Code will change how estates and office parks handle visitor data


South Africans are used to “gate admin”: signing a visitor register, showing an Identity Document, having a vehicle registration recorded, or being captured on CCTV at an estate or office park. A draft Code of Conduct issued by the Information Regulator treats these routine interactions as personal-information processing and proposes rules for how such data should be collected, used, stored, and deleted under the Protection of Personal Information Act (POPIA).

The draft “Own Initiative Code of Conduct on the Processing of Personal Information at Gated Accesses in South Africa” was published in Government Gazette No. 54594 on 30 April 2026, and the Notice invited written comment within 14 days.

The Code prescribes sector-specific obligations giving practical effect to POPIA’s conditions for the lawful processing of personal information. Its objectives are to ensure proportionality between security needs and privacy rights, standardise lawful access control practices, and regulate high-risk technologies, including CCTV and biometric systems.

Werksmans Attorneys has described this proposed shift as consequential for day-to-day gatehouse operations: “At 65 pages long, the Code signals a significant shift in how housing estates, office parks, and other secure access buildings will be expected to manage personal information collected at entry points.”

Werksmans says the effect for property managers and businesses is a move away from “informal security practices”, and warns that “because it’s always been done this way” will not suffice as a lawful basis for processing.

“Businesses operating gated environments should begin auditing their practices now, as over-collection at entry points is both highly visible and increasingly difficult to defend.”

The draft Code applies across public and private controlled-access environments and explicitly lists settings including residential buildings and estates, social housing and RDP developments, commercial buildings and complexes, government buildings, healthcare establishments, and educational institutions.

Law firm Michalsons says private and public bodies that own or manage premises with gated access will have to comply with the Code. These include trustees of bodies corporate, managing agents, homeowners’ associations, executive estate managers, and facilities managers.

Also within scope are providers of security services and suppliers of technology and access control systems (both “acting as operators on a need-to-know basis”).

The draft is the result of concerns and complaints from members of the public that personal information collected at gated access points is often “excessive, not relevant and not limited to what is necessary”, and that people are not always given a reasonable opportunity to object or seek details about the processing.

The Information Regulator also flags intrusive practices identified through research and complaints handling, including CCTV capturing facial images without consent or, at times, without knowledge or awareness, and the processing of biometric information such as facial recognition used for “positive identification”.

The draft is structured around POPIA’s eight lawful-processing conditions and then expands into governance, monitoring, reporting, complaints, review, and amendment. Rather than creating a single “gatekeeping rule”, it separates obligations: accountability, processing limitation (minimality), purpose specification, retention, further processing, security safeguards, data-subject rights, and rules for automation and complaints.

Accountability and governance

The draft requires responsible parties to appoint and register an Information Officer (and deputies where needed), assign privacy responsibilities, and maintain a compliance framework that includes privacy notices, retention schedules, incident response planning, security policies, and training.

What may be collected

The draft reinforces POPIA’s minimality requirement: personal information may be processed only if, given the purpose, it is “adequate, relevant and not excessive”. It sets out a proportionality method (necessity, effectiveness, and whether the benefit outweighs privacy loss) and treats excessive processing as intrusive and non-compliant.

To illustrate, the draft gives an example of potentially excessive collection: gathering multiple data points (such as full names, contact number, vehicle registration number, ID/driver’s licence details, image, biometrics) for a single access-control purpose where less intrusive alternatives exist. It also gives less intrusive alternatives, such as checking an ID document without copying it, issuing vehicle permits/stickers, or confirming authorisation with the person being visited.

Consent and objections

The draft states consent must be informed, voluntary, and an expression of will, and notes POPIA does not provide for implied or indirect consent. It gives an example of “implied consent” risk where a visitor signs a register, and the responsible party assumes consent without properly informing the person.

Where processing rests on certain legitimate-interest grounds, the draft outlines the right to object and requires mechanisms to object at collection, with consequences (including refusal of access) clearly described in the privacy notice.

Purpose specification and retention

The draft requires personal information to be collected for a specific, explicitly defined, and lawful purpose, and requires that the purpose for each type of personal information collected be documented and made available to data subjects.

On retention, the draft says records must not be retained longer than necessary for the purpose (subject to limited lawful exceptions) and must be securely deleted, destroyed, or de-identified when no longer authorised.

The draft includes a purpose-based retention and deletion schedule as an indicative guide, with examples that vary depending on risk and legal holds. The examples include: visitor registers 30 to 90 days (up to six months if risk-justified); access-control logs 30 to 90 days (up to six to 12 months for high-risk sites); CCTV footage seven to 30 days on an overwrite cycle (with exports retained only if linked to an incident); and incident/occurrence reports three to five years (subject to litigation or legal hold).

Operator controls and security safeguards

The draft requires responsible parties to secure integrity and confidentiality with “appropriate, reasonable technical and organisational measures” to prevent unlawful access, loss, damage, or unauthorised destruction.

Where operators (such as security companies or tech providers) process information on the responsible party’s behalf, the draft requires operator agreements, controls over authorised processing, confidentiality, and breach-notification duties.

Werksmans explains why this matters in practice: gated-access CCTV is “multi-party by design”, and the draft’s differentiation between responsible parties and operators “forces organisations to formalise roles and relationships” that are often left informal.

Automated decision-making

The draft treats automated access decisions as a broader category than AI. It gives examples of automatic gate decisions based on cards, biometrics, licence plates, QR codes, and mobile credentials, and it also lists AI-based CCTV flags and automated vetting/alerts as examples where the outcome may restrict access or trigger security responses.

The draft links safeguards to POPIA’s restrictions where decisions are based solely on automated processing and have legal consequences or substantially affect a person.

Complaints architecture

The draft’s complaints provisions go further than general “contact us” messaging. It requires a complaints process that is fair, transparent, and accessible, and explicitly states complaint-handling must be at no cost to complainants, with complaint records securely and accurately maintained.

It also requires the responsible party to clearly display information on how to lodge a complaint (for example, at entrances or security offices, on a website if applicable, and/or in printed notices), and the procedure must explain how the complaint will be handled, timeframes, escalation options, and remedies.

A key structural element is the mandatory adjudicator layer: the draft states that each responsible party operating a gated access point must appoint or designate an independent adjudicator to resolve complaints arising from processing at gated access points, with the ability to refer matters to the Regulator if a party is aggrieved by the adjudicator’s determination.

When the Code will become binding

The draft includes a commencement clause stating that a Code of Conduct issued under section 60 of POPIA comes into force on the 28th day after the date of its notification in the Gazette (or a later date specified in the Code) and remains effective for a period not exceeding five years.

The “28 days after Gazette notification” timetable is tied to the final code once issued and notified, not to the public-comment publication of the draft.
