Information Regulator’s code of conduct | Speak now or forever have your personal information accessible
11 May 2026 | Nicole Tavares and Sarah Sydenham
Please note that the deadline to submit written commentary to the Information Regulator (South Africa) is 13 May 2026.
If you read our February 2026 article, "Why you need to comment on the Information Regulator's draft code of conduct", you'll know that Nicole and Sarah attended the Information Regulator's Own Initiative Code of Conduct on Gated Access stakeholder consultation session. That article provided a general overview of what was discussed and, importantly, urged anyone in the community schemes sector to engage with the process.
Today, we pick up where we left off: the Own Initiative Code of Conduct on Gated Access was officially published in the Government Gazette (Vol. 730 No. 54594) dated 30 April 2026, and all interested parties have again been invited to submit written comments on the gazetted draft.
The “million dollar” (well, Rand in this case) question is: what was amended following the first round of public commentary? In this article, Nicole (T) and Sarah highlight the key differences between Draft 2: Annexure B, dated 16 February 2026 (“Draft 02”), and Draft 3: The Government Gazette dated 30 April 2026 (“Draft 03”).
Draft 03: Which sections are new?
Definitions
At the outset, we see an inclusion of the below definition:
"Compliance Framework" which means: “all of the interrelated and/or interacting components within an organisation that:
Sets out the organisation’s approach to the management of all categories of compliance risk. The framework addresses aspects such as compliance strategy, objectives, governance, policy, roles and responsibilities, compliance risk appetite, process and techniques and reporting.
Establish and maintain (or contribute to, support, facilitate or enable establishing and maintaining) compliance related objectives and the activities, policies, procedures, processes and practices to achieve those objectives; and
Direct, guide, contribute to, facilitate, enable or support compliance related practices and activities.”
Purpose Specification
8.3 Condition 3 adds a specific new note about South African Police Service (SAPS) Licence Plate Recognition (LPR) technology, requiring responsible parties to make the purpose clear where information is linked to LPR systems integrated with private security networks.
Governance, risk and monitoring
Section 9.3 specifically addresses monitoring high-risk processing using a “Risk-Based Approach”. The key additions in this section include:
Section 9.3.5 which requires responsible parties to identify risk areas including CCTV processing risks, and
Section 9.3.6 which includes operating environment-specific risk considerations.
Identifying risk areas
Section 9.3.6 requires responsible parties to take into account their specific operating environment, including risk profiles, throughput volumes, safety obligations, and security requirements unique to different settings.
Gated access risk management framework
Annexure B is a substantial addition covering:
Governance and oversight;
Risk assessment methodology using ISO 31000;
The Risk and Control Matrix (“RACM”) approach;
Key risk categories (security, operational, compliance);
Risk control measures, and
Incident management and business continuity planning.
High risk processing checklist
Annexure C provides a practical checklist across eight categories:
Type of personal information;
Scale and scope;
Technology used;
Impact on data subjects;
Data transfers;
Monitoring and surveillance;
Consent and transparency, and
Operational environment.
Complaints management and Adjudicator provisions
Section 15 contains one of the most significant changes for community schemes. Sections 15.3.1 through to 15.3.6 set out that, in the residential sector, the adjudicator may be appointed by governing bodies or recognised property regulatory authorities such as the Community Schemes Ombud Service, the National Association of Managing Agents, or the Residential Communities Industry. In the commercial sector, the responsible party appoints the adjudicator directly or through recognised property management entities.
Public commentary
Draft 03 invites written comments within 14 (fourteen) days to the Information Regulator via electronic mail to POPIACompliance@inforegulator.org.za.
Draft 03: Clauses that have been amended
The definition of "Profiling" has been updated to a cleaner table format with footnote references.
Conditions for lawful processing
Section 8 introduced the following amendments:
Condition 2: Processing Limitation
This section has restructured the Proportionality Test into four formally named sub-requirements:
premises specific,
purpose specific,
documented, and
reviewed periodically.
Draft 03 has slightly restructured the note regarding driver's licence concerns under section 68(4)(a) of the National Road Traffic Act 93 of 1996.
Condition 8: Data Subject Participation
Section 8.8.6 expands the “Manner of Access” into a more detailed structure, and adds clearer cross-references to the Protection of Access to Information Act 2 of 2000 (“PAIA”).
Biometric Information
In Draft 02, section 8.13 contained an open question where the Regulator was to verify at stakeholder consultation whether it is applicable in gated accesses. This has been resolved: the restriction is now clearly set out and refers to sections 27(f) and 33 of the Protection of Personal Information Act 4 of 2013 (“POPIA”), without leaving the question open.
Information Matching Programmes
Section 8.9.3 has been amended to state that the Code specifies appropriate measures for information matching programmes without leaving it as an open question.
Governance, risk and monitoring
Section 9 has been renamed and significantly expanded.
Draft 03: Clauses that have been removed
All red-highlighted "NB. further information will be obtained during consultation" notes from Draft 02 have been removed as they were internal drafting markers which have been resolved and finalised.
Summary of key practical implications
The most significant additions for community schemes and property practitioners are:
CSOS named as a possible adjudicator in residential sector complaints.
LPR transparency requirement for systems linked to SAPS networks.
Full Risk Management Framework annexure.
High Risk Processing Checklist.
Formal Proportionality Test structure for processing limitation.
Resolution of all open consultation questions flagged in red in Draft 02.
Conclusion
It is clear that the Government Gazette Draft 03 represents a significantly more developed and refined iteration of the Code of Conduct for Gated Accesses when compared to the earlier Annexure B Draft 02. Responsible parties operating in the residential and commercial gated access environment should review both new annexures carefully and, should they have any comments, submit them in writing to POPIACompliance@inforegulator.org.za before the deadline of 13 May 2026.
For more information please reach out to us at info@tvdmconsultants.com or call 061 536 3138.
About the authors:
Nicole Tavares is the Co-Founder and Director of TVDM Consultants
Sarah Sydenham is a Community Schemes Consultant at TVDM Consultants