stronger controls than a small office park. But the responsible party should be able to justify the difference.

A useful review should cover at least the following.

→ what personal information is collected at entry and exit
→ whether ID scanning is necessary or whether visual verification would be enough
→ whether visitor photos are necessary
→ whether phone numbers are genuinely needed
→ whether biometric access is proportionate
→ whether CCTV signage and privacy notices are clear
→ whether residents, tenants and employees understand how their access data is used
→ whether access logs are deleted when no longer needed

Biometrics and CCTV need closer attention

The proposed code gives particular attention to biometrics and CCTV.

Biometric data, including fingerprints and facial images, is treated as special personal information. The proposed code says this requires heightened safeguards because of the sensitive nature of the information and the potential harm if it is unlawfully accessed, disclosed or processed.

This is important for estates and office parks that use fingerprint readers, facial recognition, automated licence plate recognition or visitor scanning tools linked to identity documents.

The question is not only whether the tool works. The question is whether it is necessary, proportionate and properly controlled.

Responsible parties should consider whether a less intrusive method can achieve the same security objective. They should also document the decision. If a biometric system is used mainly for convenience, speed or habit, it may be difficult to defend.

What this means for security companies and other operators

Security companies are often operators under POPIA.

They process personal information on behalf of the responsible party. They may collect visitor details, capture licence plates, view CCTV footage, operate access control software, store paper registers, or use mobile devices to scan identity documents.

The proposed code says operators must process personal information only with the knowledge or authorisation of the responsible party. They must also treat the information as confidential and must not disclose it unless required by law or as part of proper performance of their duties. It also states that responsible parties must have operator agreements with security companies or other third parties that manage entry.

For security companies, this means POPIA compliance should be built into the service model.

An operator should be able to show that guards and supervisors know what may be collected, what must not be collected, where records must be stored, who may access the system, when records must be deleted, and what to do if data is lost or accessed without authorisation.

A security company should not rely only on the estate or office park to define privacy controls after the fact. It should have a standard operating model that supports POPIA compliant access control.

Operator agreements need to become more specific

Many service agreements with security providers are still written mainly around guarding duties, service levels and cost.

That is no longer enough.

Operator agreements should clearly deal with personal information. The proposed code says operator agreements should include technical and organisational measures and should address cloud service providers where operators use electronic devices to collect and store personal information. It also says operators must notify the responsible party immediately where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person.

In practical terms, responsible parties should review whether their agreements cover the following.

→ what information the operator may collect
→ what information the operator may not collect
→ approved systems and devices
→ restrictions on guard owned phones and informal photographs
→ storage locations
→ access rights
→ confidentiality duties
→ breach escalation
→ deletion and return of records
→ audit rights
→ subcontracting controls

This is an area where estates and office parks often find gaps.

The contract says there is a security service. It does not always say enough about the personal information processed through that service.

Retention needs a clear rule

One of the most common weaknesses in access control is retention.

Visitor books sit in guard houses for years. Electronic access logs remain in systems indefinitely. CCTV footage is overwritten sometimes, but not always according to a documented rule. Scanned documents may sit in supplier platforms with no clear deletion process.

The proposed code takes a purpose based approach to retention. It gives 30 to 90 days as an ideal retention period for visitor registers, with up to 6 months where risk justified. It gives 7 to 30 days for CCTV footage, with incident footage retained separately where needed.

Responsible parties should use this as a prompt to set a practical retention schedule.

The schedule should be simple enough to operate. It should cover paper records, electronic logs, CCTV footage, biometric templates, contractor access records and incident reports.

It should also say who is responsible for deletion. A retention policy that no one implements is not a control.

Privacy notices should work at the gate

A privacy notice for gated access does not need to be long. It does need to be visible, understandable and useful.

The proposed code says privacy notices should explain who is collecting the information, why it is collected, whether provision is voluntary or mandatory, who can access it, the rights of the data subject and the right to complain to the Information Regulator. It also says the notice should be clear, visible, understandable and proportionate to the access context.

This is a practical design issue.

A visitor at a gate will not read a long legal notice while cars queue behind them. A layered approach works better.

The gate can display a short notice with the key information. A QR code or website link can provide the full notice. Guards should also know how to answer basic questions or direct visitors to the right contact.

Complaints and objections need a process

The proposed code also points to complaints handling.

It says responsible parties should clearly display information on how to lodge a complaint, including at estate entrances or security offices, on the website where applicable, or in printed notices or resident information packs. The procedure should explain how to lodge a complaint, who receives it, how it will be handled, and when it may be referred further.

This matters because gate disputes are often handled informally.

A visitor refuses to provide an ID copy. A resident objects to biometric registration. A contractor asks why their personal phone number is needed. A delivery driver asks how long the data will be kept.

These should not be left to the guard at the gate to resolve alone.

The responsible party should have a clear escalation route. The operator should know when to escalate and what not to do.

What responsible parties should do now

The proposed code may still change before finalisation. But waiting for the final version is not the best approach.

Most of the expected controls are already consistent with POPIA.

Responsible parties should use this period to review their access control environment and close obvious gaps.

The most useful first steps are these.

→ map the current gate process
→ list each category of personal information collected
→ identify the lawful basis for each category
→ remove information that is not necessary
→ review ID scanning, photos and biometrics
→ update the gate privacy notice
→ set a retention schedule
→ review operator agreements
→ train guards and site staff
→ create a complaints and escalation process
→ document the decision for any high risk processing

This does not require a complicated privacy programme. It requires disciplined operational review.

What operators should do now

Operators should not wait for each client to ask for POPIA support.

Security companies, access control providers and technology vendors should prepare standard documentation and controls that make it easier for responsible parties to comply.

That includes a POPIA ready service schedule, guard training material, system access controls, deletion processes, breach escalation procedures and clear rules for subcontractors or cloud hosted platforms.

Operators that can evidence these controls will be better placed in procurement and contract renewal discussions.

The practical direction of travel

The proposed code is a reminder that privacy risk often sits in ordinary operational moments.

A guard book. A scan at a boom. A camera at a gate. A visitor record kept for too long. A supplier platform no one has reviewed.

For estates, office parks and other controlled access environments, the message is not that access control must stop.

The message is that access control must be more deliberate.

Collect what is needed. Explain it clearly. Protect it properly. Delete it when it is no longer required. Make sure the security company is working under clear instructions.

That is where responsible parties and operators should focus now.