Warning for people with driver’s licences visiting estates in South Africa
Security guards should not make digital copies of your driver’s licence, as this could infringe on the Protection of Personal Information Act (POPIA).
This is according to the Information Regulator of South Africa’s latest draft Code of Conduct for the processing of personal information at gated accesses.
The draft, published in April 2026, is one of the last steps before the regulator finalizes and publishes the code, informing property owners of their responsibilities regarding visitors.
The code is intended to govern the processing of visitor information in a manner that balances security concerns with data rights, said the regulator.
“It establishes principles to ensure that such processing is lawful, reasonable and proportionate to the purpose for which the information is collected,” it said.
The draft makes it clear that guards and digital surveillance at gated accesses should not collect “excessive” data from visitors.
This applies to estates, complexes, office parks, and gated communities.
“POPIA protects the personal information of all the data subjects, including but not limited to visitors, employees and residents who enter through gated access entry points,” the document stated.
“The processing of Special Personal Information, including biometric data such as fingerprints or facial images, requires the implementation of heightened safeguards.”
Persons who provide this information face significant risks, requiring the collection parties to implement appropriate security measures.
Security staff must collect personal information from visitors only to manage security risks, such as requiring visitors to verify themselves at gates.
This requires necessary information such as full names, the car’s registration details, the purpose of the visit, and the time of entry and exit.
Information gathering that is considered excessive and non-compliant by the code includes taking digital copies or photographs of IDs.
Additionally, visitors should not be required to provide their home addresses, email addresses, personal phone numbers or employer details.
The responsible party, which in this instance would be the property owner or manager, must ensure that information gathered from visitors is not retained for more than 30 days.
The table below outlines the types of information the code deems necessary and excessive for employees, visitors, and contractors:
| Category | Minimal / Necessary (Compliant) | Excessive / Unnecessary (Non-Compliant) |
|---|---|---|
| Employees | – Name – Employee ID / Access Card Number – Time of entry/exit | – Full ID number – Home address – Personal phone number – Next of kin details – Biometric data (if not justified) |
| Visitors | – Name – Purpose of visit – Vehicle registration (only if driving in) – Time of entry/exit | – ID copy or photo – Home address – Email address – Personal phone number – Employer details |
| Contractors | – Name – Company name – Work order reference – Time of entry/exit | – Full ID number – Bank details – Residential address – Emergency contact info |
| Retention Period | – Logs kept for security audit period (typically 30 days) | – Indefinite retention of logs – Storing data beyond legal or operational need |
The information you provide when your driver’s licence is scanned
When security personnel scan the barcode on a driving licence at the gate of an office park or housing estate, it uploads all of the data printed on the card to their system.
South African driving licences use a PDF417 standard, which is a specialised stacked linear barcode format for secure data storage.
This allows the Department of Transport to store a considerable amount of structured data in a small space, making it easy to scan.
A cryptographic public key is required to decode this data. This key was initially disclosed only to service providers but has since been leaked online.
Any gated complex can easily build or purchase a system with a PDF417 barcode reader that scans and decodes the barcode without special permission from the department.
Information stored on the card includes the driver’s date of birth, gender, licence number, and the dates that the licence was issued and will expire.
It also includes the codes for the vehicles the person is authorised to operate, such as Code B, as well as codes for special restrictions such as the need to wear glasses.
Fairbridges Attorneys associate director Ali Sonday previously told our sister publication MyBroadband that the information exposed when licences are scanned raised serious POPIA concerns.
“POPIA allows processing where there is consent or another recognised justification, including where processing is necessary for the responsible party’s legitimate interests,” he said.
“There is no general POPIA rule that says estates or office parks are required to scan and store driving licence barcode data for entry.”
Loading ...
