The bloke at the gate with the handheld scanner may be about to become the weak link in the whole security setup. The routine of swiping a driving licence, saving the lot and moving on has lived for years because nobody bothered to ask whether a visitor logbook had quietly turned into a privacy dump.
This is now being dragged into the light. South Africa’s Information Regulator is tightening the screws on POPIA compliance. Estates, office parks, and gated communities could soon have to stop collecting far more than they need just to wave a car through the boom.
The licence scan has become the problem
A driving licence looks harmless until you remember what sits on it. It contains a full name, ID number, address, date of birth, and often more than a gatehouse actually needs. If a guard scans the card and stores the image or all the data, the property is hoarding personal information that has no business being there.
POPIA already leans hard on proportionality. Section 10 says personal information must not be excessive for the purpose. Section 13 says the reason for collecting it has to be specific and lawful. Section 9 requires processing to be lawful and reasonable. In plain English, if all you need is to know that a white Polo entered through Gate 3 to visit Unit 14, you do not need a digital copy of the driver’s licence sitting in a folder somewhere.
The old gatehouse habit of scanning everything has always looked lazy. Under stricter enforcement, it starts looking unlawful.
What guards should actually record
The new direction is not anti-security; it is anti-hoarding. The minimum data set is a lot smaller than most property managers would like to admit.
A guard should be able to record the driver’s name, surname, vehicle registration, purpose of visit, time of entry, and time of exit. If a contact number is genuinely needed, it should be collected for a clear reason and not as a default. The exact destination inside the property, whether that is a unit number, office suite, or a specific tenant, may also be logged.
That is enough to know who came in, why they were there, and when they left. Anything beyond that starts drifting into privacy overreach.
Visual inspection still has a place. A guard can look at the photo on a licence or ID document, confirm that it matches the driver, write down the necessary details, and hand the document back immediately. A full scan, a photograph of the card, or a copy stored in a visitor database should not happen simply because the system can do it.
Security staff will need retraining, not just new software
If guards are treated as data processors, the job changes. The person at the gate is no longer only checking a bonnet sticker and waving at the next car in the queue. They are handling personal information and will need proper training on how POPIA works in practice.
That training has to cover the basics: why the data is being collected, what can be recorded, what must be left out, how long information can be kept, and when a visitor has to be told what is happening with their details. It also has to cover the awkward part, where the guard on duty needs to say no to an estate manager who wants every field on the licence copied into the logbook because that is how the system has always worked.
That habit is exactly what gets properties into trouble. Convenience is not a legal justification.
The same rules reach beyond the gatehouse
Once the regulator starts pushing harder, the knock-on effect lands on the rest of the security stack too. CCTV systems, biometric scanners, and licence-plate recognition at entrances all process personal information. Each one has to stand up to the same basic question: Do you really need all of that data, and how long are you keeping it?
CCTV is the easiest to defend, but even there the rules matter. The cameras must serve a defined security purpose, signs should make it clear that recording is happening, and footage retention cannot be a casual forever archive. Thirty to 90 days is the sort of window that usually gets talked about for ordinary security retention, unless there is an incident that justifies keeping it longer.
LPR systems are useful, but they can easily overreach if the data gets linked to more than a simple vehicle record. A number plate, date, and time can be enough for access control. Tying that record to a driver’s ID number or home address without a solid legal reason is where the problems start.
Biometrics are the harshest case. Fingerprint and facial-recognition systems sit in a far more sensitive category under POPIA. This means stronger justification, stronger safeguards, and a much harder argument when a less intrusive option exists.
Estates will have to change the way they work
The practical answer is not chaos; it is a smaller, cleaner system.
Some estates will move to pre-booked visitor access, where a resident or tenant authorises a guest before arrival and the gate only checks a QR code or PIN. Others will keep it manual but strip the process down to the essentials, with guards entering only the minimum details into a digital log. Some will lean on one-time codes that expire after use. Larger office parks may let tenants manage their own guest lists, so the gatehouse is not collecting more than it needs.
What disappears is the reflex to store a full scan because it feels safer. It does not. It just creates another database full of sensitive information that can be copied, leaked, or abused.
The old way is too heavy for the purpose
A visitor to an estate is not applying for a loan, opening a bank account, or signing a lease. They are trying to get through a boom gate. That task needs identification, accountability, and a clean record of entry and exit. It does not need a permanent digital snapshot of the back and front of a driver’s licence sitting on a server somewhere.
If the Information Regulator pushes this through in the form that is now being discussed, the gatehouse will have to grow up fast. Estates and office parks will need to stop treating every visitor as a data source and start treating them like a person passing through for a limited purpose.
