POPIA & Guarding

Your legal questions answered

FAQ

Most frequent questions and answers

The key things for body corporate trustees to know

This guide answers your frequently asked questions (FAQ) about the legal issues related to us,
Online Network Systems, and personal information. As the representative of a body that runs a
property (for example, the trustees of a body corporate) you will find this guide interesting and useful.
Securing your property while lawfully processing any personal information involved in the process is
very important for you. You have a high risk of being held liable for failing to secure your property or
lawfully processing personal information. Using us will only help you by reducing your risk. We are
invested in ensuring that you achieve good security while lawfully processing any personal
information involved. At Online Network Systems we do not discriminate against or infringe anyone’s
constitutional rights.

Key points and possible actions

1. You may lawfully verify visitors’ IDs by scanning their driver’s licences.
2. We care about helping you provide security and protect personal information.
3. We are your operator under POPIA and process personal information for you.
4. It is impossible to always protect all personal information, but we try.
5. You benefit from using our products by managing many different risks.

What is POPIA?

It is the Protection of Personal Information Act, a law passed 1 by the South African parliament, which
sets the conditions that you must follow to lawfully process the personal information about persons.
POPIA commenced on 1 July 2020 and has a one-year grace period. This means everyone has one
year to start complying or risk facing serious consequences. We have already started complying.

Why did POPIA come into existence?

POPIA protects people (like you and me) from harm (both physical and financial, like loss of money)
by requiring those who process people’s personal information to protect it. For this reason alone,
POPIA is important.
The protection of personal information is definitely needed now, more than ever. With the rise of
computing power and devices like tablets and smart watches, personal information is at a greater risk
than ever before. POPIA will enable personal information to be transferred to South Africa, which will
bring economic benefits for the country.

Does POPIA apply to everybody?

Yes, virtually everybody. POPIA applies to everybody who processes personal information. It applies
to all public (like Home Affairs and SARS) and private bodies (like financial institutions, healthcare
providers and direct marketers) that process personal information. 2 POPIA defines “process”
extremely broadly. In terms of POPIA, processing means any operation or activity (either automated
or not) that involves the collection, receipt, recording, organisation, collation, storage, updating,
retrieval, dissemination, distribution, merging and degradation or erasing of data.
We strive to comply even when POPIA mainly requires you to comply (such as when we act as your
operator).

Who is exempt from complying with POPIA?

Very few people, but some are. For example, the South African Police Service (SAPS), the Cabinet and
journalists who process personal information for journalism. 3 Some processing of personal information
is also exempt, for example if we process personal information in the course of a purely personal or
household activity.

Do you have to comply with POPIA?

Yes, you must comply with POPIA (and the consequences for non-compliance are quite severe), but
you will also want to do it efficiently and get business value out of those efforts. Our products have
built-in security for personal information and can help you get that efficiency and business value.
You must comply with the conditions of POPIA and protect the personal information that we process.
If we are suspected of not complying with POPIA, the Information Regulator will notify us.

What are the consequences for not complying?

There are significant consequences for non-compliance. You could:
• suffer reputational damage,
• lose customers (homeowners, tenants) and fail to attract new ones,
• pay out millions in damages in a civil class action,
• be fined up to R10 million or face 10 years in jail for committing an offence.

Who regulates POPIA? Will it have teeth?

The Information Regulator regulates POPIA (www.informationregulator.co.za). Parliament has gone
to great lengths to give this regulator teeth. The Information Regulator can ask an organisation to
produce a record to enable the Information Regulator to investigate a complaint (section 81 of
POPIA). We need to be able to comply with such a request.

What is personal information?

It includes information such as ID numbers, race, gender, age or marital status of a person. It also
includes information relating to the education, medical, financial, criminal or employment history of
a person, and contact details like an email address, telephone number or location information. It is
any information that relates to an identifiable, living, natural person. In other words, it is
information that identifies a human being. But in some circumstances, it can also be information
that identifies an existing juristic person like a company, close corporation or trust.

