The New Rules for Access Control: What South Africa’s POPIA Code of Conduct Means for Estates and Office Parks

In South Africa, every security decision matters. For residential estates, gated communities, and business office parks, that statement has always been true when it comes to keeping criminals out. Now it is equally true when it comes to how you manage the personal information of every visitor, resident, contractor, and employee who passes through your gates. A significant regulatory shift is under way, and the management teams and HOAs responsible for these properties need to understand what is changing, why it matters, and what it means for the way they operate.

The Information Regulator of South Africa has published its Own-Initiative Code of Conduct on the Processing of Personal Information at Gated Accesses. Gazetted on 30 April 2026, this is the first sector-specific framework of its kind to be researched and drafted by the Regulator itself, rather than by industry.

It applies to any public or private body that determines the purpose and means of processing personal information at gated access points. That includes residential estates, sectional title schemes, lifestyle estates, gated communities, bodies corporate, Homeowners Associations, commercial parks, and business office parks. In short, if your property has a controlled entry point and your security team collects information from people who pass through it, this code of conduct applies to you.

From “Collect Everything” to “Collect Only What You Need”

The driving force behind the code is a simple but important principle: personal information must be relevant, not excessive, and collected for a clearly defined purpose. For years, the standard practice at many access points has been to scan driver’s licences, capture full identity numbers, take photographs, and sometimes collect biometric data as a matter of routine. The Information Regulator has identified many of these practices as intrusive and disproportionate under the Protection of Personal Information Act (POPIA). 

When a driver’s licence barcode is scanned, it reveals considerably more than a name. The PDF417 barcode standard used on South African driving licence cards encodes a driver’s full surname and initials, their full identity number, date of birth, gender, licence number, issue and expiry dates, all vehicle codes the driver is authorised to operate, and any associated restriction codes. Those restriction codes may include sensitive medical information, such as whether the driver requires corrective lenses or uses an artificial limb. Collecting and storing all of this information from every visitor, indefinitely, on systems that may not be encrypted or access-controlled, is precisely the kind of practice the code of conduct is designed to stop. 

The Regulator has been clear about what constitutes excessive collection. Asking a visitor for their full name, contact number, vehicle registration number, identity number, and a photograph or biometric for a single entry is too much. What would be considered proportionate is requiring a visitor to provide their name, which is then compared only to the name in their identity document, alongside basic access details such as the time, date, gate, and host. The principle is that security teams should collect only what is necessary for positive identification and incident tracing, and nothing more.

What the Code Requires in Practice

The code of conduct introduces specific obligations for responsible parties, which under POPIA means the estate, HOA, body corporate, or property owner. Even where physical guarding or technology is provided by a third-party operator, the management body remains accountable for how personal information is handled. That is a critical point for facilities management teams and trustees to understand. The guarding company or technology provider is typically an operator processing data on your behalf. Written agreements with those operators must confirm the POPIA obligations they are implementing and the conditions under which they will apply. 

The practical requirements under the code can be summarised across four key areas.

 Data minimisation sits at the heart of the code. Security systems should only collect information that is strictly necessary for the stated security purpose. Visitor logs, access records, and surveillance data must be limited to what is relevant and proportionate.

 Secure storage and encryption are non-negotiable. Personal information must be held on secure, access-controlled systems rather than on personal mobile phones, open logbooks, or unprotected databases. Encrypted storage is essential to prevent unauthorised access or exposure.

 Defined retention periods replace the previous norm of indefinite storage. CCTV footage should be retained for between seven and thirty days, with stored footage automatically overwritten at the end of each cycle. Only footage linked to a specific incident should be retained for investigation purposes, and it must be deleted once that purpose has been fulfilled. Visitor logs and other personal records must similarly be subject to defined retention schedules and disposal controls.

 Transparency and consent require that visitors are clearly informed about the use of CCTV, biometric systems, and Licence Plate Recognition (LPR) technology, including the reasons for their use. This is not a minor administrative detail. It is a legal requirement under POPIA’s conditions for lawful processing.
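As an added illustration (not taken from the code of conduct or from any vendor system), the data minimisation and CCTV retention rules described above can be expressed in a few lines of Python. The field names, the sample scan, the gate and host values, and the incident references are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

CCTV_MIN_DAYS, CCTV_MAX_DAYS = 7, 30  # retention range stated in the article

@dataclass(frozen=True)
class GateEntry:
    """Minimised visitor record: name plus basic access details only."""
    name: str
    when: datetime
    gate: str
    host: str

def minimise(scan: dict, stated_name: str, when: datetime, gate: str, host: str) -> GateEntry:
    """Compare the stated name with the scanned document, then discard the scan."""
    doc_name = f"{scan['initials']} {scan['surname']}"
    if stated_name.strip().casefold() != doc_name.casefold():
        raise ValueError("name does not match identity document")
    # ID number, date of birth, licence and restriction codes are never stored.
    return GateEntry(doc_name, when, gate, host)

@dataclass
class Clip:
    clip_id: str
    recorded: datetime
    incident_ref: Optional[str] = None  # set when footage is linked to an incident

def clips_to_keep(clips, now, retention_days, closed_incidents):
    """Keep footage inside the cycle or linked to a still-open incident."""
    if not CCTV_MIN_DAYS <= retention_days <= CCTV_MAX_DAYS:
        raise ValueError("CCTV retention must be between 7 and 30 days")
    cutoff = now - timedelta(days=retention_days)
    return [c for c in clips
            if c.recorded >= cutoff
            or (c.incident_ref is not None and c.incident_ref not in closed_incidents)]

# Constructed sample data (hypothetical field names and values).
SAMPLE_SCAN = {"surname": "Mokoena", "initials": "J", "id_number": "<placeholder>",
               "date_of_birth": "<placeholder>", "restrictions": "<placeholder>"}
NOW = datetime(2026, 6, 1)
SAMPLE_CLIPS = [
    Clip("a", datetime(2026, 5, 25)),            # inside a 14-day cycle
    Clip("b", datetime(2026, 5, 1)),             # expired, no incident
    Clip("c", datetime(2026, 5, 1), "INC-1"),    # expired, incident still open
    Clip("d", datetime(2026, 5, 1), "INC-2"),    # expired, incident closed
]

if __name__ == "__main__":
    print(minimise(SAMPLE_SCAN, "j mokoena", NOW, "North Gate", "Unit 12"))
    print([c.clip_id for c in clips_to_keep(SAMPLE_CLIPS, NOW, 14, {"INC-2"})])
```

The retention period for visitor log entries is not given a figure in the text above, so the sketch applies a numeric limit only to CCTV footage.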

The Consequences of Non-Compliance

The Information Regulator has signalled a clear shift in its approach to enforcement. The period of education-first engagement is over. The Regulator is now actively conducting own-initiative assessments, naming non-compliant entities publicly, and issuing administrative fines. Fines of up to R10 million are within the Regulator’s scope for serious breaches. Recent enforcement action has seen fines issued to organisations including Lancet Laboratories and Blouberg Municipality, with court proceedings initiated where fines were not paid.

 For residential estates and commercial office parks, the risk extends beyond regulatory fines. POPIA allows any data subject, including a visitor whose information has been mishandled, to bring a civil action for damages against the responsible party. A visitor could sue a body corporate for distress caused by the exposure of their personal information. That is a liability that no management team should be willing to accept.

Where TTK Surveillance Fits In

At TTK Surveillance, we have always believed that effective security is built on a layered strategy. The new compliance landscape does not change that principle. It reinforces it. The code of conduct is not a restriction on good security. It is a framework that pushes properties towards smarter, more accountable, and more defensible security practices. Our solutions are designed to meet exactly that standard. 

Our advanced access control systems replace outdated manual logbooks and uncontrolled scanning practices with secure, digital visitor management. They are built to collect only the information necessary for positive identification and access authorisation, reducing the risk of excessive data collection while maintaining a clear and auditable record of who enters and exits the property.

 Our high-definition CCTV systems provide the visual backbone that every modern estate and office park needs. Clear, high-resolution footage improves both live visibility and post-incident investigation. When paired with our 24/7 off-site CCTV monitoring service, that footage is managed by trained operators who observe activity in real time, escalate incidents quickly, and ensure that retention schedules are applied correctly. Rather than footage sitting on an unmonitored recorder for months, our monitoring approach creates a secure, managed digital audit trail that supports both security and compliance.

 Our Automatic Number Plate Recognition (ANPR) systems provide intelligent vehicle management at access points. ANPR allows security teams to distinguish between expected and unexpected vehicles efficiently, speed up entry for approved users, and maintain a proportionate record of vehicle movement without the need for excessive manual data capture. When integrated with our access control infrastructure, ANPR becomes a powerful tool for both security and lawful data management.

 Where biometric verification is appropriate and justified, our systems are deployed with the transparency and consent requirements of POPIA in mind. Biometrics add a strong layer of accountability, particularly in environments where credential sharing is a known risk. They are most effective when implemented correctly, with clear communication to users and robust data protection measures in place.

 For management teams and HOAs that are unsure where their current security posture stands in relation to the new code of conduct, the right starting point is not to rush into new technology. It is to begin with a proper security audit. TTK Surveillance offers expert consultations to help properties understand their current vulnerabilities, both physical and data-related, and to design a security strategy that is proportionate, compliant, and genuinely effective.

 In South Africa, the regulatory environment around personal data is becoming more assertive and less forgiving. For residential estates and business office parks, the question is no longer whether to take POPIA compliance seriously. It is whether your current systems and processes are already aligned with what the law requires. When security is designed properly, it does not simply record incidents after they happen. It helps prevent them in the first place, and it protects the property and the people who manage it from the consequences of getting it wrong.

 Contact TTK Surveillance today for a free security audit and find out how our solutions can protect your property, your residents, and your legal standing.