Property Advice

POPIA Compliance: Your Driver’s Licence Scanning Questions Answered

Private Property South Africa
Private Property Reporter |
POPIA Compliance: Your Driver’s Licence Scanning Questions Answered

The Protection of Information Act (POPIA) will commence on 1 July 2021. As organisations nationwide hurry to meet compliance regulations, access control practices—such as driver’s licence scanning—are thrown into question. Ariel Flax of ATG Digital answers frequently asked questions regarding data collection regulations at physical access points.

Is it legal to scan and collect data from driver’s licences under the POPI Act?

Provided the data is processed following POPIA regulations, yes. The POPI Act doesn’t stop an organisation from collecting personal information but rather concerns itself with the “why” and “how” such information is processed. Processed refers to the collection, receipt, recording, organising, retrieval or use of the data.

Compliance relies on the responsible party (the organisation that collects and controls what happens to the data) meeting the conditions of the Act. Therefore, processing driver’s licence data is legal, provided that it is done in a compliant manner.

What are the conditions, and how do they apply to access control data collection?

In essence, the responsible party must:

• Only collect information that is necessary for a specific purpose. In this case, security. Apply reasonable security measures to protect it. Ensure that information on the scanning devices and any end-points to which the data is transferred are secure. Create a procedure that outlines what to do in the event of a breach.
• Ensure it is relevant and up to date. Digitally capturing data directly from a driver’s license or ID book ensures accuracy. Handwritten visitor books are unreliable.
• Only hold as much as you need, and only for as long as you need it.
• Allow the subject (the person whose information it is) to see what you’re holding about them upon request.

Does this mean that digitised licence scanning can help with compliance?

Yes, but remember, not all scanning solutions are the same. You want a system that will:

• Encrypt the information captured on the scanning device and immediately uploaded it to a secure storage platform so that the data does not remain on the device.

• The cloud (or local server to which the data is sent) is secure and compliant with local and international data privacy standards.

• Limit access to the information to authorised personal only via two-factor authentication.

For POPIA compliance purposes, all such authorised personnel should be POPI trained and sign an NDA.

Which is more secure, the cloud or local storage?

This question comes up often. There’s a misconception about the cloud, mainly because—again—not all platforms are equal. You would need to investigate the solution that your security provider is using. Is their cloud just their own local data centre? Do they have adequate redundancy, disaster recovery protocols, IPS and IDS in place?

ATG Digital, for example, uses Google Cloud Services, a platform selected for its world-renowned security systems and compliance with international privacy legislation.

What if a visitor refuses to have their information scanned?

Like any piece of legislation, POPIA co-exists with other laws and regulations. It does not necessarily supersede your other compliance obligations—nor does it suspend your rights.

You can still reserve your right of admission. Suppose it is mandatory to collect specific personal details to grant access, and a visitor upholds their right of refusal. In that case, you can uphold your right not to permit entry.

That’s one example of many possible solutions. If refusing entry is not an option (for practical or legal reasons), there are alternative solutions depending on the application.

We find that visitors will most often refuse to share their data if they are not furnished with a privacy notice. A document that outlines what you’re collecting, why and how it will be processed, how long it is stored and the data subject’s right to view what you have on record in the future on request.

Peace of mind that you are handling private information responsibly goes a long way.

Article is written by ATG Digital

Related Articles

POPIA compliance toolkit now available for community housing schemes
Private Property Reporter | 18 May 2021

POPIA compliance toolkit now available for community housing schemes

Protection of Personal Information Act (POPIA) is a legislative development which will impact property management companies. How best can they familiarise themselves with it?

What clearance certificates are needed when selling property?
Property Power | 18 Nov 2015

What clearance certificates are needed when selling property?

Find out which types of clearance certificates you will need to obtain, before selling a property.

Compliance certificates needed when selling your home
Sarah-Jane Meyer | 28 Oct 2019

Compliance certificates needed when selling your home

Sellers are responsible for providing certificates of compliance (CoC), but buyers also need to know what they entail.

sample image of property alerts

Get instant property alerts

Be the first to see property alerts for your area.
;