What information does IdentiScan process about visitors?

IdentiScan processes various personal information about visitors, including:
• their name, ID number,
• information that appears on a driver’s licence (including sex and age),
• details about their vehicles, including vehicle registration number,
• their access to a property (location information).

Do we process account numbers or credit card holder information?

No, we do not process the account numbers of your data subjects. This is a good thing because it
means that you are not exposed to the risks associated with processing that kind of personal
information (which are significant). We do not need to comply with PCI DSS. But we may process
your bank account number when we receive payment. We take protecting your bank account number
seriously.

Does POPIA require you to have accurate data?

Yes, as the responsible party, you must take steps that are reasonably practicable to ensure that the
information is accurate and complete. As your operator, we endeavour to help you achieve this by
collecting information that’s reasonably accurate. Our IdentiScan products will help you gather
information accurately. The time for manual visitor record books, which are an ineffective means of
management as the information is largely inaccurate and illegible, is over.

Who is the responsible party?

Whoever decides to process personal information in a certain way is the responsible party. It is the
person that, alone or in conjunction with others, determines the purpose of (why) and means for (how)
processing personal information. 5 If we are processing personal information for somebody else, we
are their operator and they are the responsible party.

Who is the operator?

If we are processing personal information for somebody else, we are their operator. If we do not
determine the purpose and the means for processing the personal information, we are the operator.
An operator usually processes personal information for a responsible party under a contract.
Operators are required to process information only under authorisation from the responsible party
concerned. Operators must also treat all information in their knowledge as confidential unless
disclosure is required by law.

Who is responsible for protecting the personal information that we process?

You, the user of our products, are the responsible party, because you decide why (to control access
or secure the property) and how (by monitoring or identifying) the personal information will be
processed. 6 As the responsible party, you must ensure that the personal information is being
processed lawfully.

What role does Online Network Systems play?

We process personal information for you as your operator. 7 POPIA requires us to secure the personal
information we process for you and to only process with your authorisation. We comply with both of
these obligations.

Is it lawful for you to scan visitors’ IDs to verify their identity using IdentiScan?

Yes. There are conditions that you must comply with to do it lawfully. But it is in your legitimate
interests to control access and secure the property. You must take reasonable and practicable steps
to:
• disclose to the visitors why you process their personal information 8 ;
• ensure that their personal information is not used for other purposes 9 ;
• ensure that visitor information is accurate and of good quality 10 ;
• be open and transparent about your processing;
• secure the integrity and confidentiality of it 11 ; and
• allow visitors to access their information and correct it 12 .
IdentiScan helps you in various ways to meet these conditions. For example, it supports accountability
and transparency by requiring the guard managing the IdentiScan scanner to first correctly identify
themselves using their personal PIN before they can collect data. This makes the guard accountable
for the management of the scanner and allocates each access record to the specific guard. No
longer can a staff member say “It wasn’t me who let the visitor in”.

Can IdentiScan help you to comply with POPIA?

Yes. Using IdentiScan is a reasonable and practicable measure that you should take to protect visitor
information 13 . Other options, such as a written visitor book, do not provide the same level of security or
accuracy as IdentiScan. Thieves can copy or take photos of visitors’ books. IdentiScan will help to
ensure that their personal information is not used for other purposes (for example, a guard selling it to
an identity thief). IdentiScan will ensure that visitor information is accurate and of good quality.

Do you need to get consent from the person entering the property, or the visitor?

No, POPIA is not consent driven. In other words, you do not have to have someone’s consent in order
to lawfully process their personal information. There are many other justifications you can rely on. 14

Should you put up a notice making visitors (and other people) aware of what you will do with their information?

Yes, you must take reasonable and practical steps to ensure that they are aware of what you are
doing with their personal information 15 . We can provide you with a written notice. The notice should be
clearly visible from the place where the personal information will be collected. Both the position and
size of the font of the notice are important.

