The Protection of Information Act (POPIA) will commence on 1 July 2021. As organisations nationwide hurry to meet compliance regulations, access control practices—such as driver’s licence scanning—are thrown into question. Ariel Flax of ATG Digital answers frequently asked questions regarding data collection regulations at physical access points.
Is it legal to scan and collect data from driver’s licences under the POPI Act?
Provided the data is processed following POPIA regulations, yes. The POPI Act doesn’t stop an organisation from collecting personal information but rather concerns itself with the “why” and “how” such information is processed. Processed refers to the collection, receipt, recording, organising, retrieval or use of the data.
Compliance relies on the responsible party (the organisation that collects and controls what happens to the data) meeting the conditions of the Act. Therefore, processing driver’s licence data is legal, provided that it is done in a compliant manner.
What are the conditions, and how do they apply to access control data collection?
In essence, the responsible party must:
• Only collect information that is necessary for a specific purpose. In this case, security.
Apply reasonable security measures to protect it.
Ensure that information on the scanning devices and any end-points to which the data is transferred are secure. Create a procedure that outlines what to do in the event of a breach.
• Ensure it is relevant and up to date. Digitally capturing data directly from a driver’s license or ID book ensures accuracy. Handwritten visitor books are unreliable.
• Only hold as much as you need, and only for as long as you need it.
• Allow the subject (the person whose information it is) to see what you’re holding about them upon request.
Does this mean that digitised licence scanning can help with compliance?
Yes, but remember, not all scanning solutions are the same. You want a system that will:
• Encrypt the information captured on the scanning device and immediately uploaded it to a secure storage platform so that the data does not remain on the device.
• The cloud (or local server to which the data is sent) is secure and compliant with local and international data privacy standards.
• Limit access to the information to authorised personal only via two-factor authentication.
For POPIA compliance purposes, all such authorised personnel should be POPI trained and sign an NDA.
Which is more secure, the cloud or local storage?
This question comes up often. There’s a misconception about the cloud, mainly because—again—not all platforms are equal. You would need to investigate the solution that your security provider is using. Is their cloud just their own local data centre? Do they have adequate redundancy, disaster recovery protocols, IPS and IDS in place?
ATG Digital, for example, uses Google Cloud Services, a platform selected for its world-renowned security systems and compliance with international privacy legislation.
What if a visitor refuses to have their information scanned?
Like any piece of legislation, POPIA co-exists with other laws and regulations. It does not necessarily supersede your other compliance obligations—nor does it suspend your rights.
You can still reserve your right of admission. Suppose it is mandatory to collect specific personal details to grant access, and a visitor upholds their right of refusal. In that case, you can uphold your right not to permit entry.
That’s one example of many possible solutions. If refusing entry is not an option (for practical or legal reasons), there are alternative solutions depending on the application.
We find that visitors will most often refuse to share their data if they are not furnished with a privacy notice. A document that outlines what you’re collecting, why and how it will be processed, how long it is stored and the data subject’s right to view what you have on record in the future on request.
Peace of mind that you are handling private information responsibly goes a long way.
Article is written by ATG Digital