The data collection practices of security estates and office parks is under scrutiny by the Information Regulator of South Africa, particularly the information gathered from visitors.

Many of establishments collect personal details from visitors as part of their security measures, including the scanning a visitor’s driver’s license or ID document, as well as their car’s license disk.

Information including a visitor’s name, surname, ID number, age, gender, and vehicle registration details is often captured.

In some cases, security providers offer access to a database for cross-referencing, and the scanned information may be automatically sent for verification against home affairs records.

The responsibility for securely storing and processing this data lies with the estates and office parks, which must comply with the Protection of Personal Information Act (POPIA).

Under POPIA, they are required to explain why they are collecting personal data, ensure it is used appropriately, and keep it confidential. Visitors should also have the ability to access, correct, or delete their information.

However, many estates and office parks collect this data without obtaining explicit consent, often making it a requirement for entry without further explanation.

Advocate Pansy Tlakula, chairperson for the Information Regulator of South Africa, expressed concerns about this widespread collection of personal data, stating that there is "over-processing of information" in many cases.

“When you visit a gated community or office park, they scan your car’s disk and driver’s license, which contain a lot of personal information. Some even take your photo,” she explained during an interview on Radio 702.

She stressed that under POPIA, only the minimum necessary information should be collected: “If you enter into a gated community, all they need for security is your name, the colour of your car, and the car’s registration.”

Tlakula noted that many current practices go beyond what is required for security, raising questions about how this data is being protected and where it is ultimately stored. To address this, the Information Regulator is targeting the 'surveillance sector'—including security estates and office parks—and plans to introduce a code of conduct to curb the overprocessing of personal information.