Back to all articles

POPIA access control

New POPIA Access-Control Rules: What Office Parks and Estates Need to Know

Plain-English guide to proposed Information Regulator conduct codes for visitor access control, estate gates, office parks, CCTV, biometrics and ID scanning in South Africa.

Published 13 May 2026Updated 13 May 2026Plain-English guide for South African organisations
Read the API docs
Important: This article discusses proposed conduct-code requirements reported in May 2026. It is not legal advice and should be reviewed by your Information Officer or legal adviser before changing your access-control policy.

Access-controlled estates, office parks, business parks and reception desks across South Africa often ask visitors for personal details as a matter of routine. According to a 12 May 2026 Maroela Media report, proposed conduct codes from the Information Regulator place that routine under much closer scrutiny.

The message for property managers and facilities teams is simple: if you collect personal information at a gate, you should be able to explain why each data point is needed, how long it is kept, who can access it and when it will be securely destroyed.

What is reportedly changing?

The proposed codes have not been described as final law. They are, however, an important signal of how visitor access-control practices may be assessed under POPIA. The reported focus is on excessive collection at access points, especially where less intrusive methods are available.

  • Organisations may need to justify every piece of personal information collected from visitors.
  • Historical practice, convenience or “we have always done it this way” is unlikely to be a strong reason on its own.
  • ID card scanning, vehicle licence scanning, biometrics, facial recognition and CCTV without clear policies may attract closer scrutiny.
  • Organisations may need an appointed and empowered Information Officer responsible for POPIA compliance.
  • Personal information should not be stored indefinitely once the access-control purpose has ended.
  • Retention periods, security controls, access controls and destruction processes should be documented.

Why gate data is sensitive

A visitor access point can collect more personal information than teams realise: names, ID numbers, smart ID card images, vehicle registration details, face images, phone numbers, host details, arrival times and departure times. That creates a data-management obligation even if the visit lasts only a few minutes.

If the purpose is simply to check that a supplied South African ID number is structurally valid, scanning or copying an entire ID document may be more information than the workflow needs. A better starting question is: “What is the minimum information we need to safely complete this access decision?”

A practical audit checklist for estates and office parks

Use this checklist before the proposed codes are finalised. It is not a substitute for legal advice, but it can help your team prepare the right questions for your Information Officer, security provider or legal adviser.

  • List every field collected at the gate, reception desk, boom, kiosk and visitor app.
  • Record the reason for each field, including whether it is necessary or merely convenient.
  • Identify whether the same purpose can be met with less data, such as a structural ID validation check instead of a stored ID scan.
  • Confirm whether ID numbers, ID card images, licence scans, CCTV clips or biometric templates are stored.
  • Define a retention period for each category of visitor data.
  • Document who can access visitor records and how access is approved, reviewed and revoked.
  • Check that old visitor records can be securely deleted when the purpose has ended.
  • Review signs, privacy notices and staff scripts so visitors understand what is collected and why.
  • Train guards, reception teams and contractors on the approved process.
  • Keep a written record of your decisions for future review.

Where CheckID fits

CheckID validates the structure of a South African ID number. It checks the 13-digit format, date encoding, age, gender encoding, citizenship or permanent resident indicator where supported by the ID format, and the Luhn checksum. It does not confirm that the number belongs to the person presenting it and it does not query a government identity database.

That boundary matters. CheckID is not a complete POPIA compliance solution and it does not replace your access-control policy. It can, however, support a data-minimisation workflow when your purpose is to perform a fast structural ID check without copying a full document or retaining the ID number.

For high-volume sites or access-control software vendors, the CheckID API can be integrated into an existing visitor workflow. For smaller teams, the browser-based validator can support quick checks without new infrastructure.

What to do next

Start with an audit, not a new tool. Once you know which visitor data points are genuinely necessary, decide where a minimal structural ID validation check is enough and where stronger identity, security or legal checks are still required. Then update your policies, train staff and review your retention settings before the regulatory position becomes more formal.

Review your visitor ID process

CheckID validates the structure of an ID number without storing the number or decoded result on our servers. Your browser may keep a short local history of recent checks, which you can clear at any time. Use CheckID when a quick structural check is enough for your workflow.

View pricingContact us

Related articles

Validate visitor IDs without retention headaches

Practical workflows for estates, office parks, contractors and high-volume gates.

Why scanning every visitor ID is harder to defend

A simple comparison between full-document scanning and minimal ID validation.

How SA ID numbers work

Understand the 13-digit format, date encoding, citizenship indicator and checksum.