PoPI and the role of Biometrics
The European Union has beaten South Africa to the punch when it comes to implementing regulations pertaining to the protection of personal data (PoPI).
After a two-year grace period following its adoption, the EU’s GDPR (General Data Protection Regulation) became fully enforceable on the 25th of May 2018. The local equivalent, PoPI (Protection of Personal Information) is still in limbo since, despite the PoPI Act having been signed into law in 2013, the regulations are still in draft form and are therefore not being enforced. The most optimistic estimates are that the regulations will be finalised later this year, but in the meantime it is a case of ‘hurry up and wait’ for organisations that will be affected.
The security and access control industry is not sitting on its hands in the meantime, though, and many vendors and service providers are already consulting with clients to help them understand and implement PoPI-compliant visitor management solutions.
Act versus regulations
IACT-Africa’s John Cato is intimately familiar with PoPI through his role as a senior consultant specialising in data protection. Without
delving too much into the legalese, he explains that while there is nothing specific regarding estates or visitor management in the draft regulations, the key rules are based around the principles of consent and purpose. “In other words, an estate or security company may only collect personal information from a visitor (data subject) with his or her consent and for the specific purpose of visiting the estate,” he explains. “In addition to this, the manner in which information is stored needs to be done in line with the Security Safeguards condition (Condition 7) in the PoPI Act. This states that appropriate and reasonable organisational and technical measures should be implemented. The Act is not prescriptive about these.”
A key component of PoPI is the protection of people’s rights: a data subject has the right to request access to their personal information that the estate/security company holds, and to request the information is deleted or corrected ‘if appropriate’. The estate/security company is legally obliged to provide the requested personal information and to take appropriate action if requested to do so.
The PoPI Act is not prescriptive about the length of time personal information can be kept, but states that personal information should not be kept longer than necessary. “The principle that should be applied is that when the validity of the purpose for which personal data is being stored is no longer applicable – for example when a visitor has left the estate – it should not be kept any longer. It is permissible to keep it longer for reasonable business purposes but this must be defined in an approved retention policy. Estates may want to keep information for investigating crimes, so a reasonable period for this business purpose would be acceptable,” Cato states.
It is also essential that estates apply appropriate and reasonable organisational and technical security safeguards when storing personal information, but Cato warns these should not be mistaken for estate security. Rather, they are measures that protect information based on information security standards, which include cybersecurity protection practices such as the use of encryption on computers, tablets and smartphones.
“The security safeguards must include contractual commitments between the estate and an external security company where visitor information is collected, processed and stored by the security company. This also applies to other service providers such as those that offer hosted or managed visitor management systems,” Cato continues. “A further point to be aware of is personal information collected via biometric devices, as this is regarded as special personal information in the Act. Visitors should be made aware of this and their consent should be obtained for this as well.”
Above all, Cato cautions that the subject of PoPI Act compliance should not be seen as a tick-box exercise, but “should be seen as building a privacy and data protection culture. This is beneficial for the estate as visitors, residents and potential buyers will be given confidence that their personal information is being protected in a responsible manner.
“The PoPI Act is not something dreamed up by SA lawmakers, it is based on European practices to bring SA into line with international practices. Estate management should become familiar with overseas legislation such as the EU GDPR as it has global applicability and may apply to an estate,” he adds.
Biometrics fit the bill
As specialists in providing biometrics solutions for access control as well as other applications, Ideco’s Marius Coetzee and ERS Biometrics’ Eddie Pienaar are well versed in the ins and outs of PoPI compliance.
“We obtained legal opinion five or six years ago which we present to our customers and which we used to form the basis for a framework that we roll out to partners,“ says Coetzee. “It is vital for us to be able to provide the assurance that we understand how to handle personal information and what systems should be put in place so that our solutions are not seen as being a risk, but rather adding value.”
Coetzee points out that the importance of having robust visitor management protocols in place serves to protect the site manager as well as the visitor, and the old-fashioned visitor book is a risk to both parties. He advises that digital solutions are far more secure, but they come in different flavours. These range from simple devices that capture information which is downloaded to a server at a later time, to mobile devices that communicate to an on-site server. All these solutions are vulnerable to theft or other forms of unauthorised access and copying of data, however.
“In my opinion the most secure solution is a digital terminal that scans information, encrypts it, securely communicates it to an off-site, cloud-based server, where data is protected from any potential access and only the authorised site manager is able to view that information. This is the only model that really complies with all PoPI requirements in terms of responsible data processing,” Coetzee states.
A fingerprint reader is important, he asserts, as it serves as a digital signature proving that a person has entered a site. Secondly, in the unfortunate event of a disaster, a roll call function built into Ideco’s hardware allows people to be identified by matching them to their captured fingerprint data.
“By having each visitor transaction signed off digitally with a fingerprint template, organisations can ensure that they will satisfy a PoPI audit. Ideco was the first to market with our solution, and we have processed more than 12 million transactions to date. We are currently in the process of moving from our private cloud server to one of the leading third-party cloud providers that complies with all our requirements in terms of PoPI,” Coetzee concludes.
Pienaar describes the reason for collecting a visitor’s personal information as a way of verifying that someone entering your premises is there on legitimate business, and distinguishes between access to a premises and access to a specific building or business. In the case of the latter, the visitor data that should be captured includes their name and surname, person visited, visitor’s company name, cellphone number, and date and time of arrival. Access to a business park/premises would further require an ID book/card or driver’s licence, and a vehicle registration number and description.
“This information is required to properly announce the visitor, to know who to contact as well as to keep a physical record in the event of either an incidence of theft or a fire breakout where an evacuation is required, Pienaar explains. “This is dependent on the requirement of the organisation with strict rules surrounding the protection and disclosure of the information.
“An organisation may keep records indefinitely depending on the security and audit requirements in the organisation, but this information is protected under the PoPI Act and may not be disclosed to any other party without prior consent from the visitor. The use of any stored information must be monitored to ensure there is no unauthorised access or disclosure of any information other than what is required to perform validation if required.
All information must be properly destroyed after a set term and this should be done in accordance with the Act.”
Pienaar shares Coetzee’s aversion to any form of written data capture. “The data must be captured electronically at the point of entry or preloaded via a client portal, minimising the chance of the data being shared with a third party,” he says. “At ERS, we store as little personal information as possible and our system is customisable to store anything from issuing a visitor a unique PIN code to storing all personal, medical and any other information required by the organisation to gain access to the premises, and/or for time management purposes.
“Our servers have all the security measures in place to prevent unauthorised parties from gaining access to other companys’ information which includes controlled system level access that can be set per user and is completely audited to ensure all activities are monitored.”
Taken from Securitysa.com – witten by Brett van den Bosch
See how ERS Biometrics can help you secure your sensitive data