ID Document Sharing: South Africa's Most Common POPIA Breach

South African ID documents and passports contain some of the most sensitive personal information that exists: a person's full name, ID number, date of birth, address, and photograph. Collecting them is routine — for FICA verification, employment onboarding, property transactions, vehicle licensing, and dozens of other purposes. Governing what happens to them after collection is where most organisations fail.

Why ID Documents Require Special Treatment

Under POPIA, the ID number of a natural person is personal information. When combined with other information (name, date of birth, photograph), the risk profile is significantly elevated. An ID number is the primary identifier used for:

• Opening bank accounts and financial products
• Registering companies and property
• Credit applications
• SIM card registration
• Accessing government services

A copied or stolen ID document enables identity theft. This makes mishandling of ID documents one of the most consequential POPIA compliance failures an organisation can commit.

How ID Documents Are Commonly Mishandled

• Emailed as unencrypted attachments (the most common channel)
• Stored in shared drives accessible to most or all staff
• Retained indefinitely in email inboxes long after the purpose is served
• Photographed and shared via WhatsApp for verification
• Uploaded to AI tools for text extraction or data capture
• Collected from unsuccessful applicants and never deleted
• Photocopied and left in physical filing systems with no access controls

Legal Requirements for Collecting ID Documents

When collecting a copy of an ID document, the organisation must:

1. Have a specific, documented legal basis for the collection (FICA compliance, employment contract, regulatory requirement)
2. Inform the person of the purpose for which the copy is being taken
3. Store it securely with access limited to those with a specific need
4. Delete it once the purpose is served (unless a legal retention obligation applies)
5. Never share it with third parties without authorisation

FICA Compliance and POPIA

Many organisations justify indefinite retention of ID documents by reference to FICA obligations. FICA does require certain businesses (accountable institutions) to retain FICA records for specified periods (generally 5 years from the end of the business relationship). However, this retention obligation does not override the requirement to apply proper security controls to the retained records. FICA compliance and POPIA compliance must coexist.

Controls That Reduce Risk

• A secure, access-controlled FICA/KYC document vault rather than email or shared drives
• Automated deletion triggers when the retention period expires
• A prohibition on uploading ID documents to AI tools (a specific policy provision, not implied)
• Staff training specific to ID document handling in your sector
• An audit log of who accessed ID documents and when