South Africa’s Information Regulator will soon take aim at security checkpoints at the entrances to office parks and residential estates that collect what it deems excessive information about visitors.

According to the regulator’s chair, Pansy Tlakula, security checkpoints are “overprocessing” personal information by taking more data than they need to perform their function.

She was speaking to Clement Manyathela on 702, a Johannesburg-based radio station, on Tuesday.

“Popia (the Protection of Personal Information Act) is very clear: you must only collect the minimum personal information needed for the purpose it is being collected. If you enter into a gated community, all they need for security purposes is your name, the colour of your car and the registration,” Tlakula said.

“After the direct marketing sector, the sector we are setting our eyes on is [the security] sector and the surveillance happening [there]. We preliminarily have taken the view that maybe after consulting that sector we should issue a code of conduct for them,” she said.

According to Tlakula, the additional information collected by scanning licence discs and drivers’ licences includes details such as a visitor’s ID number and home address, none of which assists the security personnel in protecting the premises or preventing a visitor’s vehicle from being stolen.

‘It’s ridiculous’

Tlakula said the practice also raises questions about where the personal data collected is stored, the security measures put in place to protect it and who is permitted to access the information. She said taking a driver’s photo before granting entry is not required either.

“What are they doing with that information and where does it end up? Even if your car is stolen, what will they do? It’s ridiculous,” she said in the interview.

Another area where security clashes with data privacy is in the use of bodycams by security personnel. According to Tlakula, bodycam use by private security companies is prohibited under Popia. However, the act has exemptions for law-enforcement purposes, provided it’s being done by a public body like the South African Police Service.

Read: Meta faces fight over South African election probe

According to Tlakula, the volume of complaints received by the Information Regulator suggests direct marketing causes the public the most annoyance regarding the misuse of personal information. However, insurance companies, mobile operators and the banking sector also account for a significant portion of complaints received.

Tlakula said the Information Regulator’s own assessment of Popia legislation suggests the law is adequate for regulating data privacy in South Africa, but there are gaps in the regulator’s powers to enforce it that could lead to greater compliance if plugged, especially in ensuring that organisations do not become repeat offenders of Popia. It has approached parliament with proposed amendments to Popia that will expand its powers of enforcement. – © 2024 NewsCentral Media