The collection and use of personal information in private estates and gated communities in South Africa is common. Visitors are often required to provide personal information to security companies like full names, contact number, vehicle registration and, with the development of technology, vehicle licence and ID or driving licence details are also required.
Collecting this information makes it easier for security companies to deal with offenders where damage might be caused, or crime committed on the estate.
In a ruling by the SCA last year on enforcing lower speed limits on private roads in the Mount Edgecombe Country Club Estate (Mount Edgecombe Country Club Estate Management Association II (RF) NPC v Singh and others ) the court confirmed the principle that the relationship between the parties was regulated by contract. In this case, it was held that there was no conflict between the National Road Traffic Act and the private rules of the association. The contractually binding regulations were “enforceable by the parties to the contract, and against them only”.
It remains to be seen how this might fare under the Protection of Personal Information Act (POPI), which is yet to come into force fully.
As an estate is private property, visitors cannot claim a right to access. Instead, visitors may be required to provide personal information in order to gain entry. While the provision of personal information is not necessarily a problem in itself, there is often little certainty about what will be done with the personal information.
Incidents of cloning vehicle registration details provided to security guards at private estates and incidents of identity theft are causing concern.
In terms of POPI, personal information must not be retained for any longer than it is necessary to achieve the purpose for which it was collected. While there are exceptions, it is a subject that requires careful consideration and the implementation of a good record retention policy which is reviewed regularly. A good information retention policy should cover how the information is stored and secured, how long it is stored and with whom the information is shared.
Although persons living on private estates may have good grounds for requiring identification from visitors, it is important that the security companies are assessed and required to implement appropriate policies and procedures to protect personal information. In the event of a security breach, it may well be that the homeowners’ associations would be liable for their role in failing to properly protect the personal information they process.