A new era for gated access control: Why you need to comment on the Information Regulator’s draft code of conduct by 4 March 2026
27 February 2025 | Sarah Sydenham and Nicole Tavares
The Information Regulator (South Africa) hosted a hybrid meeting titled Own Initiative Code of Conduct on Gated Access Stakeholder Consultation Session on Wednesday, 18 February 2026. The meeting was well attended, on both MS Teams and on-site in Johannesburg, with many participants staying for the entire day. We were delighted to see that the Community Schemes Ombud Service were not only in attendance but raised valuable contributions throughout the session.
On the other hand, it must be noted that many groups from within our community schemes industry, i.e. those that will be impacted by the proposed code of conduct, were missing in action. But fear not, as in this article Nicole (T) and Sarah provide a general overview of the information they gathered during their attendance.
We were particularly impressed by the openness and transparency of the Information Regulator panel and their willingness to engage with participants’ contributions. Participants were encouraged to raise questions and concerns, with the panel engaging in conversations to delve deeper where necessary.
Why do gated communities need a code of conduct?
At the outset the Information Regulator indicated that their office had received a high volume of complaints regarding the information currently being gathered, processed and retained at gated access points within South Africa. This prompted the Information Regulator to exercise its powers under the POPI Act and initiate the drafting of a sector-specific code of conduct regulating gated access control practices.
While it is true that other sectors have put forward their draft codes of conduct for the Information Regulator to review, the Code of Conduct on Gated Access is the first sector-specific framework to be researched and drafted by the Information Regulator itself. The code of conduct is, in many respects, a pioneering document as it takes into account the Protection of Personal Information Act 4 of 2013 (the POPI Act), international best practice, industry practice notes as well as extra-judicial frameworks.
Objectives of the code of conduct
The main objective of the code of conduct is to standardise access control practices, which the Information Regulator is empowered to regulate under Section 2(a) and (b) of the POPI Act, and more importantly to provide clarity and consistency relevant to any gated community, public or private, which includes our industry stakeholders such as bodies corporate, Homeowners Associations, managing agents, and/or security operators.
This code of conduct will be applicable to:
Residential and commercial sectional title schemes.
Homeowners Associations.
Private and public bodies, as owners or managers of premises, with gated access.
Security service providers, and
Technology and system suppliers for access control.
What does this code of conduct aim to prevent?
The code of conduct aims to prevent loss of personal information, including unlawful access and damage or unauthorised destruction, in the following contexts:
Secure access control systems.
Proper storage of visitor logs.
Encrypted databases.
Restricted access to Closed-Circuit Television (CCTV) footage, and
Password protection.
In a gated community, a personalised code must be created by the responsible party, who in a community scheme would be the duly appointed and registered Information Officer.
The code must prescribe the structures, processes, roles and responsibilities needed in order to implement the code effectively. It must further address how it can be amended and revoked, the date of commencement and expiry, and reporting mechanisms. In terms of complaints, the responsible party must establish a system to enable the receipt, handling and referral of complaints to an adjudicator and to the Information Regulator. It is noted that the scheme’s code of conduct must be reviewed every 3 (three) years.
Core principles of lawful processing
The Information Regulator advised that the code of conduct must be based on the core principles of lawful processing of personal information, in terms of which responsible parties must:
appoint the Information Officer and/or Deputy Information Officer, and provide clear responsibilities for controllers and operators;
only collect the information that is necessary;
clearly communicate to residents, visitors, contractors and/or employees;
use the information strictly for access control and security;
protect personal information against loss or unauthorised access, and
have defined retention schedules and disposal controls.
The main takeaway from the session is what information may be collected, and how it may be processed and stored, in the context of gated access. The Information Regulator solidified this understanding by providing the practical examples below of what would constitute excessive and reasonable collection of personal information at access control points.
What would be deemed excessive: full names, contact number AND vehicle registration number AND identity number or driver’s licence AND a picture/image, biometric.
When it comes to single access control, asking for the above as well as an access code, which could be used to verify acceptance of the request to enter, will also be deemed excessive.
What would be considered less excessive: requiring a person to write down their name, which is then ONLY compared to the name in their identity document, or a visitor’s permit/detachable sticker.
From draft to enforcement: what happens next?
The draft code of conduct is currently open for public commentary until Wednesday, 4 March 2026.
An amended version of the draft code of conduct, taking into account the stakeholder commentary, will then be published in the Government Gazette.
Following the publication of the code of conduct, it will officially come into effect 28 (twenty-eight) days later.
In Conclusion
When it comes to the protection of personal information when entering a community scheme, having the code of conduct on gated access is a big step in the right direction. On the other hand, for those living in community schemes where gated access may have been a draw card, not only could the code of conduct increase admin, but it could also lower the effectiveness of security processes. The code of conduct may also result in the sudden exit of trustees who do not want to take on the additional responsibility of becoming the responsible party.
Keep an eye on our social media as we will be posting our comments on the draft code of conduct. If you would like to have your say:
View the meeting slides: Stakeholder engagement overview 18,2.26
View the draft code of conduct open for commentary: ANNEXURE B _ Own Initiative Code of Conduct to OoC
All comments must be emailed to popiacompliance@infoRegulator.org.za by 4 March 2026.
Should you have any questions please don’t hesitate to reach out to TVDM Consultants by calling 061 536 3138 or emailing info@tvdmconsultants.com to find out how we can assist you.
About the Authors:
Sarah Sydenham is a community schemes consultant at TVDM Consultants.
Sarah, who is also an admitted attorney, brings a well-rounded legal background and a passion for community schemes to her role.
Nicole Tavares is a Co-Founder and Director of TVDM Consultants.
Nicole started out her career with a focus on business studies, following which her journey in property law began. She embarked on paralegal and conveyancing courses, which allowed her the opportunity of joining Herold Gie Attorneys, where she was a correspondent conveyancing secretary.