Powell Tronics’ visitor management POPI Act compliance

Being aware of the South African government's proposed enforcement of the POPI Act in 2020, Powell Tronics has endeavoured to develop and implement multiple security layers and features to both the PT-Scan and PT-Guest solutions.

By employing a phased approach, Powell Tronics will implement security features onto existing sites during the standard upgrades without negatively affecting a live site and gradually enforcing them in the next release, giving the sites ample time to accommodate the new requirements.

The final security layer for PT-Guest will be enforced in Q2 of 2020, whereby any PT-Guest site using the visitor pre-authorisation feature will have to have SSL (secure sockets layer) implemented on their publicly accessible PT-Guest domain to access their pre-authorise portals (Web browser or mobile apps).

Security upgrades

The Secure Sockets Layer or SSL is the standard security technology protocol for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the 2 sockets is confidential. An added security feature is that by convention, websites that require an SSL connection start with https: instead of http:

Other security features or levels that have already been implemented in either or both systems include but are not limited either visitor, contractor nor resident data is stored on the handheld licence scanners. All contractor company and resident destination will be retrieved from the Web server on each request.

• Access to the scanner’s config will be password protected with a rolling password.
• Encrypted data will transfer from handheld licence scanners to servers over WiFi.
• Encrypted data will transfer from within the Web pre-authorise portal to the PT-Guest Web server (visitor's name and contact details).

Furthermore, data captured in the login screen of the Web portal (username and password) will only be securable by implementing SSL, which remains the responsibility of the site or their respective installer or IT service provider to implement. And mobile applications (Android or iOS) will have to comply with the mobile OS manufacturers’ GDPR requirements that will be available on the respective app stores.

Users need to know:

• Apps that do not comply will not get published or will get disabled until they have been corrected by the developer and re-verified by the app stores.
• Two-step PT-Guest API authentication for third party integrators will each have their own unique integrator's ID that is required in order to authenticate against a secure Powell Tronics Web service.

Additional security benefits include a “Purge Visitor” function, that is available on the PT-Guest app, whereby visitor data can be manually purged by date of capture. All visitors captured six months ago and have not returned to the site since will be purged during this manual process. This function does not archive the data, it discards it completely from the database.

All resident and contractor company information can only be captured within the access control system and is retrieved on a need basis and reporting is accessible to administrators only using an alternate Web address (PT-Guest IXP) or defined by user-level captured in the access control system (PT-Guest Portal). Databases and systems are username and password protected.

Powell Tronics can confirm that both the PT-Scan and PT-Guest visitor management solutions developed and supported by Powell Tronics are compliant with the South African Act 4 of 2013: Protection of Personal Information (POPI) in terms of meeting the stipulated regulations regarding how personal identification data is captured, stored, utilised and discarded.

Powell Tronics strives to ensure its systems are secure and in line with industry security trends and will continue to implement additional security levels or features as vulnerabilities present themselves.

However, with PT-Scan and PT-Guest being on-premises solutions rather than cloud-based, it is also imperative that the site on which it is installed ensure all necessary security measures are in place, with the assistance of the installer or networking service provider.

These security measures include but are not limited to:

• SSL implementation on the publicly accessible Web portals.
• Change default systems passwords.
• Secure network on-site (WiFi for scanners, access control network).
• Access control and visitor management server to be stored in a secure location (ie, not in reception or guardhouse).
• Limit the number of users that have access to the access control and visitor management server and/or workstations.
• Unique usernames and passwords for users (audit trail purposes).
• Ensure system backups are done elsewhere on the network rather than to an external drive that permanently resides on the server.
• Define proper procedures and regular timelines for archiving of visitor data.

Protection of personal information

Powell Tronics' solutions software licence agreement must be agreed to on system installation because in terms of South African Act No.4 of 2013: Protection of Personal Information Act, 2013 (POPI), it is a criminal offence to use the information in this system for any other purpose than which the visitor gave express consent.

Users of the system will be personally liable for any information extracted, exported or withdrawn from this system. The law explicitly prohibits further processing of information that is not in line with the original purpose for which the visitor gave consent. To comply, this system encrypts data and protects it with passwords and user rights.

End-users will be accountable for how the data is used and what is done to it. Therefore, end-users are required to put measures in place to ‘take appropriate, reasonable, technical organisational measures’ to protect personal information.

This also applies to resellers or consultants installing this software for a client; they need to make the clients aware of this legal responsibility.