Must we notify you or the Information Regulator if one of our products is lost or stolen or there is a data breach?

While such an event is very unlikely to occur, in the event that we have reasonable grounds to believe
that one of our devices is lost or stolen or there is a data breach, we would endeavour to inform you
first before informing the Information Regulator. Importantly, though, the risk of a data breach is not
very high because no personal information would be accessible from the loss of a device, since we do
not store personal information on our devices. Where a data breach did actually occur, we would
inform you as soon as we became aware of it. You would then have the opportunity to formulate the
right notification that you want to send to the Information Regulator. This would allow you an
opportunity to comply with your obligation to inform the Information Regulator of a potential data
breach.

Does IdentiScan infringe anyone’s rights?

No, POPIA allows the lawful processing of personal information. Regarding other rights, people do not
have absolute fundamental rights. Our products help body corporates achieve something that is in a
body corporate’s legitimate interest: securing a property. As long as you use our products for those
legitimate interests and within the limits of the law, any limitations that our products may place on
people’s rights will be legally justifiable.

Can the cloud help you to comply with POPIA?

Yes, it can. If many copies of personal information exist in many different places it is exposed to a
greater number of risks. If you can consolidate your personal information into one central location in
the cloud, and then control the security and access to that personal information you will be protecting
personal information. We are cloud based and will always be so.

Does the law now require information security?

Yes, it does. POPIA places a legal obligation on you to secure the information we process. Our
products have built-in security so we can help you fulfil those obligations. We make it a point to
secure any information that we process because it makes business sense to do so. We can help you
secure both the integrity and confidentiality of personal information by taking appropriate, reasonable
technical (like using encryption) and organisational (like policies) measures to prevent loss and
unlawful access (a hack). 16

What is appropriate and reasonable information security?

It depends. The question is what is appropriate and reasonable for us to do considering the type of
personal information that we would process on your behalf. What is appropriate and reasonable for
some may not be appropriate and reasonable for others. But there are certain things that will be
considered appropriate and reasonable measures for most people to take. One of those is to use
encryption to secure personal information or to store personal information in the cloud as much as
possible. The products we supply, therefore, do not keep the information on them and we use
encryption as much as possible.

Does Online Network Systems secure the personal information it processes?

Yes. Online Network Systems’ directors and employees:
• take appropriate and reasonable measures to secure the personal information 17 ;
• have a proven track record of protecting information; and
• are trusted by hundreds of users.

Does POPIA require certain clauses to be in the contract between you and us?

Yes, it does. Our contract ensures that you comply with your relevant obligations in POPIA 18 .

Does Online Network Systems use personal information for anything else?

No.

How long does Online Network Systems keep personal information for?

We keep records (on your behalf) for as long as you reasonably require them to guard your property 19 .
We also keep records for as long as the law may require us to keep them 20 .

What are useful links for more information?

https://www.michalsons.com/
www.informationregulator.co.za

About this guide

Copyright

Copyright © 2002 – 2020. Michalsons. All rights reserved. Copyright subsists in this work under the
Copyright Act 98 of 1978. Any unauthorised act infringes copyright. We trust you to respect our
copyright.

Disclaimers

  1. The content is provided for the jurisdiction of South Africa and is not suitable for other jurisdictions.
  2. We give no warranty about it, and none may be implied. We are not responsible for
    any mistake in the information or any direct or indirect loss that may follow from it.
  3. The guidance has been prepared by Michalsons and is based on their interpretation
    of the principles of South African law at the time of publication. The law may
    change due to future legislative enactments and court decisions.
  4. It is a summary or opinion on general principles of law and is published for general
    guidance purposes only. The content does not constitute specific legal, tax,
    investment, accountancy or other professional advice.
  5. Seek individual advice from a suitably qualified professional adviser before dealing
    with any specific situation.
