POPIA Compliance for Sectional Title Schemes: Facial Recognition Systems
A client asked: “Does POPI apply to my body corporate which intends to install a face recognition access system without consent from residents?”
In South Africa, the Protection of Personal Information Act (POPIA) applies to both public and private bodies that process personal information, including sectional title schemes. If the body corporate intends to install a face recognition access system, it must comply with POPIA.
Key Considerations
- Definition of Personal Information: POPIA defines personal information broadly, including biometric data such as facial recognition data. Therefore, using facial recognition technology involves processing personal information.
- Consent Requirement: POPIA generally requires informed consent from data subjects before processing their personal information. However, there are exceptions: consent is not required where the processing is lawful and necessary for a legitimate purpose.
- Legitimate Purpose: For a body corporate, installing a face recognition system might be justified if it serves a legitimate purpose, such as enhancing security. However, this must be balanced against the privacy rights of residents.
- Transparency and Awareness: POPIA requires transparency and awareness among data subjects regarding the collection and processing of their personal information. This means residents should be informed about the purpose and extent of the facial recognition system.
- Compliance Measures: Your body corporate must implement appropriate measures to protect personal information, including ensuring that the system is secure and that data is not misused.
Steps the body corporate should take
- Conduct a Privacy Impact Assessment: Evaluate the potential impact on residents’ privacy and ensure that the system is proportionate to the security needs.
- Obtain Consent or Justify Legitimate Purpose: Either obtain consent from residents or justify the system as necessary for a legitimate purpose, such as security.
- Develop a Privacy Policy: Create a comprehensive privacy policy that outlines how personal information will be processed and protected.
- Register an Information Officer: Ensure that an Information Officer is appointed and registered with the Information Regulator to oversee POPIA compliance.
Conclusion
While POPIA applies to a body corporate’s use of facial recognition technology, careful consideration must be given to obtaining consent or justifying the system’s use based on a legitimate purpose. Ensuring transparency and implementing robust privacy measures are crucial to compliance.
Given the complexity and potential ambiguity in interpreting the application of POPIA, it is advisable to seek clarification from the Information Regulator, which is responsible for overseeing compliance: www.inforegulator.org.za