New surveillance rules set to transform property security
- South Africa's 580,000 private security officers face sweeping new privacy and surveillance compliance requirements under a proposed national Code.
- Residential estates, sectional title schemes, shopping centres and office parks will need to overhaul access control, contracts and data practices.
- Experts warn organisations should begin preparing now, as trustees, landlords and managing agents will ultimately carry the legal responsibility.
SA's largest workforce faces a new regulatory era
South Africa is preparing to regulate one of its largest workforces following the publication of the draft Code of Conduct on the Processing of Personal Information at Gated Accesses.
This a move that could fundamentally change how estates, sectional title schemes, office parks, shopping centres, schools, hospitals and other controlled-access environments collect and manage personal information.
According to the Private Security Industry Regulatory Authority (PSiRA), South Africa has more than 580,000 registered private security officers and approximately 11,000 registered security businesses, making it one of the world's largest private security industries.
Yet despite processing personal information at thousands of access points every day, the sector has never formally been integrated into South Africa's Protection of Personal Information Act (POPIA) compliance framework.
According to Cor van Deventer, Director at Van Deventer Dowlath & Marx Inc., the proposed Code exposes one of the country's biggest governance blind spots.
"Guards, receptionists, boom operators, parking attendants and contractor access teams process enormous volumes of personal information every day, yet most have never received formal POPIA training. The proposed Code changes that landscape dramatically by placing access control firmly within South Africa's privacy and governance framework."
A national compliance challenge
The scale of the challenge extends far beyond the private security industry. Every day, millions of South Africans pass through controlled access points where personal information is routinely collected.
This includes:
- 7,000 - 8,500 residential estates (Estate Living)
- Approximately 70,000 sectional title schemes (CSOS)
- Around 2,000 shopping centres (SACSC)
- Approximately 26,000 public and independent schools
- 400 - 450 hospitals and major healthcare facilities
- Thousands of office parks, industrial precincts, government facilities and National Key Points
South Africa's surveillance footprint is equally extensive. Industry estimates suggest there are now more than 1.2 million CCTV cameras operating across residential and commercial environments, while biometric technologies, including fingerprint recognition, facial recognition and licence plate recognition, have become standard features of many modern access control systems.
Van Deventer says the proposed Code will require organisations to rethink how all of this information is collected, stored and managed.
POPIA hasn't changed, accountability has
Importantly, the proposed Code does not introduce new privacy legislation. Instead, it clarifies how existing POPIA obligations must be applied at controlled-access environments.
"The principles of POPIA have always existed," says Van Deventer. "What's changing is the level of accountability expected from organisations operating gated access systems. The Code introduces a much clearer enforcement framework for an area that has historically received very little regulatory attention."
The draft Code follows years of complaints received by the Information Regulator relating to:
- Excessive collection of personal information
- Unclear data retention periods
- Poor governance around CCTV footage
- Inappropriate use of biometric systems
- Limited transparency around visitor data
Under the proposed framework, organisations will only be permitted to collect information that is strictly necessary for access control.
Where biometric or other high-risk technologies are used, organisations will need to justify their use through a Personal Information Impact Assessment (PIIA).
Security contracts will need a major rewrite
The impact will extend well beyond operational procedures. Van Deventer believes the proposed Code will fundamentally change relationships between property owners, estates and private security companies.
Future service agreements are expected to include:
- POPIA-compliant data handling obligations
- Mandatory staff training
- Retention and deletion schedules
- Data breach reporting procedures
- Clearly defined liability provisions
- Documented processing instructions
"Generic security contracts will no longer be sufficient," he says. "Organisations will increasingly need to demonstrate that everyone collecting personal information has received appropriate training and operates within documented governance frameworks."
Compliance is becoming a budget itemPreparing for the new regulatory environment is likely to require dedicated investment.Indicative costs may include:

While actual costs will depend on each organisation's existing systems, Van Deventer believes compliance should now be viewed as a governance investment rather than simply an operational expense.
What the draft code means
The proposed Code applies to virtually every controlled-access environment in South Africa, including:
- Residential estates
- Sectional title schemes
- Homeowners' associations
- Shopping centres
- Office parks
- Industrial developments
- Schools
- Hospitals
- Government facilities
- National Key Points
Its central principle is proportionality. Only information that is genuinely necessary for access control may be collected.
Organisations will also need to establish documented governance processes covering:
- Information Officers
- Privacy notices
- Data retention schedules
- Deletion policies
- Staff training
- Processing registers
- Security safeguards
Importantly, legal responsibility will rest with the organisation, not the security guard collecting the information.
Start preparing now
Although the Information Regulator is expected to provide a transitional implementation period once the Code is finalised, Van Deventer believes organisations should begin preparing immediately.
He recommends:
- Auditing existing access control procedures
- Reviewing CCTV and biometric systems
- Identifying unnecessary data collection
- Updating contracts with security providers
- Preparing staff training programmes
- Establishing retention and deletion policies
- Budgeting for compliance upgrades
- Reviewing governance structures
"Access control is no longer simply an operational function, it has become a governance responsibility," says Van Deventer. "Organisations that wait until enforcement begins may find themselves exposed, underprepared and unable to demonstrate compliance."
FOR MORE INFORMATION
- Cor van Deventer - Director | Van Deventer Dowlath & Marx Inc.
- Tel: (011) 394 1606 Ext 111
- Email: cor@vdm.law
- Website: www.vdm.law

_page-0007(1).avif)
.avif)
.avif)

.avif)







_page-0002.avif)








_page-0006.avif)

_page-0008(1).avif)
.avif)

.avif)

