South Africans presenting their driving licence cards to security guards at estates, office parks, and gated communities are being warned that these contain a ton of personal information.
The storage and handling of this information has become a point of contention for motorists, with many starting to ask what happens to personal information when their licence card is scanned.
According to access control and visitor management provider ATG Digital, the real issue is not the scanner, but the purpose, scope, and safeguards behind every scan.
“Yes, the barcode on a driving licence contains a lot of personal information,” ATG Digital explained.
“POPIA (the Protection of Personal Information Act) doesn’t say ‘never scan’ – it says, ‘only scan when you need to, and protect what you scan’.”
Information linked to a South African driving licence typically includes the holder’s name and surname, ID number, a photo and signature, alongside their licence number, vehicle and restriction codes, relevant dates and country of issue.
When the barcode is scanned by security, for example, this information is accessed digitally, which, under POPIA, means multiple categories of information are processed in a single step.
This is done to verify the holder’s identity, ensuring they are who they say they are, which can be a justified and necessary control in high-risk environments.
According to ATG, POPIA limits what information can be collected to what is genuinely needed, which can include a visitor’s name and surname, vehicle registration, and basic visit details.
The company added that data capture becomes excessive when collecting ID numbers and home addresses when the risk profile does not justify it.
“Similarly, collecting unrelated sensitive data such as health information, or storing full license images, and all barcode fields,” it added.
New regulations regarding personal data collection
South Africa’s Information Regulator has published a code of conduct which addresses the processing of personal information at gated-access estates.
The Own Initiative Code of Conduct on the Processing of Personal Information at Gated Accesses in South Africa was gazetted on 30 April 2026.
Its purpose is to prescribe sector-specific obligations that give practical effect to the eight conditions for lawful personal information processing under POPIA in gated access environments.
The regulator said that the code also aimed to promote appropriate practices by all gated access points in how they process the personal information they collect.
It added that the code seeks to ensure proportionality between security needs and privacy rights, the standardising of lawful access control practices and the regulation of high-risk technology.
The code also aims to enable complaint and enforcement mechanisms in a bid to strengthen governance and accountability.
“This code applies to any public or private body that determines the purpose and means of processing personal information at gated accesses where appropriate,” the regulator said.
It invited affected parties to submit written comments on the code to the regulator within 14 days of its gazetting.
According to Information Regulator chair Pansy Tlakula, POPIA clearly outlines that only minimal information can be collected from visitors.
In 2024, the chair said that scanning driving licence cards had potentially opened up a wide range of POPIA violations.
“How are they protecting it? Where does it end up? That disc has your name, home address, and ID number linked to it,” she said.
Security and access control companies may find themselves under investigation by the regulator should they be found to leave sensitive information available to unauthorised persons.
These companies should avoid copying IDs or licence cards without due cause, and should avoid collecting additional information such as employment history altogether.
Loading ...
